New fail2ban statistic feature

testing

(Stéphane de Labrusse) #1

I need your help to verify this bug

in short it is to do this

Please also remember to verify this bug; I need it before releasing it


(Markus Neuberger) #2

Great work as usual! I tested on 3 Nethservers:

✅ Now the configuration fail2ban page is only for this usage, a new menu is available in the status section
✅ Unban IP is in the status section, check you can unban an IP, check the IP list is well displayed with the fieldsetswitch, you can see also the active jails fieldsetswitch
✅ Bans statistics are available in the status section, check the statistics ban per jail is well displayed.

After unbanning in the web UI the list of banned IP is not refreshed, one has to refresh manually, not really an issue.

I noticed that the asterisk banned IP count is doubled because it’s recognized as tcp and udp. In reality I only had 3 bans. Maybe it’s because of my SIP client trying TCP and UDP…


Ban statistics look good:



(Pedro Sitan) #3

It’s a great feature. I just have a doubt: if I have already installed the fail2ban module, do I need to uninstall and reinstall? Because I applied all the available updates and it appears like always.

Or do I need to unlock the updates too?


(Stéphane de Labrusse) #4

The rpm to install is in the nethserver-testing repository

in your terminal do

yum install nethserver-fail2ban --enablerepo=nethserver-testing

It is a good habit to use a VM (in VirtualBox for example) first, then test on your real server (sometimes it is needed for specific use cases)


(Stéphane de Labrusse) #5

Please could you monitor the asterisk jail for a few days? I worry it could be too strict; maybe we could make this jail disabled by default if we are not sure.

I look after the asterisk service


(Markus Neuberger) #6

Yes, I'll test some more and give you a report.
I’d like the jail to be enabled by default because a misused asterisk could be expensive.


(Stéphane de Labrusse) #7

Thanks for reporting, I found a solution

EDIT: new rpm available


(Stéphane de Labrusse) #8

OK, please check that the jail is not too aggressive and giving false positives


(Markus Neuberger) #9

Caught an attack.
Only one IP is banned but I get 6 more banned IPs and +3 tcp and +3 udp in the statistics.

fail2ban.log:

2018-08-11 09:57:24,365 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:24,367 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:24,368 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:24,369 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:24,370 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:24,371 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:24,372 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:24,503 fail2ban.actions        [4351]: NOTICE  [asterisk] Ban 1.2.3.4
2018-08-11 09:57:25,380 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,381 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,382 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,383 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,384 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,385 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,386 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,386 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,387 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,388 fail2ban.filter         [4351]: INFO    [asterisk] Found 1.2.3.4
2018-08-11 09:57:25,472 fail2ban.filter         [4351]: INFO    [recidive] Found 1.2.3.4
2018-08-11 09:57:25,550 fail2ban.actions        [4351]: NOTICE  [asterisk] 1.2.3.4 already banned

Status:

[root@testserver ~]# fail2ban-client status asterisk
Status for the jail: asterisk
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     17
|  `- File list:        /var/log/asterisk/full
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.2.3.4

Stats:

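Added example, not part of the original thread: a small Python cross-check that tallies Found, Ban, Unban and "already banned" events per jail from fail2ban.log, so the numbers on a statistics page can be compared with what the log and `fail2ban-client status` report. The function names and the sample lines are constructed for illustration; the sample mirrors the shape of the log in post #9 (17 Found and 1 Ban for the asterisk jail).

```python
import re
from collections import Counter

# Layout of a fail2ban.log line as shown in the post above.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+\s+fail2ban\.\w+\s+"
    r"\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
IP = r"(?P<ip>[0-9A-Fa-f:.]+)"
EVENTS = [
    ("found", re.compile(rf"^Found {IP}")),
    ("unban", re.compile(rf"^Unban {IP}")),
    ("ban", re.compile(rf"^Ban {IP}")),
    ("already_banned", re.compile(rf"^{IP} already banned")),
]

def tally(lines):
    """Return ({jail: Counter(event -> n)}, {jail: set of IPs still banned})."""
    counts, banned = {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a jail event line
        for name, rx in EVENTS:
            e = rx.match(m["msg"])
            if not e:
                continue
            counts.setdefault(m["jail"], Counter())[name] += 1
            if name == "ban":  # only a real "Ban" adds to the banned set
                banned.setdefault(m["jail"], set()).add(e["ip"])
            elif name == "unban":
                banned.get(m["jail"], set()).discard(e["ip"])
            break
    return counts, banned

def _line(component, level, jail, msg, ms):
    # Helper that builds constructed sample lines in the fail2ban.log layout.
    return (f"2018-08-11 09:57:24,{ms:03d} fail2ban.{component:<15} "
            f"[4351]: {level:<7} [{jail}] {msg}")

# Constructed sample: 7 Found, 1 Ban, 10 Found, 1 recidive Found, 1 already banned.
SAMPLE = (
    [_line("filter", "INFO", "asterisk", "Found 1.2.3.4", 365 + i) for i in range(7)]
    + [_line("actions", "NOTICE", "asterisk", "Ban 1.2.3.4", 503)]
    + [_line("filter", "INFO", "asterisk", "Found 1.2.3.4", 600 + i) for i in range(10)]
    + [_line("filter", "INFO", "recidive", "Found 1.2.3.4", 772),
       _line("actions", "NOTICE", "asterisk", "1.2.3.4 already banned", 850)]
)

if __name__ == "__main__":
    for jail, c in tally(SAMPLE)[0].items():
        print(jail, dict(c))
```

On the sample, the asterisk jail tallies 17 Found and 1 Ban, which matches the "Total failed: 17" and "Total banned: 1" of the status output in the post; a statistics figure higher than the Ban count is not coming from additional Ban lines in the log.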


(Markus Neuberger) #10

You got it. Refresh works now.