Fail2Ban

From FusionPBX
Revision as of 19:18, 1 February 2011 by AviMarcus (talk | contribs) (Make FusionPBX log Auth Failures)
Jump to: navigation, search

FreeSwitch

For information about Fail2Ban on FreeSWITCH, see their wiki

FusionPBX

  • Thank AviMarcus!
  • 2011 Feb. 01

Make FusionPBX log Auth Failures

Code added to r794 by Avi Marcus.

Logs

This will log FusionPBX authentication failures to syslog (AUTH_LOG). This file can be in different places depending on how rsyslog, or syslog is configured.

  • Ubuntu
    • /var/log/auth.log

Examples

incorrect username

Feb  1 11:35:11 your_hostname FusionPBX: [w.x.y.z] authentication failed for login_username

incorrect password

Feb  1 12:07:27 your_hostname FusionPBX: [w.x.y.z] authentication failed for superadmin

Setting up Fail2Ban

RegEx

You can test the regex with fail2ban-regex

'[hostname] FusionPBX: \[<HOST>\] authentication failed'

Configuration

Ubuntu

vim /etc/fail2ban/filter.d/fusionpbx.conf

# Fail2Ban configuration file
#
# Author: soapee01
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

add the following to /etc/fail2ban/jail.local

[fusionpbx]

enabled  = true
port     = 80,443
protocol = tcp
filter   = fusionpbx
logpath  = /var/log/auth.log
action   = iptables-allports[name=fusionpbx, protocol=all]
#          sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed


/var/log/fail2ban.log will log this after 3 missed logins.

2011-02-01 12:32:18,151 fail2ban.actions: WARNING [fusionpbx] Ban 192.168.100.1

hostname # iptables -n -L fail2ban-fusionpbx

Chain fail2ban-fusionpbx (1 referecnes)
target    prot opt source        destination
DROP      all  --  192.168.100.1 anywhere
RETURN    all  --  anywhere      anywhere
  • Important
    • You can easily ban yourself, including current active ssh connections.
    • To unban:
hostname # iptables -n -D fail2ban-fusionpbx 1

Keep yourself from getting banned.

add to /etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3