ugoviti / izpbx

izPBX is a Turnkey Cloud Native Telephony System powered by Asterisk Engine and FreePBX Management GUI
GNU General Public License v3.0

fail2ban does nothing #8

Closed fa-at-pulsit closed 3 years ago

fa-at-pulsit commented 3 years ago

After a fresh install, fail2ban behaves strangely: no bans, no actions. I installed izpbx on RancherOS v1.5.6, started with docker-compose, with

cap_add:
  - NET_ADMIN
privileged: true
network_mode: host

no warnings or errors in /var/log/fail2ban/fail2ban.log

the asterisk security log is set to /var/log/asterisk/security

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them

fail2ban-server version 0.11.1

fail2ban-server status asterisk

Status for the jail: asterisk
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:    /var/log/asterisk/security
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

currently in the asterisk log (some brute force)

[2020-12-23 09:49:32] NOTICE[906]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"1006" <sip:1006@XX.XX.XX.XX>' failed for '63.143.35.74:6816' (callid: 4290517180) - Failed to authenticate
[2020-12-23 09:49:33] NOTICE[906]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"1006" <sip:1006@XX.XX.XX.XX>' failed for '63.143.35.74:6816' (callid: 562318303) - Failed to authenticate
[2020-12-23 09:49:33] NOTICE[906]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"1006" <sip:1006@XX.XX.XX.XX>' failed for '63.143.35.74:6816' (callid: 3386000034) - Failed to authenticate
...

in /var/log/asterisk/security

[2020-12-23 09:50:45] SECURITY[959] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2020-12-23T09:50:45.972+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="945605671",LocalAddress="IPV4/UDP/XX.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/63.143.35.74/5697",Challenge="1608717045/a8642900acb187c61e4d86328bef3982",Response="7c28990472d961b8560c99032af55f75",ExpectedResponse=""
[2020-12-23 09:50:45] SECURITY[959] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2020-12-23T09:50:45.986+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="4051990597",LocalAddress="IPV4/UDP/XX.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/63.143.35.74/6816",Challenge="1608717045/a8642900acb187c61e4d86328bef3982",Response="496417b5ee8def0ec8fb0275405d7ced",ExpectedResponse=""
[2020-12-23 09:50:46] SECURITY[959] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2020-12-23T09:50:46.016+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="3386000034",LocalAddress="IPV4/UDP/XX.XX.XX.XX/5060",RemoteAddress="IPV4/UDP/63.143.35.74/6816",Challenge="1608717045/a8642900acb187c61e4d86328bef3982",Response="f53cebe818596d7ec43a81bb5f77c378",ExpectedResponse=""
...

but the fail2ban filter works properly: fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf

Running tests
=============

Use   failregex filter file : asterisk, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/asterisk/security
Use         encoding : UTF-8

Results
=======

Failregex: 8864 total
|-  #) [# of hits] regular expression
|   6) [8864] ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [25657] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-

Lines: 25657 lines, 0 ignored, 8864 matched, 16793 missed
[processed in 2.47 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 16793 lines

Any ideas what it could be? Thanks in advance!
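The fail2ban-regex run above shows the filter half of the jail working (8864 matches on the security log) while the jail itself reports 0 failures and 0 bans, so the two halves are worth testing separately. As an added example, not code from the issue or from izpbx, the Python below replays the asterisk failregex printed above (with fail2ban's <HOST> placeholder expanded by hand) over a few constructed security-log lines in the same format, then applies the maxretry/findtime counting rule to see which hosts the jail would ban. The prefix regex and the sliding-window rule are simplified approximations of fail2ban's, the IP addresses are documentation ranges, and the log lines are hand-written and shortened; the iptables action is deliberately not exercised here. Note that, per the warning in the iptables -L output, rules may live in the legacy tables and only be visible via iptables-legacy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, shortened lines in the format of /var/log/asterisk/security.
# 198.51.100.99 fails slowly (3 failures over 10 minutes), 203.0.113.7 fails
# fast (3 failures in 2 seconds), 192.0.2.5 authenticates once and fails once.
SAMPLE_LOG = """\
[2020-12-23 09:40:00] SECURITY[959] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2020-12-23T09:40:00.000+0000",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1006",SessionID="1",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/198.51.100.99/5060"
[2020-12-23 09:41:00] SECURITY[959] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2020-12-23T09:41:00.000+0000",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1006",SessionID="2",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/198.51.100.99/5060"
[2020-12-23 09:50:00] SECURITY[959] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2020-12-23T09:50:00.000+0000",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1006",SessionID="3",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/198.51.100.99/5060"
[2020-12-23 09:50:45] SECURITY[959] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2020-12-23T09:50:45.972+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="945605671",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5697",Challenge="1608717045/a8642900acb187c61e4d86328bef3982",Response="7c28990472d961b8560c99032af55f75",ExpectedResponse=""
[2020-12-23 09:50:45] SECURITY[959] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2020-12-23T09:50:45.986+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="4051990597",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/6816",Challenge="1608717045/a8642900acb187c61e4d86328bef3982",Response="496417b5ee8def0ec8fb0275405d7ced",ExpectedResponse=""
[2020-12-23 09:50:46] SECURITY[959] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2020-12-23T09:50:46.016+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="3386000034",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/6816",Challenge="1608717045/a8642900acb187c61e4d86328bef3982",Response="f53cebe818596d7ec43a81bb5f77c378",ExpectedResponse=""
[2020-12-23 09:50:47] SECURITY[959] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2020-12-23T09:50:47.000+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="4",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/192.0.2.5/5060",UsingPassword="1"
[2020-12-23 09:50:48] SECURITY[959] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2020-12-23T09:50:48.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1009",SessionID="5",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/192.0.2.5/5060"
"""

# Simplified stand-in for fail2ban's prefregex: strip the bracketed timestamp
# and the "SECURITY[pid] file.c:" prefix; failregex then runs on the remainder.
PREFIX_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] '
    r'(?:NOTICE|SECURITY|WARNING)\[\d+\]:? [^:]+:\d* (?P<content>.+)$'
)

# The failregex from the fail2ban-regex output above. fail2ban's <HOST>
# placeholder is expanded by hand to a named group (approximation).
HOST = r'(?P<host>[\w\-.^_]*\w)'
FAIL_RE = re.compile(
    r'^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
    r'(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?)'
    r',RemoteAddress="IPV[46]/[^/"]+/' + HOST + r'/\d+"'
    r'(?:,(?!RemoteAddress=)\w+="[^"]*")*$'
)


def parse_failures(log_text):
    """Return [(timestamp, host), ...] for each line the filter counts as a failure."""
    failures = []
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("content"))
        if not f:
            continue  # e.g. SuccessfulAuth: not a failure event
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        failures.append((ts, f.group("host")))
    return failures


def filter_stats(log_text):
    """Counts in the spirit of the fail2ban-regex 'Lines: ... matched, ... missed' summary."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    matched = len(parse_failures(log_text))
    return {"lines": len(lines), "matched": matched, "missed": len(lines) - matched}


def hosts_to_ban(failures, maxretry=10, findtime=86400):
    """Replay failures (chronological) with a sliding window of `findtime` seconds.

    A host is banned the first time it has `maxretry` failures inside the
    window. Returns {host: ban_timestamp}. Approximates fail2ban's rule.
    """
    recent = defaultdict(deque)
    banned = {}
    for ts, host in failures:
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(filter_stats(SAMPLE_LOG))
    print("maxretry=3 findtime=300 :", hosts_to_ban(fails, maxretry=3, findtime=300))
    print("maxretry=3 findtime=3600:", hosts_to_ban(fails, maxretry=3, findtime=3600))
```

With maxretry=3 and findtime=300 only the fast attacker (203.0.113.7) is banned; the slow one (198.51.100.99) never has three failures inside a five-minute window and only gets banned when findtime is widened to 3600. If this kind of offline replay matches but the running jail still reports "Total failed: 0", the filter is not the place to keep looking.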

fa-at-pulsit commented 3 years ago

I have just tried it with a custom configuration

...
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root@localhost, sender=fail2ban@localhost]
logpath = /var/log/asterisk/security
maxretry = 10
findtime = 86400
bantime = 864000
...

and after a reload, everything worked as expected.

ugoviti commented 3 years ago

Hi,

thank you for the feedback...

Did you edit a fail2ban config file inside the container? Which file?

Can you paste the output of the following command?

docker exec -it izpbx cat /etc/fail2ban/jail.d/99-local.conf

Thank you,

Kind regards

fa-at-pulsit commented 3 years ago

Hi, I put it exactly in 99-local.conf, just before your default config for asterisk:

[DEFAULT]
# whitelist the following IP
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
bantime=300
findtime=3600
maxretry=10
banaction = iptables-allports

destemail = root@localhost
sender = fail2ban@localhost.localdomain

## ban and send a report email
#action = %(action_mwl)s

## ban without sending email
action = %(action_)s

# logs override
logtarget = /var/log/fail2ban/fail2ban.log
apache_error_log = /var/log/httpd/*error*log
apache_access_log = /var/log/httpd/*access*log

## uncomment the following to enable all jails
#enabled = true

# find and block addresses that repeat their attacks persistently
[recidive]
enabled=true
logpath  = /var/log/fail2ban/fail2ban.log
action   = %(action_mwl)s
protocol = all
bantime=1814400
findtime=15552000
maxretry=10

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root@localhost, sender=fail2ban@localhost]
logpath = /var/log/asterisk/security
maxretry = 10
findtime = 86400
bantime = 864000

## if enabled=true is not defined globally,
## list every single jail that has to be enabled
[asterisk]
enabled=true
logpath=/var/log/asterisk/security

[freepbx]
enabled = true
logpath = /var/log/asterisk/freepbx_security.log

[apache-auth]
enabled = true

[apache-badbots]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true

[apache-nohome]
enabled = true

[apache-botsearch]
enabled = true

[apache-fakegooglebot]
enabled = true

[apache-shellshock]
enabled = true

and you can see this config works, while the default does not (see below). Maybe this occurs because of the wrong sender (fail2ban@localhost.localdomain)?!

fail2ban-server status asterisk-iptables

Status for the jail: asterisk-iptables
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 44301
|  `- File list:    /var/log/asterisk/security
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list:   63.143.35.74

fail2ban-server status asterisk

Status for the jail: asterisk
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:    /var/log/asterisk/security
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

fa-at-pulsit commented 3 years ago

And one other thing: maybe it is a good idea to integrate AbuseIPDB with Fail2Ban - https://www.abuseipdb.com/fail2ban.html

fa-at-pulsit commented 3 years ago

Hi, I tried it again; something is wrong with the predefined action for the asterisk jail. If I insert action = iptables-allports[name=ASTERISK, protocol=all] in the [asterisk] section, then everything works as expected.

ugoviti commented 3 years ago

Hi, this is strange; iptables-allports is already used inside the [DEFAULT] section...

I'll try further deploying a new installation

ugoviti commented 3 years ago

Should be fixed by https://github.com/ugoviti/izdock-izpbx/commit/92b9a8fdc921e1ab6999fe602aef9f9c083158ff and released as 18.15.7; can you test?

Thank you