Fail2Ban

=FreeSwitch=
For information about Fail2Ban on FreeSWITCH, see their wiki.

=FusionPBX=
 * Thanks AviMarcus!
 * 2011 Feb. 01

Make FusionPBX log Auth Failures
Code added to r794 by Avi Marcus.

Logs
This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog or syslog is configured.
 * Ubuntu: /var/log/auth.log

GUI Login
incorrect username:
 Feb 1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username
incorrect password:
 Feb 1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin

Provisioning
Created from the code in /fusionpbx/mod/provision/index.php. Please double-check this!
 Feb 1 12:07:27 your_hostname FusionPBX: [w.x.y.z] provision attempt bad password for AA:BB:CC:DD:EE:FF

=Setting up Fail2Ban=

RegEx
You can test the regex with fail2ban-regex, which takes the log file (or a single log line) as its first argument and the regex as its second; using the page's logpath:
 fail2ban-regex /var/log/auth.log '[hostname] FusionPBX: \[<HOST>\] authentication failed'

Jail Options
Every jail can be customized by tuning the following options:

Filter Rules
 vim /etc/fail2ban/filter.d/fusionpbx.conf

 # Fail2Ban configuration file
 # Author: soapee01
 #
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 # failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
 # [hostname] variable doesn't seem to work in every case. Do this instead:
 failregex = .* FusionPBX: \[<HOST>\] authentication failed for
             .* FusionPBX: \[<HOST>\] provision attempt bad password for
 #
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 ignoreregex =

Note that [hostname] is not a fail2ban tag: inside a regex it is a character class matching a single letter from "hostname", which is why the commented-out form does not match reliably. The leading .* in the working form skips the syslog hostname and any other prefix fail2ban has not already stripped. A second failregex line is written as an indented continuation of the first.

Add the following to /etc/fail2ban/jail.local:
 [fusionpbx]
 enabled  = true
 port     = 80,443
 protocol = tcp
 filter   = fusionpbx
 logpath  = /var/log/auth.log
 action   = iptables-allports[name=fusionpbx, protocol=all]
 #          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed

Note that the iptables-allports action ignores the port setting: a banned host is dropped on every port, not only 80 and 443.

/var/log/fail2ban.log will log this after 3 missed logins:
 2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1

The ban appears as a DROP rule in the jail's iptables chain:
 hostname # iptables -n -L fail2ban-fusionpbx
 Chain fail2ban-fusionpbx (1 references)
 target     prot opt source               destination
 DROP       all  --  192.168.100.1        anywhere
 RETURN     all  --  anywhere             anywhere

 * Important
 * You can easily ban yourself, including current active ssh connections, because the allports action drops every port.
 * To unban, delete the DROP rule from the jail's chain (rule 1 in the listing above):
 hostname # iptables -n -D fail2ban-fusionpbx 1

Keep yourself from getting banned.
Add to /etc/fail2ban/jail.local:
 [DEFAULT]
 ignoreip = 127.0.0.1 192.168.0.99
 bantime  = 600
 maxretry = 3
 * "ignoreip" can be an IP address, a CIDR mask or a DNS host
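To see how the filter rules and the jail settings above work together before touching a live box, the following Python script replays the page's two failregex lines and its maxretry/ignoreip values against a handful of syslog lines. It is an added example, not code from the page or from fail2ban itself. It assumes fail2ban's default findtime of 600 s (the page's jail.local does not set one), assumes the year 2011 for the year-less syslog timestamps, uses constructed log lines with TEST-NET addresses, and does not resolve DNS names listed in ignoreip.

```python
"""Replay the page's fusionpbx jail offline: apply its failregex lines to
constructed auth.log entries, honour ignoreip, and decide when a ban fires."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this named group (the alias quoted on the page).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex lines from the page's /etc/fail2ban/filter.d/fusionpbx.conf.
FAILREGEX = [
    r".* FusionPBX: \[<HOST>\] authentication failed for",
    r".* FusionPBX: \[<HOST>\] provision attempt bad password for",
]

# Jail values from the page's jail.local. findtime is not set there, so the
# fail2ban default of 600 s is assumed.
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)
IGNOREIP = ["127.0.0.1", "192.168.0.99"]

# Syslog prefix that fail2ban strips before matching. Syslog timestamps carry
# no year, so 2011 (the year of the page's log samples) is assumed.
SYSLOG_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
LOG_YEAR = 2011

# Constructed sample log (TEST-NET addresses), not a capture from a real host.
SAMPLE_AUTH_LOG = """\
Feb  1 11:35:11 your_hostname FusionPBX: [203.0.113.5] authentication failed for admin
Feb  1 11:35:20 your_hostname FusionPBX: [203.0.113.5] authentication failed for admin
Feb  1 11:35:31 your_hostname FusionPBX: [203.0.113.5] provision attempt bad password for AA:BB:CC:DD:EE:FF
Feb  1 11:36:02 your_hostname FusionPBX: [192.168.0.99] authentication failed for superadmin
Feb  1 11:36:05 your_hostname FusionPBX: [192.168.0.99] authentication failed for superadmin
Feb  1 11:36:09 your_hostname FusionPBX: [192.168.0.99] authentication failed for superadmin
Feb  1 11:40:00 your_hostname sshd[1234]: Failed password for root from 203.0.113.9 port 2222 ssh2
Feb  1 12:07:27 your_hostname FusionPBX: [198.51.100.7] authentication failed for superadmin
Feb  1 12:30:00 your_hostname FusionPBX: [198.51.100.7] authentication failed for superadmin
Feb  1 12:31:00 your_hostname FusionPBX: [198.51.100.7] authentication failed for superadmin
""".splitlines()


def compile_failregex(patterns=FAILREGEX):
    """Substitute <HOST> the way fail2ban does and compile each rule."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def match_failure(line, compiled=None):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    compiled = compiled or compile_failregex()
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    for rx in compiled:
        hit = rx.match(m.group("rest"))
        if hit:
            return ts, hit.group("host")
    return None


def is_ignored(host, ignoreip=IGNOREIP):
    """ignoreip entries may be a bare IP or a CIDR mask; DNS names are not
    resolved in this offline simulation and therefore never match."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    for entry in ignoreip:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines; return [(host, ban_timestamp)] in the order bans would fire."""
    compiled = compile_failregex()
    recent = defaultdict(list)  # host -> timestamps of failures still inside findtime
    bans = []
    for line in lines:
        hit = match_failure(line, compiled)
        if hit is None:
            continue
        ts, host = hit
        if is_ignored(host):
            continue
        window = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(window) >= maxretry:
            bans.append((host, ts))
            window = []  # counter resets once the host is banned
        recent[host] = window
    return bans


if __name__ == "__main__":
    for host, ts in scan(SAMPLE_AUTH_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [fusionpbx] Ban {host}")
```

Run as a script it prints one fail2ban.log-style Ban line for 203.0.113.5, whose third failure (a provisioning failure, matched by the second failregex) lands within 600 s of the first two. The three failures from 192.168.0.99 are dropped by ignoreip, the sshd line never matches, and 198.51.100.7 is not banned because its first failure falls outside the findtime window; widen findtime and that host is banned too.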

Errors
If you're seeing something like this in your fail2ban logfile:
 2011-02-27 14:11:42,326 fail2ban.actions.action: ERROR iptables -N fail2ban-freeswitch-tcp
add the time.sleep(0.1) to /usr/bin/fail2ban-client:
 def __processCmd(self, cmd, showRet = True):
     beautifier = Beautifier()
     for c in cmd:
         time.sleep(0.1)
         beautifier.setInputCmd(c)

or, with sed (the inserted line is tab-indented to match the file's own indentation):
 sed -i -e 's,beautifier\.setInputCmd(c),time.sleep(0.1)\n\t\t\tbeautifier.setInputCmd(c),' /usr/bin/fail2ban-client

Source: fail2ban wiki