Difference between revisions of "Fail2Ban"

From FusionPBX
Jump to: navigation, search
(Created page with "=FreeSwitch= For information about Fail2Ban on FreeSWITCH, [http://wiki.freeswitch.org/wiki/Fail2ban see their wiki] =FusionPBX= *Thank AviMarcus! *2011 Feb. 01 ==Make FusionPBX ...")
 
(Make FusionPBX log Auth Failures)
Line 12: Line 12:
 
                         openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
 
                         openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
 
                         syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_POST["username"]);
 
                         syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_POST["username"]);
 +
                        closelog();
 
                         header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($strphpself)."&msg=".urlencode($msg));
 
                         header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($strphpself)."&msg=".urlencode($msg));
 
                         exit;
 
                         exit;
 
add the openlog and syslog lines
 
add the openlog and syslog lines
 +
 
==Logs==
 
==Logs==
 
This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.
 
This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.

Revision as of 18:56, 1 February 2011

FreeSwitch

For information about Fail2Ban on FreeSWITCH, see their wiki

FusionPBX

  • Thank AviMarcus!
  • 2011 Feb. 01

Make FusionPBX log Auth Failures

vim /var/www/fusionpbx/includes/checkauth.php

if (count($result) == 0) {
                       $strphpself = $_SERVER["PHP_SELF"];
                       //$strphpself = str_replace ("/", "", $strphpself);
                       $msg = "Username or Password were incorrect. Please try again.";
                       openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
                       syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_POST["username"]);
                       closelog();
                       header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($strphpself)."&msg=".urlencode($msg));
                       exit;

add the openlog and syslog lines

Logs

This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.

  • Ubuntu
    • /var/log/auth.log

Examples

incorrect username

Feb  1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username

incorrect password

Feb  1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin

Setting up Fail2Ban

RegEx

You can test the regex with fail2ban-regex

'[hostname] FusionPBX: \[<HOST>\] authentication failed'

Configuration

Ubuntu

vim /etc/fail2ban/filter.d/fusionpbx.conf

# Fail2Ban configuration file
#
# Author: soapee01
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

add the following to /etc/fail2ban/jail.local

[fusionpbx]

enabled  = true
port     = 80,443
protocol = tcp
filter   = fusionpbx
logpath  = /var/log/auth.log
action   = iptables-allports[name=fusionpbx, protocol=all]
#          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed


/var/log/fail2ban.log will log this after 3 missed logins.

2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1

hostname # iptables -n -L fail2ban-fusionpbx

Chain fail2ban-fusionpbx (1 referecnes)
target    prot opt source        destination
DROP      all  --  192.168.100.1 anywhere
RETURN    all  --  anywhere      anywhere
  • Important
    • You can easily ban yourself, including current active ssh connections.
    • To unban:
hostname # iptables -n -D fail2ban-fusionpbx 1

Keep yourself from getting banned.

add to /etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3