Difference between revisions of "Fail2Ban"

From FusionPBX
Jump to: navigation, search
(Make FusionPBX log Auth Failures)
m (Configuration)
Line 22: Line 22:
 
  '[hostname] FusionPBX: \[<HOST>\] authentication failed'
 
  '[hostname] FusionPBX: \[<HOST>\] authentication failed'
 
==Configuration==
 
==Configuration==
 +
==== Jail Options ====
 +
 +
Every jail can be customized by tuning following options:
 +
 +
{| border="1"
 +
|+ Jail Options
 +
! Name !! Default !! Description
 +
|-
 +
! filter ||
 +
| Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail
 +
|-
 +
! logpath || /var/log/messages
 +
| Path to the log file which is provided to the filter
 +
|-
 +
! maxretry || 3
 +
| Number of matches (i.e. value of the counter) which triggers ban action on the IP.
 +
|-
 +
! findtime || 600 sec
 +
| The counter is set to zero if no match is found within "findtime" seconds.
 +
|-
 +
! bantime || 600 sec
 +
| Duration (in seconds) for IP to be banned for.
 +
|}
 +
 
===Ubuntu===
 
===Ubuntu===
 
vim /etc/fail2ban/filter.d/fusionpbx.conf
 
vim /etc/fail2ban/filter.d/fusionpbx.conf

Revision as of 19:34, 1 February 2011

FreeSwitch

For information about Fail2Ban on FreeSWITCH, see their wiki

FusionPBX

  • Thank AviMarcus!
  • 2011 Feb. 01

Make FusionPBX log Auth Failures

Code added to r794 by Avi Marcus.

Logs

This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.

  • Ubuntu
    • /var/log/auth.log

Examples

incorrect username

Feb  1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username

incorrect password

Feb  1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin

Setting up Fail2Ban

RegEx

You can test the regex with fail2ban-regex

'[hostname] FusionPBX: \[<HOST>\] authentication failed'

Configuration

Jail Options

Every jail can be customized by tuning following options:

Jail Options
Name Default Description
filter Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail
logpath /var/log/messages Path to the log file which is provided to the filter
maxretry 3 Number of matches (i.e. value of the counter) which triggers ban action on the IP.
findtime 600 sec The counter is set to zero if no match is found within "findtime" seconds.
bantime 600 sec Duration (in seconds) for IP to be banned for.

Ubuntu

vim /etc/fail2ban/filter.d/fusionpbx.conf

# Fail2Ban configuration file
#
# Author: soapee01
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

add the following to /etc/fail2ban/jail.local

[fusionpbx]

enabled  = true
port     = 80,443
protocol = tcp
filter   = fusionpbx
logpath  = /var/log/auth.log
action   = iptables-allports[name=fusionpbx, protocol=all]
#          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed


/var/log/fail2ban.log will log this after 3 missed logins.

2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1

hostname # iptables -n -L fail2ban-fusionpbx

Chain fail2ban-fusionpbx (1 referecnes)
target    prot opt source        destination
DROP      all  --  192.168.100.1 anywhere
RETURN    all  --  anywhere      anywhere
  • Important
    • You can easily ban yourself, including current active ssh connections.
    • To unban:
hostname # iptables -n -D fail2ban-fusionpbx 1

Keep yourself from getting banned.

add to /etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3