Fail2Ban

From FusionPBX
Revision as of 18:48, 1 February 2011 by Soapee01 (talk | contribs) (Created page with "=FreeSwitch= For information about Fail2Ban on FreeSWITCH, [http://wiki.freeswitch.org/wiki/Fail2ban see their wiki] =FusionPBX= *Thank AviMarcus! *2011 Feb. 01 ==Make FusionPBX ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

FreeSwitch

For information about Fail2Ban on FreeSWITCH, see their wiki

FusionPBX

  • Thank AviMarcus!
  • 2011 Feb. 01

Make FusionPBX log Auth Failures

vim /var/www/fusionpbx/includes/checkauth.php 

if (count($result) == 0) {
                       $strphpself = $_SERVER["PHP_SELF"];
                       //$strphpself = str_replace ("/", "", $strphpself);
                       $msg = "Username or Password were incorrect. Please try again.";
                       openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
                       syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_POST["username"]);
                       header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($strphpself)."&msg=".urlencode($msg));
                       exit;

add the openlog and syslog lines

Logs

This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.

  • Ubuntu
    • /var/log/auth.log

Examples

incorrect username 

Feb  1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username

incorrect password 

Feb  1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin

Setting up Fail2Ban

RegEx

You can test the regex with fail2ban-regex 

'[hostname] FusionPBX: \[<HOST>\] authentication failed'

Configuration

Ubuntu

vim /etc/fail2ban/filter.d/fusionpbx.conf 

# Fail2Ban configuration file
#
# Author: soapee01
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

add the following to /etc/fail2ban/jail.local 

[fusionpbx]

enabled  = true
port     = 80,443
protocol = tcp
filter   = fusionpbx
logpath  = /var/log/auth.log
action   = iptables-allports[name=fusionpbx, protocol=all]
#          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed


/var/log/fail2ban.log will log this after 3 missed logins. 

2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1

hostname # iptables -n -L fail2ban-fusionpbx 

Chain fail2ban-fusionpbx (1 referecnes)
target    prot opt source        destination
DROP      all  --  192.168.100.1 anywhere
RETURN    all  --  anywhere      anywhere
  • Important
    • You can easily ban yourself, including current active ssh connections.
    • To unban:
hostname # iptables -n -D fail2ban-fusionpbx 1

Keep yourself from getting banned.

add to /etc/fail2ban/jail.local 

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3
Retrieved from "http://wiki.fusionpbx.com/index.php?title=Fail2Ban&oldid=822"