NethServer Version: 7.5.1804
Module: fail2ban
Hi,
I would like to create/enable a jail for asterisk.
In security -> fail2ban there’s no asterisk checkbox.
How can I add this jail without breaking anything else?
@support_team
I found this:
https://www.fail2ban.org/wiki/index.php/Asterisk
Does somebody have an idea how to do it?
Maybe @stephdl can have a look. He’s the maintainer for fail2ban.
Do you have some evidence of intrusion attempts in the asterisk logs? That could be a good start.
Create a file
vim /etc/e-smith/templates/etc/fail2ban/jail.local/10Asterisk
Put this content
[asterisk]
enabled = true
port = 5060,5061
logpath = /var/log/asterisk/messages
maxretry = 3
I suppose that the log file is /var/log/asterisk/messages, please double check.
Then expand the file
signal-event nethserver-fail2ban-save
Verify the jail exists
fail2ban-listban
Run it for a few days and report back. If you want precise statistics, then do
cat /var/lib/nethserver/fail2ban/fail2ban.json
Thanks for the support!
The log path is /var/log/asterisk/full
I followed your instruction and it works perfectly!
asterisk Jail enabled
- Currently banned: 7 - Total banned after service start: 7
- Banned IP: list of banned ip
Here is a sample of a bad registration attempt:
[2018-06-27 22:29:47] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2001" sip:2001@XX.XX.XX.XX' failed for '46.17.41.96:5209' (callid: 2302148521) - Failed to authenticate
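Added example (not part of the original posts, and not NethServer or fail2ban code): a small Python check that reads lines in the log format quoted above and reports, per source IP, how many authentication failures occurred, which extensions were tried, and whether the jail's maxretry = 3 would have been reached. The name `summarize`, the 600-second findtime and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the res_pjsip "log_failed_request" NOTICE format quoted above
# (only the "Failed to authenticate" reason shown in the thread).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]: \S+ "
    r"log_failed_request: Request '\w+' from '(?P<sender>.*?)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' "
    r"\(callid: [^)]*\) - Failed to authenticate$"
)

# Constructed sample log (documentation IP ranges, not real traffic).
_FMT = ("[{ts}] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: "
        "Request 'REGISTER' from '\"{ext}\" sip:{ext}@192.0.2.1' failed for "
        "'{ip}:5209' (callid: 1) - Failed to authenticate")
SAMPLE = "\n".join(_FMT.format(ts=t, ext=e, ip=i) for t, e, i in [
    ("2018-06-27 22:29:47", "2001", "203.0.113.5"), ("2018-06-27 22:29:49", "100", "203.0.113.5"),
    ("2018-06-27 22:29:52", "101", "203.0.113.5"), ("2018-06-27 09:00:00", "204", "198.51.100.7"),
    ("2018-06-27 09:00:30", "204", "198.51.100.7"), ("2018-06-27 10:00:00", "300", "192.0.2.44"),
    ("2018-06-27 10:20:00", "300", "192.0.2.44"), ("2018-06-27 10:40:00", "300", "192.0.2.44"),
])


def summarize(log_text, maxretry=3, findtime=600):
    """Per source IP: failure count, extensions tried, and whether
    maxretry failures ever fell inside one findtime-second window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication failure line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        entry = report.setdefault(
            m["ip"], {"failures": 0, "extensions": set(), "ban": False})
        entry["failures"] += 1
        ext = re.search(r"sip:([^@>]+)@", m["sender"])
        if ext:
            entry["extensions"].add(ext.group(1))
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            entry["ban"] = True
    return report
```

Run over /var/log/asterisk/full, an address that cycles through several extensions in seconds suggests scanning, while a few failures on a single extension is more consistent with a phone holding a wrong password.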
If you uninstall asterisk, remember to remove the custom file. Please monitor it and we could add it by default.
Could you please take a look at https://www.fail2ban.org/wiki/index.php/Asterisk
and could you paste the content of /etc/asterisk/logger.conf
The file is all commented.
;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. All modifications to ;
; this file must be done via the web gui. There are alternative files to make ;
; custom modifications, details at: http://freepbx.org/configuration_files ;
;--------------------------------------------------------------------------------;
;
; This file is part of FreePBX.
;
; FreePBX is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 2 of the License, or
; (at your option) any later version.
;
; FreePBX is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with FreePBX. If not, see <http://www.gnu.org/licenses/>.
;
; Copyright (C) 2007 Astrogen LLC (USA)
[general]
#include logger_general_additional.conf
#include logger_general_custom.conf
[logfiles]
#include logger_logfiles_additional.conf
#include logger_logfiles_custom.conf
@Stll0 how do you trick freepbx if you need to rewrite a configuration file? It is not mandatory, but the fail2ban team advises enabling the extra logging and using it in fail2ban to ban attackers.
The needed configurations are in two included logfiles:
/etc/asterisk/logger_general_additional.conf: dateformat=%F %T
(which is correct)
and
/etc/asterisk/logger_logfiles_additional.conf: full => debug,error,notice,verbose,warning
In this one we should add security events. This could be done from FreePBX interface -> Settings -> Asterisk logfile settings -> log files
I think that it isn’t very nice to enable it by default for two reasons:
We could do it, but since it’s not mandatory and can be easily configured from interface, maybe it’s better to write it in documentation.
What do you think?
If we could break something by adding a new setting, you know the mantra: do not break existing installations. We could document it.
What is the news? How many attackers have you banned?
I could see a /var/log/asterisk/fail2ban
What is the content, please?
Could you please test
yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-fail2ban-1.0.4-1.6.pr31.g57fccb2.ns7.noarch.rpm
Remember to remove your custom template.
{"TotalBannedIP":{"sshd-ddos":1,"recidive":58,"apache-noscript":88,"apache-auth":6,"asterisk-tcp":2957,"sshd":1718,"asterisk-udp":2957}}
It is empty
La vache (French translation of wtf)
Did you see the asterisk number of bans :’)
Have you installed the new rpm?
We are implementing the asterisk jail. Would it be possible for you to send me the two logs by email (stephdl at de-labrusse dot org)?
/var/log/fail2ban.log
/var/log/asterisk/full
I feel the number of bans is a bit high: either you were under a heavy attack, or your users were banned. What do you think?
Did you also make some configuration modifications in asterisk?
Give me some days to install the rpm, I’m slightly busy!
The bans are high, but it’s normal for a public vm!
Hi all
I hope that your holidays are/were good
I need some QA on this topic
Thanks for your help