NethServer Version: 7.5.1804
Module: fail2ban
Hi,
I would like to create/enable a jail for asterisk.
In security -> fail2ban there’s no asterisk checkbox.
How can i add this jail without breaking anything else?
2 Likes
@support_team
I found this:
https://www.fail2ban.org/wiki/index.php/Asterisk
Has somebody an idea how to do it?
do you have some evidences of tentative of intrusion in asterisk logs , could be a good start
create a file
vim /etc/e-smith/templates/etc/fail2ban/jail.local/10Asterisk
put this content
[asterisk]
enabled = true
port = 5060,5061
logpath = /var/log/asterisk/messages
maxretry = 3
I suppose that the log file is /var/log/asterisk/messages, please double check
then expand the file
signal-event nethserver-fail2ban-save
verifiy the jail exists
fail2ban-listban
run few days and report, if you want a precise statistic then do
cat /var/lib/nethserver/fail2ban/fail2ban.json
1 Like
Thanks for support!
the log path is /var/log/asterisk/full
I followed your instruction and it works perfectly!
asterisk Jail enabled
- Currently banned: 7 - Total banned after service start: 7
- Banned IP: list of banned ip
Here a sample of bad registration tentative:
[2018-06-27 22:29:47] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“2001” sip:2001@XX.XX.XX.XX’ failed for ‘46.17.41.96:5209’ (callid: 2302148521) - Failed to authenticate
3 Likes
if you uninstall asterisk, think to remove the custom file, please monitor it and we could add it per default
4 Likes
please could you take a look to https://www.fail2ban.org/wiki/index.php/Asterisk
and could you paste the content of /etc/asterisk/logger.conf
The file is all commented.
;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. All modifications to ;
; this file must be done via the web gui. There are alternative files to make ;
; custom modifications, details at: http://freepbx.org/configuration_files ;
;--------------------------------------------------------------------------------;
;
; This file is part of FreePBX.
;
; FreePBX is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 2 of the License, or
; (at your option) any later version.
;
; FreePBX is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with FreePBX. If not, see <http://www.gnu.org/licenses/>.
;
; Copyright (C) 2007 Astrogen LLC (USA)
[general]
#include logger_general_additional.conf
#include logger_general_custom.conf
[logfiles]
#include logger_logfiles_additional.conf
#include logger_logfiles_custom.conf@Stll0 how do you trick freepbx if you need to rewrite a configuration file. It is not a mandatory but the fail2ban team advices to enable the extra logging and use it in fail2ban to ban attackers
needed configurations are in two included logfiles:
/etc/asterisk/logger_general_additional.conf: dateformat=%F %T (which is correct)
and
/etc/asterisk/logger_logfiles_additional.conf: full => debug,error,notice,verbose,warning
in this one we should add security events. This could be done from FreePBX interface -> Settings -> Asterisk logfile settings -> log files
I think that it isn’t very nice to enable it by default for two reason:
- security log is verbose with FreePBX because logs a lot of false positive warnings about dialplan
- changing it means change a mysql row after installation (or change FreePBX installation) and we can’t know if user changed it or if it’s a default setting
We could do it, but since it’s not mandatory and can be easily configured from interface, maybe it’s better to write it in documentation.
What do you think?
3 Likes
if we could break something by adding a new setting, you know the mantra, do not break existing installations. We could document it
What are the news, how many attackers have you banned ?
I could see a /var/log/asterisk/fail2ban what is the content please ?
please could you test
yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-fail2ban-1.0.4-1.6.pr31.g57fccb2.ns7.noarch.rpm
think to remove your custom template
{“TotalBannedIP”:{“sshd-ddos”:1,“recidive”:58,“apache-noscript”:88,“apache-auth”:6,“asterisk-tcp”:2957,“sshd”:1718,“asterisk-udp”:2957}}
It is empty
1 Like
La vache (french translation of wtf)
Did you see the asterisk number of bans :’)
Do you have installed the new rpm ?
1 Like
We are implementing the asterisk jail, is it possible you send me the two logs per email (stephdl at de-labrusse dot org)
/var/log/fail2ban.log
/var/log/asterisk/full
I feel the number of bans a bit high, either you were under a heavy attack, or your users were banned, what do you think ?
did you make some configuration modifications in asterisk also
2 Likes
Give me some days to install the rpm, i’m slightly busy!
the bans are hight, but it’s normal for a public vm!
Hi all
I hope that your holidays are/were good
I need some QA on this topic
thank for your help