Fail2Ban
Latest revision as of 21:16, 6 September 2011
FreeSwitch
For information about Fail2Ban on FreeSWITCH, see their wiki
FusionPBX
- Thank AviMarcus!
- 2011 Feb. 01
Make FusionPBX log Auth Failures
Code added to r794 by Avi Marcus.
Logs
This logs FusionPBX authentication failures to syslog using the auth facility (AUTH_LOG). Where those messages end up on disk depends on how rsyslog or syslog is configured; with the default configuration on:
- Ubuntu
- /var/log/auth.log
Examples
GUI Login
incorrect username
Feb 1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username
incorrect password
Feb 1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin
Provisioning
Derived from the code in /fusionpbx/mod/provision/index.php. Please double-check this against the actual log output!
Feb 1 12:07:27 your_hostname FusionPBX: [w.x.y.z] provision attempt bad password for AA:BB:CC:DD:EE:FF
Setting up Fail2Ban
RegEx
You can test a regex with fail2ban-regex, which takes the log file (or a single log line) as its first argument and the regex as its second. The pattern originally suggested here was
 '[hostname] FusionPBX: \[<HOST>\] authentication failed'
but [hostname] is not a placeholder: in a regex it is a character class that matches one of the letters h, o, s, t, n, a, m, e, so the pattern only matches when the real hostname happens to end in one of those letters. The filter in the Configuration section uses .* FusionPBX: instead.
Configuration
Jail Options
Every jail can be customized by tuning the following options:
Name | Default | Description |
---|---|---|
filter | (none) | Name of the filter the jail uses to detect matches. Each line matched by the filter increments the counter for that IP within the jail. |
logpath | /var/log/messages | Path to the log file that is fed to the filter. |
maxretry | 3 | Number of matches (the counter value) within findtime that triggers the ban action for the IP. |
findtime | 600 sec | Length of the sliding window in seconds: matches older than findtime no longer count toward maxretry, so an attacker who spaces attempts further apart than this is never banned. |
bantime | 600 sec | Duration (in seconds) for which the IP stays banned. |
Filter Rules
vim /etc/fail2ban/filter.d/fusionpbx.conf
 # Fail2Ban configuration file
 #
 # Author: soapee01
 #

 [Definition]

 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #         host must be matched by a group named "host". The tag "<HOST>" can
 #         be used for standard IP/hostname matching and is only an alias for
 #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 #failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
 # [hostname] is not a variable but a regex character class, so the pattern above
 # only matches hostnames that end in one of the letters h,o,s,t,n,a,m,e. Use the
 # patterns below instead. The second pattern is a continuation line: it must be
 # indented and must NOT start with "=", otherwise the "= " becomes part of the
 # regex and the provisioning failures are never matched.
 failregex = .* FusionPBX: \[<HOST>\] authentication failed for
             .* FusionPBX: \[<HOST>\] provision attempt bad password for

 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex =
Add the following to /etc/fail2ban/jail.local (jail.local overrides jail.conf and is not overwritten by package upgrades). Because the action is iptables-allports with protocol=all, a banned address is dropped on every port and protocol; the port and protocol lines only matter if you switch to the default iptables-multiport action.
 [fusionpbx]

 enabled  = true
 port     = 80,443
 protocol = tcp
 filter   = fusionpbx
 logpath  = /var/log/auth.log
 action   = iptables-allports[name=fusionpbx, protocol=all]
 #          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed
Add /etc/fail2ban/filter.d/freeswitch.conf with the contents:
 # Fail2Ban configuration file
 #
 # Author: Rupa Schomaker (first two regex)

 [Definition]

 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile. The
 #         host must be matched by a group named "host". The tag "<HOST>" can
 #         be used for standard IP/hostname matching and is only an alias for
 #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
 failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
             \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
             \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>

 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex =
Add the following jails as well, preferably to /etc/fail2ban/jail.local (editing jail.conf works but is overwritten on upgrade), and make sure logpath points at your freeswitch.log; /usr/local/freeswitch/log/freeswitch.log is the default for a source install. Both jails use iptables-allports with protocol=all, so either one already drops all traffic from a banned address; the tcp/udp split and the port list only matter if you change to the default iptables-multiport action. The sendmail-whois action needs a working local MTA, so comment it out if none is installed, as the FusionPBX jail above does.
 [freeswitch-tcp]

 enabled  = true
 port     = 5060,5061,5080,5081
 protocol = tcp
 filter   = freeswitch
 logpath  = /usr/local/freeswitch/log/freeswitch.log
 action   = iptables-allports[name=freeswitch-tcp, protocol=all]
            sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]

 [freeswitch-udp]

 enabled  = true
 port     = 5060,5061,5080,5081
 protocol = udp
 filter   = freeswitch
 logpath  = /usr/local/freeswitch/log/freeswitch.log
 action   = iptables-allports[name=freeswitch-udp, protocol=all]
            sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]
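Before pointing a jail at a live log it is worth replaying the filter over known lines and checking who would be banned. The script below is an added example, not code from this page or from the fail2ban project: it expands <HOST> exactly as the filter comments describe, runs the fusionpbx and freeswitch failregexes over constructed sample lines (hostnames and addresses are made up), and reproduces the maxretry / findtime / ignoreip decision of a jail. It also shows why the commented-out "[hostname]" pattern only works for some hostnames. The second fusionpbx pattern is written as a plain continuation line, without the stray "=".

```python
import ipaddress
import re
from collections import defaultdict, deque

# What fail2ban substitutes for <HOST> (the alias quoted in the filter comments above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex lines of the two filters on this page. The second fusionpbx pattern is a
# plain continuation line; with a leading "=" it would demand a literal "= " in the log line.
FILTERS = {
    "fusionpbx": [
        r".* FusionPBX: \[<HOST>\] authentication failed for",
        r".* FusionPBX: \[<HOST>\] provision attempt bad password for",
    ],
    "freeswitch": [
        r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
        r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
        r"\[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
    ],
}

def compile_filter(regexes):
    """Expand <HOST> the way fail2ban does and compile every failregex line."""
    return [re.compile(r.replace("<HOST>", HOST_ALIAS)) for r in regexes]

def match_host(compiled, line):
    """Host captured by the first failregex that matches the line, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

class Jail:
    """Minimal jail model: match timestamps per host in a sliding findtime window,
    ban on the maxretry-th match unless ignoreip covers the host (no bantime expiry)."""
    def __init__(self, regexes, maxretry=3, findtime=600, ignoreip=()):
        self.compiled = compile_filter(regexes)
        self.maxretry, self.findtime = maxretry, findtime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.hits, self.banned = defaultdict(deque), []

    def ignored(self, host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # DNS names in ignoreip are not resolved in this model
        return any(addr in net for net in self.ignore)

    def feed(self, ts, line):
        """Process one log line seen at ts seconds; return the host if it gets banned now."""
        host = match_host(self.compiled, line)
        if host is None or self.ignored(host):
            return None
        window = self.hits[host]
        window.append(ts)
        while ts - window[0] > self.findtime:  # drop matches older than findtime
            window.popleft()
        if len(window) >= self.maxretry and host not in self.banned:
            self.banned.append(host)
            return host
        return None

# Constructed sample lines in the formats shown above; hosts and addresses are made up.
# 203.0.113.7 fails three times inside findtime, 192.168.0.99 is covered by ignoreip,
# 198.51.100.2 spaces its attempts more than findtime apart and is never banned.
AUTH_LOG = [
    (0, "Feb  1 11:35:11 pbx1 FusionPBX: [203.0.113.7] authentication failed for admin"),
    (10, "Feb  1 11:35:21 pbx1 FusionPBX: [198.51.100.2] authentication failed for admin"),
    (20, "Feb  1 11:35:31 pbx1 FusionPBX: [203.0.113.7] authentication failed for superadmin"),
    (40, "Feb  1 11:35:51 pbx1 FusionPBX: [203.0.113.7] provision attempt bad password for AA:BB:CC:DD:EE:FF"),
    (50, "Feb  1 11:36:01 pbx1 FusionPBX: [192.168.0.99] authentication failed for admin"),
    (51, "Feb  1 11:36:02 pbx1 FusionPBX: [192.168.0.99] authentication failed for admin"),
    (52, "Feb  1 11:36:03 pbx1 FusionPBX: [192.168.0.99] authentication failed for admin"),
    (700, "Feb  1 11:46:51 pbx1 FusionPBX: [198.51.100.2] authentication failed for admin"),
    (1400, "Feb  1 11:58:31 pbx1 FusionPBX: [198.51.100.2] authentication failed for admin"),
]
FS_PREFIX = "2011-02-01 12:00:00.000000 [WARNING] sofia_reg.c:1583 SIP auth "
FS_LOG = [
    (0, FS_PREFIX + "failure (REGISTER) on sofia profile 'internal' for [1001@pbx1.example] from ip 203.0.113.9"),
    (5, FS_PREFIX + "challenge (REGISTER) on sofia profile 'internal' for [1001@pbx1.example] from ip 203.0.113.9"),
    (9, FS_PREFIX + "failure (INVITE) on sofia profile 'internal' for [1001@pbx1.example] from ip 203.0.113.9"),
]

def hostname_class_pitfall():
    """Why the commented-out "[hostname]" regex is unreliable: it is a character class, so the
    line only matches when the last character of the real hostname is one of h,o,s,t,n,a,m,e."""
    rx = re.compile(r"[hostname] FusionPBX: \[<HOST>\] authentication failed".replace("<HOST>", HOST_ALIAS))
    line = "Feb  1 11:35:11 %s FusionPBX: [203.0.113.7] authentication failed for admin"
    return {h: bool(rx.search(line % h)) for h in ("your_hostname", "pbx1")}

def demo():
    """Run both filters over the sample lines; returns the hosts each jail would ban."""
    pbx = Jail(FILTERS["fusionpbx"], ignoreip=("127.0.0.1", "192.168.0.99"))
    fs = Jail(FILTERS["freeswitch"])
    for jail, events in ((pbx, AUTH_LOG), (fs, FS_LOG)):
        for ts, line in events:
            jail.feed(ts, line)
    return {"fusionpbx_bans": pbx.banned, "freeswitch_bans": fs.banned,
            "pitfall": hostname_class_pitfall()}
```

Call demo() to see the result: only 203.0.113.7 and 203.0.113.9 end up banned, 192.168.0.99 is skipped because of ignoreip, and 198.51.100.2 slips through because its attempts are spread wider than findtime, which is the trade-off to keep in mind when choosing findtime and maxretry. The pitfall check returns True for a host called your_hostname and False for pbx1.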
/var/log/fail2ban.log will record the ban after 3 failed logins within findtime:
 2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1
and the address shows up as a DROP rule in the jail's chain:
 hostname # iptables -L fail2ban-fusionpbx
 Chain fail2ban-fusionpbx (1 references)
 target     prot opt source               destination
 DROP       all  --  192.168.100.1        anywhere
 RETURN     all  --  anywhere             anywhere
- Important
- You can easily ban yourself, including currently active ssh connections, because iptables-allports drops all traffic from the banned address.
- To unban, delete the DROP rule for your address from the jail's chain:
 hostname # iptables -D fail2ban-fusionpbx -s 192.168.100.1 -j DROP
Deleting by rule number (iptables -D fail2ban-fusionpbx 1) also works, but rule 1 is simply the most recent ban, so check with iptables -L fail2ban-fusionpbx --line-numbers first to be sure it is yours.
Keep yourself from getting banned.
Add to /etc/fail2ban/jail.local:
 [DEFAULT]
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = 127.0.0.1 192.168.0.99
 bantime  = 600
 maxretry = 3
Errors
If you're seeing something like this in your fail2ban logfile:
 2011-02-27 14:11:42,326 fail2ban.actions.action: ERROR iptables -N fail2ban-freeswitch-tcp
a short pause between the commands fail2ban-client sends to the server at start-up works around it. Add a time.sleep(0.1) to the command loop in /usr/bin/fail2ban-client (if the script does not already import time, add the import as well):
 def __processCmd(self, cmd, showRet = True):
     beautifier = Beautifier()
     for c in cmd:
         time.sleep(0.1)
         beautifier.setInputCmd(c)
or, with GNU sed (the \n and \t in the replacement are GNU extensions, and the three tabs assume the file is tab-indented):
 sed -i -e s,beautifier\.setInputCmd\(c\),'time.sleep\(0\.1\)\n\t\t\tbeautifier.setInputCmd\(c\)', /usr/bin/fail2ban-client
Source: fail2ban wiki, http://www.fail2ban.org/wiki/index.php/Fail2ban_talk:Community_Portal#fail2ban.action.action_ERROR_on_startup.2Frestart