Closed fa-at-pulsit closed 3 years ago
I have just tried it with a custom configuration
```
...
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root@localhost, sender=fail2ban@localhost]
logpath = /var/log/asterisk/security
maxretry = 10
findtime = 86400
bantime = 864000
...
```
and after reload, everything worked as expected.
Hi,
Thank you for the feedback...
Have you edited a fail2ban config file inside the container? Which file?
Can you paste the output of the following command?
```
docker exec -it izpbx cat /etc/fail2ban/jail.d/99-local.conf
```
Thank you,
Kind regards
Hi, I put it exactly in 99-local.conf, just before your default config for asterisk
```
[DEFAULT]
# whitelist the following IP
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
bantime=300
findtime=3600
maxretry=10
banaction = iptables-allports
destemail = root@localhost
sender = fail2ban@localhost.localdomain
## ban and send a report email
#action = %(action_mwl)s
## ban without sending email
action = %(action_)s
# logs override
logtarget = /var/log/fail2ban/fail2ban.log
apache_error_log = /var/log/httpd/*error*log
apache_access_log = /var/log/httpd/*access*log
## uncomment the following to enable all jails
#enabled = true
# find and block addresses that persistently repeat attacks
[recidive]
enabled=true
logpath = /var/log/fail2ban/fail2ban.log
action = %(action_mwl)s
protocol = all
bantime=1814400
findtime=15552000
maxretry=10
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root@localhost, sender=fail2ban@localhost]
logpath = /var/log/asterisk/security
maxretry = 10
findtime = 86400
bantime = 864000
## if enabled=true is not defined globally,
## list every single jail that must be enabled
[asterisk]
enabled=true
logpath=/var/log/asterisk/security
[freepbx]
enabled = true
logpath = /var/log/asterisk/freepbx_security.log
[apache-auth]
enabled = true
[apache-badbots]
enabled = true
[apache-noscript]
enabled = true
[apache-overflows]
enabled = true
[apache-nohome]
enabled = true
[apache-botsearch]
enabled = true
[apache-fakegooglebot]
enabled = true
[apache-shellshock]
enabled = true
```
And you can see this config works, the default does not (see below). Maybe this occurs because of the wrong sender (fail2ban@localhost.localdomain)?!
```
fail2ban-server status asterisk-iptables
Status for the jail: asterisk-iptables
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 44301
|  `- File list: /var/log/asterisk/security
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 63.143.35.74

fail2ban-server status asterisk
Status for the jail: asterisk
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/asterisk/security
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
```
And one other thing: maybe it is a good idea to integrate AbuseIPDB with Fail2Ban - https://www.abuseipdb.com/fail2ban.html
Hi,
I tried it again; something is wrong with the predefined action for the asterisk jail.
If I insert `action = iptables-allports[name=ASTERISK, protocol=all]` in the `[asterisk]` section, then all worked as expected
Hi,
This is strange, `iptables-allports` is already used inside the `[DEFAULT]` section...
I'll try further by deploying a new installation.
Should be fixed by https://github.com/ugoviti/izdock-izpbx/commit/92b9a8fdc921e1ab6999fe602aef9f9c083158ff and released as 18.15.7, can you test?
Thank you
After a fresh install, I have a strange behavior of fail2ban, no ban, no action. I have installed izpbx on RancherOS v1.5.6, started with docker-compose, with
no warnings or errors in `/var/log/fail2ban/fail2ban.log`
in asterisk security log is set for `/var/log/asterisk/security`
`iptables -L`
fail2ban-server version 0.11.1
`fail2ban-server status asterisk`
currently in asterisk (some bruteforce) in `/var/log/asterisk/security`
but fail2ban filter worked properly
`fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf`
Any ideas what it can be? Thanks in advance!