Difference between revisions of "Fail2Ban"
From FusionPBX
(→Make FusionPBX log Auth Failures) |
m (→Configuration) |
||
| Line 22: | Line 22: | ||
'[hostname] FusionPBX: \[<HOST>\] authentication failed' | '[hostname] FusionPBX: \[<HOST>\] authentication failed' | ||
==Configuration== | ==Configuration== | ||
| + | ==== Jail Options ==== | ||
| + | |||
| + | Every jail can be customized by tuning following options: | ||
| + | |||
| + | {| border="1" | ||
| + | |+ Jail Options | ||
| + | ! Name !! Default !! Description | ||
| + | |- | ||
| + | ! filter || | ||
| + | | Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail | ||
| + | |- | ||
| + | ! logpath || /var/log/messages | ||
| + | | Path to the log file which is provided to the filter | ||
| + | |- | ||
| + | ! maxretry || 3 | ||
| + | | Number of matches (i.e. value of the counter) which triggers ban action on the IP. | ||
| + | |- | ||
| + | ! findtime || 600 sec | ||
| + | | The counter is set to zero if no match is found within "findtime" seconds. | ||
| + | |- | ||
| + | ! bantime || 600 sec | ||
| + | | Duration (in seconds) for IP to be banned for. | ||
| + | |} | ||
| + | |||
===Ubuntu=== | ===Ubuntu=== | ||
vim /etc/fail2ban/filter.d/fusionpbx.conf | vim /etc/fail2ban/filter.d/fusionpbx.conf | ||
Revision as of 19:34, 1 February 2011
Contents
FreeSwitch
For information about Fail2Ban on FreeSWITCH, see their wiki
FusionPBX
- Thank AviMarcus!
- 2011 Feb. 01
Make FusionPBX log Auth Failures
Code added to r794 by Avi Marcus.
Logs
This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.
- Ubuntu
- /var/log/auth.log
Examples
incorrect username
Feb 1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username
incorrect password
Feb 1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin
Setting up Fail2Ban
RegEx
You can test the regex with fail2ban-regex
'[hostname] FusionPBX: \[<HOST>\] authentication failed'
Configuration
Jail Options
Every jail can be customized by tuning following options:
| Name | Default | Description |
|---|---|---|
| filter | Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail | |
| logpath | /var/log/messages | Path to the log file which is provided to the filter |
| maxretry | 3 | Number of matches (i.e. value of the counter) which triggers ban action on the IP. |
| findtime | 600 sec | The counter is set to zero if no match is found within "findtime" seconds. |
| bantime | 600 sec | Duration (in seconds) for IP to be banned for. |
Ubuntu
vim /etc/fail2ban/filter.d/fusionpbx.conf
# Fail2Ban configuration file
#
# Author: soapee01
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
add the following to /etc/fail2ban/jail.local
[fusionpbx] enabled = true port = 80,443 protocol = tcp filter = fusionpbx logpath = /var/log/auth.log action = iptables-allports[name=fusionpbx, protocol=all] # sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed
/var/log/fail2ban.log will log this after 3 missed logins.
2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1
hostname # iptables -n -L fail2ban-fusionpbx
Chain fail2ban-fusionpbx (1 referecnes) target prot opt source destination DROP all -- 192.168.100.1 anywhere RETURN all -- anywhere anywhere
- Important
- You can easily ban yourself, including current active ssh connections.
- To unban:
hostname # iptables -n -D fail2ban-fusionpbx 1
Keep yourself from getting banned.
add to /etc/fail2ban/jail.local
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 192.168.0.99 bantime = 600 maxretry = 3
