fail2ban doen't ban

Support for security such as Firewalls and securing linux
Post Reply
ipvinner
Posts: 9
Joined: 2016/02/03 14:48:15

fail2ban doen't ban

Post by ipvinner » 2016/02/03 15:01:02

Hello. Could somebody help me.
I'm using centos 7, firewalld, and fail2ban
/etc/fail2ban/jail.conf

Code: Select all

[asterisk]
enabled  = true
filter   = asterisk
action = firewallcmd-ipset
#banaction = firewallcmd-ipset
#action   = iptables-allports[name=ASTERISK, protocol=all] 
#      sendmail[name=ASTERISK, dest=ivanv@domain, sender=fail2ban@local.local]

logpath  = /var/log/asterisk/full
maxretry = 2 
bantime = 259200
findtime = 21600
/etc/fail2ban/filter.d/asterisk.conf:

Code: Select all

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =
Tested and looks like filter is work correct:
fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf

Code: Select all

Results
=======
Failregex: 14 total
fail2ban bans ssh failed attempt, but when I try to connect to asterisk with wrong password, fail2ban doen't ban
and there is nothing interesting at the /var/log/fail2ban.log

Code: Select all

2016-02-03 15:08:44,606 fail2ban.filtersystemd  [2917]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2016-02-03 15:08:44,608 fail2ban.jail           [2917]: INFO    Jail 'asterisk' started

lightman47
Posts: 953
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: fail2ban doen't ban

Post by lightman47 » 2016/02/04 14:23:39

I'm no expert, but is fail2ban "looking at" the actual asterisk log? Is "full" the actual name of the log file? From your description it sounds like fail2ban isn't seeing the login failures.

- just a shot in the dark -
Multple login IDs are not your friend when asking for help!

ipvinner
Posts: 9
Joined: 2016/02/03 14:48:15

Re: fail2ban doen't ban

Post by ipvinner » 2016/02/04 17:07:18

lightman47 wrote:I'm no expert, but is fail2ban "looking at" the actual asterisk log? Is "full" the actual name of the log file? From your description it sounds like fail2ban isn't seeing the login failures.

- just a shot in the dark -
Yes it's freePBX log, but I'm checking using fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf
and that file contains all logs records with unauthorized attempts of connect to asterisk

Post Reply

Return to “CentOS 7 - Security Support”