Add Asterisk jail to fail2ban


(Stéphane de Labrusse) #21

I need this bug to be verified before releasing the new fail2ban statistics feature… please go on

(Markus Neuberger) #22

:white_check_mark: The jail should be enabled; you can check it with fail2ban-client status asterisk
:white_check_mark: Check the UI: a new fieldset switch, Communication, exists; it replaces Instant messaging
:white_check_mark: With the asterisk auth checkbox you can disable the jail if needed (/etc/fail2ban/jail.local check [asterisk] -> false or true)
:white_check_mark: On a real asterisk server you should wait to see the bans and whether they are false positives
:white_check_mark: The maxretry value is double the general maxretry value (/etc/fail2ban/jail.local check [asterisk])

:x: The jail is disabled if the asterisk service is disabled (/etc/fail2ban/jail.local check [asterisk])

I disabled the asterisk service via shell and UI, did “signal-event nethserver-fail2ban-save” but the jail is still up and the config file is unchanged.

I tested on a VM with only a green interface and port forwarding from the router. As a client I used microsip with a wrong password to simulate bans.
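
As an added example (not part of the original posts or of nethserver-fail2ban), a Python check of a jail.local against the checklist items above that point to [asterisk]: the jail state follows the service state, and maxretry is double the general value. The sample file content and the `service_enabled` parameter are constructed assumptions.

```python
import configparser

# Constructed sample of a generated jail.local (illustrative, not from the thread).
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
maxretry = 3
bantime = 1800

[asterisk]
enabled = true
maxretry = 6
logpath = /var/log/asterisk/full
"""


def audit_asterisk_jail(text, service_enabled):
    """Return findings for the [asterisk] jail; an empty list means it passes.

    service_enabled is the e-smith status of asterisk (hypothetical parameter),
    i.e. what `config setprop asterisk status ...` last set.
    """
    # fail2ban files use %(name)s references and may repeat keys, so parse raw
    # and non-strict instead of letting configparser interpolate or reject.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    # A missing section and enabled = false both mean "no jail".
    jail_on = cp.has_section("asterisk") and cp["asterisk"].getboolean(
        "enabled", fallback=False)
    if jail_on != service_enabled:
        findings.append(f"jail enabled={jail_on} but service enabled={service_enabled}")
    if not jail_on:
        return findings

    default_max = cp.defaults().get("maxretry")
    jail_max = cp["asterisk"].get("maxretry")  # falls back to [DEFAULT]
    if default_max is None or jail_max is None:
        findings.append("maxretry missing in [DEFAULT] or [asterisk]")
    elif int(jail_max) != 2 * int(default_max):
        findings.append(f"maxretry={jail_max}, expected {2 * int(default_max)}")
    return findings


if __name__ == "__main__":
    for problem in audit_asterisk_jail(SAMPLE_JAIL_LOCAL, True) or ["OK"]:
        print(problem)
```
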

(Stéphane de Labrusse) #23

Sorry, but I cannot reproduce it. Can you check again? This is what I did:

```
[root@ns7loc15 ~]# config setprop asterisk status disabled
[root@ns7loc15 ~]# signal-event nethserver-fail2ban-save
[root@ns7loc15 ~]# fail2ban-client status asterisk
ERROR  NOK: ('asterisk',)
Sorry but the jail 'asterisk' does not exist

[root@ns7loc15 ~]# config setprop asterisk status enabled
[root@ns7loc15 ~]# signal-event nethserver-fail2ban-save
[root@ns7loc15 ~]# fail2ban-client status asterisk
Status for the jail: asterisk
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/asterisk/full
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:
```

You can also see in /etc/fail2ban/jail.local that the jail is enabled/disabled.

I used this rpm; is it the same?

```
[root@ns7loc15 ~]# rpm -qa nethserver-fail2ban
```

(Stéphane de Labrusse) #24

What UI did you try? The Status/services UI only stops the service at the systemd level, nothing at the esmith layer.

(Markus Neuberger) #25

My fault. I only did a systemctl disable --now. Disabling asterisk via e-smith disables the fail2ban jail.

(Rob Bosch) #26

Am I too paranoid when bells and whistles go off when I read such a thing? Is it necessary to make the GUI services status/stop option also stop at the e-smith layer level?

(Stéphane de Labrusse) #27

I do not think so. This panel is here to manage the service restart/stop; if you want to completely disable a service, I suppose it is the role of the relevant configuration panel.

For example, you can stop fail2ban from the service panel, but I provide a status checkbox to disable the service in the fail2ban setting panel.

(Stéphane de Labrusse) #28

@mrmarkuz can we release this rpm? Is the jail not too aggressive, generating false positives (good guys banned)?

Thanks in advance

(Markus Neuberger) #29

On the test VM it works as expected: some bad guys were banned, and my SIP client can still connect.