@Stll0 how do you trick freepbx if you need to rewrite a configuration file? It is not mandatory, but the fail2ban team advises enabling the extra logging and using it in fail2ban to ban attackers.
The needed configurations are in two included logfiles:
/etc/asterisk/logger_general_additional.conf: dateformat=%F %T
(which is correct)
and
/etc/asterisk/logger_logfiles_additional.conf: full => debug,error,notice,verbose,warning
In this one we should add security events. This could be done from FreePBX interface -> Settings -> Asterisk logfile settings -> log files
I think that it isn’t very nice to enable it by default for two reasons:
- the security log is verbose with FreePBX because it logs a lot of false positive warnings about the dialplan
- changing it means changing a mysql row after installation (or changing the FreePBX installation) and we can’t know if the user changed it or if it’s a default setting
We could do it, but since it’s not mandatory and can be easily configured from interface, maybe it’s better to write it in documentation.
What do you think?
If we could break something by adding a new setting, you know the mantra: do not break existing installations. We could document it.
What is the news, how many attackers have you banned?
I could see a /var/log/asterisk/fail2ban
What is the content, please?
Please could you test
yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-fail2ban-1.0.4-1.6.pr31.g57fccb2.ns7.noarch.rpm
Remember to remove your custom template.
{"TotalBannedIP":{"sshd-ddos":1,"recidive":58,"apache-noscript":88,"apache-auth":6,"asterisk-tcp":2957,"sshd":1718,"asterisk-udp":2957}}
It is empty
La vache (French translation of wtf)
Did you see the asterisk number of bans :’)
Have you installed the new rpm?
We are implementing the asterisk jail, could you send me the two logs by email (stephdl at de-labrusse dot org)
/var/log/fail2ban.log
/var/log/asterisk/full
I feel the number of bans is a bit high: either you were under a heavy attack, or your users were banned. What do you think?
Did you make some configuration modifications in asterisk also?
Give me some days to install the rpm, I’m slightly busy!
The bans are high, but it’s normal for a public vm!
Hi all
I hope that your holidays are/were good
I need some QA on this topic
Thanks for your help
I need this bug to be verified before releasing the new fail2ban statistics feature… please go on
The jail should be enabled; you can check it with fail2ban-client status asterisk
Check the UI: a new fieldset switch, Communication, exists; it replaces Instant messaging
With the asterisk auth checkbox you can disable the jail if needed (/etc/fail2ban/jail.local check [asterisk]-> false or true)
On a real asterisk server you should wait to see the bans and whether they are false positives
The maxretry value is double the general maxretry value (/etc/fail2ban/jail.local check [asterisk])
The jail is disabled if the asterisk service is disabled (/etc/fail2ban/jail.local check [asterisk])
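One way to script the jail.local checks from the QA list above, as an added example that is not part of the original post or of nethserver-fail2ban. It assumes jail.local uses the standard fail2ban keys enabled, maxretry and logpath, and it runs on a constructed sample rather than a real file; the function name is hypothetical.

```python
import configparser

# Constructed sample of /etc/fail2ban/jail.local; the layout is an assumption.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
maxretry = 3

[asterisk]
enabled = true
maxretry = 6
logpath = /var/log/asterisk/full
"""


def check_asterisk_jail(jail_local_text, asterisk_service_enabled):
    """Return a list of QA findings; an empty list means every check passed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_local_text)
    findings = []

    if not cfg.has_section("asterisk"):
        # No section at all is only acceptable when the service is disabled.
        if asterisk_service_enabled:
            findings.append("asterisk is enabled but jail.local has no [asterisk] jail")
        return findings

    # The jail state must follow the asterisk service state.
    jail_enabled = cfg.getboolean("asterisk", "enabled", fallback=False)
    if jail_enabled != asterisk_service_enabled:
        findings.append(f"jail enabled={jail_enabled}, service enabled={asterisk_service_enabled}")
    if not jail_enabled:
        return findings

    # maxretry of the jail should be double the general ([DEFAULT]) value.
    general = cfg.getint("DEFAULT", "maxretry", fallback=None)
    jail = cfg.getint("asterisk", "maxretry", fallback=None)
    if general is None or jail != 2 * general:
        findings.append(f"maxretry is {jail}, expected double the general {general}")

    # The filter must watch the log shown in the status output.
    logpaths = cfg.get("asterisk", "logpath", fallback="").split()
    if "/var/log/asterisk/full" not in logpaths:
        findings.append("logpath does not include /var/log/asterisk/full")
    return findings


if __name__ == "__main__":
    for state in (True, False):
        print(state, check_asterisk_jail(SAMPLE_JAIL_LOCAL, state))
```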
I disabled the asterisk service via shell and ui, did "signal-event nethserver-fail2ban-save" but the jail is still up and the config file is unchanged.
I tested on a VM with only green interface and port forwarding from the router. As client I used microsip with a wrong password to simulate bans.
Sorry, but I cannot reproduce. Can you check again? This is what I did:
[root@ns7loc15 ~]# config setprop asterisk status disabled
[root@ns7loc15 ~]# signal-event nethserver-fail2ban-save
[root@ns7loc15 ~]# fail2ban-client status asterisk
ERROR NOK: ('asterisk',)
Sorry but the jail 'asterisk' does not exist
[root@ns7loc15 ~]# config setprop asterisk status enabled
[root@ns7loc15 ~]# signal-event nethserver-fail2ban-save
[root@ns7loc15 ~]# fail2ban-client status asterisk
Status for the jail: asterisk
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/asterisk/full
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
You can also see in /etc/fail2ban/jail.local that the jail is enabled/disabled.
I used this rpm, is it the same?
[root@ns7loc15 ~]# rpm -qa nethserver-fail2ban
nethserver-fail2ban-1.0.4-1.4.g41ce7d0.ns7.noarch
Which UI did you try? The Status/services UI only stops the service at the systemd level, nothing at the esmith layer.
My fault. I only did a systemctl disable --now. Disabling asterisk via e-smith disables the fail2ban jail.
Am I too paranoid when bells and whistles go off when I read such a thing? Is it necessary to make the GUI services status/stop option also stop at the e-smith layer level?
I do not think so. This panel is here to manage the service restart/stop; if you want to completely disable a service, I suppose it is the role of the relevant configuration panel.
for example you can stop fail2ban from the service panel, but I provide a status checkbox to disable the service in the fail2ban setting panel
@mrmarkuz can we release this rpm? Is the jail not too aggressive, and does it not generate false positives (good guys banned)?
merci par avance (thanks in advance)
On the test VM it works as expected, some bad guys were banned, my sip client still can connect.