Difference between revisions of "Fail2Ban"

From FusionPBX
Jump to: navigation, search
(Make FusionPBX log Auth Failures)
(Make FusionPBX log Auth Failures)
Line 5: Line 5:
 
*2011 Feb. 01
 
*2011 Feb. 01
 
==Make FusionPBX log Auth Failures==
 
==Make FusionPBX log Auth Failures==
vim /var/www/fusionpbx/includes/checkauth.php
+
Code added to r794 by Avi Marcus.
if (count($result) == 0) {
 
                        $strphpself = $_SERVER["PHP_SELF"];
 
                        //$strphpself = str_replace ("/", "", $strphpself);
 
                        $msg = "Username or Password were incorrect. Please try again.";
 
                        openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
 
                        syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_POST["username"]);
 
                        closelog();
 
                        header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($strphpself)."&msg=".urlencode($msg));
 
                        exit;
 
add the openlog and syslog lines
 
  
 
==Logs==
 
==Logs==

Revision as of 19:18, 1 February 2011

FreeSwitch

For information about Fail2Ban on FreeSWITCH, see their wiki

FusionPBX

  • Thank AviMarcus!
  • 2011 Feb. 01

Make FusionPBX log Auth Failures

Code added to r794 by Avi Marcus.

Logs

This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.

  • Ubuntu
    • /var/log/auth.log

Examples

incorrect username 

Feb  1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username

incorrect password 

Feb  1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin

Setting up Fail2Ban

RegEx

You can test the regex with fail2ban-regex 

'[hostname] FusionPBX: \[<HOST>\] authentication failed'

Configuration

Ubuntu

vim /etc/fail2ban/filter.d/fusionpbx.conf 

# Fail2Ban configuration file
#
# Author: soapee01
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

add the following to /etc/fail2ban/jail.local 

[fusionpbx]

enabled  = true
port     = 80,443
protocol = tcp
filter   = fusionpbx
logpath  = /var/log/auth.log
action   = iptables-allports[name=fusionpbx, protocol=all]
#          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed


/var/log/fail2ban.log will log this after 3 missed logins. 

2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1

hostname # iptables -n -L fail2ban-fusionpbx 

Chain fail2ban-fusionpbx (1 referecnes)
target    prot opt source        destination
DROP      all  --  192.168.100.1 anywhere
RETURN    all  --  anywhere      anywhere
  • Important
    • You can easily ban yourself, including current active ssh connections.
    • To unban:
hostname # iptables -n -D fail2ban-fusionpbx 1

Keep yourself from getting banned.

add to /etc/fail2ban/jail.local 

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3
Retrieved from "http://wiki.fusionpbx.com/index.php?title=Fail2Ban&oldid=825"