Fail2Ban : Asterisk jail doesn't follow the "Email Notification" setting

Hi there,

For a while now I have been receiving tons and tons of fail2ban messages related to script kiddies trying to hack my FreePBX / Asterisk server. There are so many that it just floods my email account for nothing.

The strange thing is that the “Email Notification” setting is off:

# config show fail2ban
fail2ban=service
ApacheAuth_status=true
ApacheBadbots_status=true
ApacheBotsearch_status=false
ApacheFakegooglebot_status=true
ApacheModsecurity_status=true
ApacheNohome_status=true
ApacheNoscript_status=true
ApacheOverflows_status=true
ApachePhpMyAdmin_status=true
ApacheScan_status=true
ApacheShellshock_status=true
Apache_MaxRetry=
AsteriskAuth_status=true
BanAction=shorewall-nethserver
BanLocalNetwork=enabled
BanTime=1800
CustomDestemail=servers@gaillet.be
Dovecot_MaxRetry=
Dovecot_status=true
EjabberAuth_status=true
Ejabber_MaxRetry=
FindTime=1800
HttpdAdmin_MaxRetry=
HttpdAdmin_status=true
IgnoreIP=
LogLevel=INFO
----> >>>> Mail=disabled <<<<--------
MailJailState=enabled
MaxRetry=5
MysqldAuth_status=true
Mysqld_MaxRetry=
Nextcloud_MaxRetry=
Nextcloud_status=true
NginxBotSearch_status=true
NginxHttpAuth_status=true
Nginx_MaxRetry=
OpenVpnAuth_status=true
OpenVpn_MaxRetry=
Owncloud_MaxRetry=
Owncloud_status=true
PamGeneric_MaxRetry=
PamGeneric_status=true
PostfixRbl_status=true
PostfixSaslAbuse_IgnoreIP=
PostfixSaslAbuse_MaxRetry=
PostfixSaslAbuse_status=true
Postfix_MaxRetry=
Postfix_status=true
Recidive_MaxRetry=
Recidive_Perpetual=enabled
Recidive_status=true
Roundcube_MaxRetry=
Roundcube_status=true
Rspamd_MaxRetry=
Rspamd_status=true
Sieve_MaxRetry=
Sieve_status=true
SogoAuth_status=true
Sogo_MaxRetry=
SshdDdos_status=true
Sshd_MaxRetry=
Sshd_status=true
Urbackup_MaxRetry=
Urbackup_status=true
Vsftpd_MaxRetry=
Vsftpd_status=true
Webtop_MaxRetry=
Webtop_status=true
status=enabled

And indeed I see that the asterisk jail doesn’t follow that setting:

# fail2ban-client -d | grep mail
['set', 'asterisk', 'addaction', 'sendmail-whois']
['set', 'asterisk', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'asterisk', 'action', 'sendmail-whois', 'actionstop', '']
['set', 'asterisk', 'action', 'sendmail-whois', 'actionstart', '']
['set', 'asterisk', 'action', 'sendmail-whois', 'actionunban', '']
['set', 'asterisk', 'action', 'sendmail-whois', 'actioncheck', '']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/known/sendername', 'Fail2Ban']
['set', 'asterisk', 'action', 'sendmail-whois', 'sender', 'fail2ban']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/sender', 'fail2ban']
['set', 'asterisk', 'action', 'sendmail-whois', 'dest', 'root@mattlabs.gaillet.be, servers@gaillet.be']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/known/dest', 'root']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/__name__', 'Init']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/sendername', 'Fail2Ban']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/known/sender', 'fail2ban']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/name', 'default']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/dest', 'root']
['set', 'asterisk', 'action', 'sendmail-whois', 'known/known/__name__', 'Init']
['set', 'asterisk', 'action', 'sendmail-whois', 'sendername', 'Fail2Ban']
['set', 'asterisk', 'action', 'sendmail-whois', 'name', 'asterisk']
['set', 'postfix-ddos', 'addlogpath', '/var/log/maillog', 'head']
['set', 'postfix-sasl-abuse', 'addlogpath', '/var/log/maillog', 'head']

I can’t find where those rules are defined. I’m wondering if FreePBX could install its own set of rules / jails, but where? I noticed that there are two sets of jails defined, asterisk and asterisk_nethserver, in jail.local:

[asterisk]
enabled  = true
port     = 5060,5038,8088,8089,5061
logpath  = /var/log/asterisk/full
maxretry = 10

[asterisk_nethserver]
enabled  = true
port     = 5060,5038,8088,8089,5061
logpath  = /var/log/asterisk/full
maxretry = 10

Can anybody help? @Stll0 maybe? Tes

In /etc/fail2ban/jail.conf the asterisk jail is set to send email whatever our configuration:

       %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]

In /etc/e-smith/templates/etc/fail2ban/jail.local/10asterisk, try to add to the asterisk and asterisk_nethserver jails:

action = %(action_)s

then:

signal-event nethserver-fail2ban-save

Please report.

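Both the original report (the `fail2ban-client -d | grep mail` check) and the fix above come down to the same question: which jails still register a mail-sending action in the live fail2ban configuration, regardless of what `config show fail2ban` says. The following is an added example, not code from the thread or from nethserver-fail2ban. It filters the `['set', '<jail>', 'addaction', '<action>']` lines of a `fail2ban-client -d` dump (the line shape shown in the post is assumed) and prints each jail that adds an action whose name contains "mail", so the check can be repeated after the template change. The dump embedded below is constructed for the example; on a real server pipe `fail2ban-client -d` into the function instead.

```shell
#!/bin/sh
# Added example: report jails that add a mail action in a fail2ban-client -d dump.

# Constructed sample dump, mimicking the line shape from the post
# (not real output from any server).
SAMPLE_DUMP="['set', 'asterisk', 'addaction', 'sendmail-whois']
['set', 'asterisk', 'action', 'sendmail-whois', 'dest', 'root']
['set', 'sshd', 'addaction', 'shorewall-nethserver']
['set', 'postfix-ddos', 'addlogpath', '/var/log/maillog', 'head']
['set', 'dovecot', 'addaction', 'mail-whois']"

# mail_jails: read a fail2ban-client -d dump on stdin and print, one per
# line and without duplicates, every jail whose 'addaction' entry names an
# action containing "mail" (sendmail-whois, mail-whois, ...).
# Only 'addaction' lines are considered, so the 'maillog' logpath line
# and the per-action 'dest' lines are ignored.
mail_jails() {
    sed -n "s/^\['set', '\([^']*\)', 'addaction', '[^']*mail[^']*'\]\$/\1/p" | sort -u
}

# Usage on a live system:   fail2ban-client -d | mail_jails
# With the constructed sample it prints "asterisk" and "dovecot":
printf '%s\n' "$SAMPLE_DUMP" | mail_jails
```

After the template fix has been applied and `signal-event nethserver-fail2ban-save` has run, the expected result with `Mail=disabled` is an empty list: no jail should appear at all.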

Looks good!

# fail2ban-client -d | grep mail
['set', 'postfix-ddos', 'addlogpath', '/var/log/maillog', 'head']
['set', 'postfix-sasl-abuse', 'addlogpath', '/var/log/maillog', 'head']

Confirmed. asterisk jail just banned someone, but no more mails. Thanks @stephdl !


I will commit; please stay available to do the QA.

@pagaille, could you please do the QA?

https://github.com/NethServer/dev/issues/5829#issuecomment-529932717

yum update nethserver-fail2ban --enablerepo=nethserver-testing


Thanks for having verified it, mister Matthieu; released as 1.1.10.
