Fail2Ban

=FreeSwitch=
For information about Fail2Ban on FreeSWITCH, see their wiki

=FusionPBX=
 * Thank AviMarcus!
 * 2011 Feb. 01

Make FusionPBX log Auth Failures
Edit checkauth.php and add the openlog and syslog lines:

    vim /var/www/fusionpbx/includes/checkauth.php

    if (count($result) == 0) {
        $strphpself = $_SERVER["PHP_SELF"];
        //$strphpself = str_replace ("/", "", $strphpself);
        $msg = "Username or Password were incorrect. Please try again.";
        // Added: write the failed login to syslog (auth facility) so Fail2Ban can read it.
        // Note that $_POST["username"] is client-supplied and is logged as received.
        openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
        syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_POST["username"]);
        header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($strphpself)."&msg=".urlencode($msg));
        exit;
    }

Logs
This will log FusionPBX authentication failures to syslog (AUTH_LOG). The location of this file depends on how rsyslog or syslog is configured.
 * Ubuntu: /var/log/auth.log

Examples
incorrect username

    Feb 1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username

incorrect password

    Feb 1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin

=Setting up Fail2Ban=

RegEx
You can test the regex against the log file with fail2ban-regex:

    fail2ban-regex /var/log/auth.log '[hostname] FusionPBX: \[<HOST>\] authentication failed'

Ubuntu
vim /etc/fail2ban/filter.d/fusionpbx.conf

    # Fail2Ban configuration file
    #
    # Author: soapee01
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

add the following to /etc/fail2ban/jail.local

    [fusionpbx]
    enabled  = true
    port     = 80,443
    protocol = tcp
    filter   = fusionpbx
    logpath  = /var/log/auth.log
    action   = iptables-allports[name=fusionpbx, protocol=all]
    #          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed

/var/log/fail2ban.log will log this after 3 missed logins.

    2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1

    hostname # iptables -n -L fail2ban-fusionpbx
    Chain fail2ban-fusionpbx (1 references)
    target   prot opt source        destination
    DROP     all  --  192.168.100.1 anywhere
    RETURN   all  --  anywhere      anywhere

 * Important
 * You can easily ban yourself, including current active ssh connections.
 * To unban:

    hostname # iptables -n -D fail2ban-fusionpbx 1

Keep yourself from getting banned.
add to /etc/fail2ban/jail.local

    [DEFAULT]
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 192.168.0.99
    bantime  = 600
    maxretry = 3
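
An offline check of the filter and jail settings above, as an added example (not part of the original page and not Fail2Ban's own code): it expands <HOST> with the alias quoted in the filter comment, searches constructed log lines with the regex, and lists the hosts that reach maxretry and are not in ignoreip. It also shows that [hostname] is read as a one-character class, so the page's pattern stops matching when the logging host's name ends in a character outside that set. The hostname pbx01, the \S+ variant and the exact-match handling of ignoreip are assumptions, and findtime is not modelled.

```python
import re
from collections import Counter

# Alias for the <HOST> tag, as quoted in the filter's comment header.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PAGE_REGEX = r"[hostname] FusionPBX: \[<HOST>\] authentication failed"
# Assumption: variant that accepts any hostname token before the ident.
ANY_HOST_REGEX = r"\S+ FusionPBX: \[<HOST>\] authentication failed"
IGNOREIP = {"127.0.0.1", "192.168.0.99"}  # values from the page's [DEFAULT]
MAXRETRY = 3

# Constructed sample lines in the page's log format (documentation addresses).
SAMPLE_LOG = """\
Feb 1 11:35:11 your_hostname FusionPBX: [203.0.113.7] authentication failed for login_username
Feb 1 11:35:19 your_hostname FusionPBX: [203.0.113.7] authentication failed for superadmin
Feb 1 11:35:25 your_hostname FusionPBX: [203.0.113.7] authentication failed for superadmin
Feb 1 11:36:02 your_hostname FusionPBX: [192.168.0.99] authentication failed for admin
Feb 1 11:36:04 your_hostname FusionPBX: [192.168.0.99] authentication failed for admin
Feb 1 11:36:09 your_hostname FusionPBX: [192.168.0.99] authentication failed for admin
Feb 1 11:37:40 your_hostname sshd[811]: Accepted publickey for root from 198.51.100.4
""".splitlines()


def compile_failregex(failregex):
    """Expand the <HOST> tag as the filter comment describes, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def failures(lines, failregex):
    """Count matching lines per captured host (a search, not a full match)."""
    rx = compile_failregex(failregex)
    hits = (rx.search(line) for line in lines)
    return Counter(m.group("host") for m in hits if m)


def would_ban(lines, failregex, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Hosts with at least maxretry failures, minus exact ignoreip entries."""
    counts = failures(lines, failregex)
    return sorted(h for h, n in counts.items()
                  if n >= maxretry and h not in ignoreip)


if __name__ == "__main__":
    print("page regex:", would_ban(SAMPLE_LOG, PAGE_REGEX))
    renamed = [l.replace("your_hostname", "pbx01") for l in SAMPLE_LOG]
    print("page regex, host pbx01:", would_ban(renamed, PAGE_REGEX))
    print("any-host regex, host pbx01:", would_ban(renamed, ANY_HOST_REGEX))
```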