vicidial.org

[dito]

Hi all,
saw some confused posts turning around firewall and security on vicibox server.
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Vicibox.
When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.
Steps To setup fail2ban working on your system, this will protect from ATTACKS AGAINST ASTERISK, APACHE, AND SSH:

1- fail2ban install:

Code: Select all

yast2 -i fail2ban

2 - configure fail2ban:

Code: Select all

vi /etc/fail2ban/jail.local

add those lines:

# Do all your modifications to the jail's configuration in jail.local!

Code: Select all

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=support@crm.tn, sender=vicibox@crm.tn]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


3 - launch and check fail2ban
launch fail2ban :

Code: Select all

service fail2ban start

check if jails are on:

Code: Select all

fail2ban-client status

you will have to see sth like this:

Code: Select all

Status
|- Number of jail:      5
`- Jail list:   apache-badbots, apache-tcpwrapper, asterisk-iptables, recidive, ssh-iptables


check your mailbox if all is ok you will recieve sth like this:

Advice: add your own ip as ignoreip to avoid risk getting banned from your own server

Code: Select all

ignoreip = 127.0.0.1
ignoreip = yourserverip
ignoreip = yourofficeip

[williamconley]

Cool.

Does this take into account SIP registration attacks?

[dito]

Cool.

Does this take into account SIP registration attacks?

Yes take a look into the jail code above you will see what is exactly parsed from asterisk log.
it's located in
/etc/fail2ban/filter.d/asterisk.conf

Code: Select all

log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching


[williamconley]

How does it handle rotating IP SIP registration attacks?

And how does it handle the situation when a single agent in a call center has a bad password? (Will it lock out the entire call center from that server for one bad password?)

[dito]

How does it handle rotating IP SIP registration attacks?

And how does it handle the situation when a single agent in a call center has a bad password? (Will it lock out the entire call center from that server for one bad password?)

as i said in the first post ignoreip line kind of whitelist ips in "jail.local" not jail.conf
to add the server ip to avoid the ban of the server ip cause some attacks display only server ip "device attack"
then your own adresses.

Code: Select all

ignoreip = 127.0.0.1,5.135.123.123,182.121.123.123,41.321.321.321


[williamconley]

You missed this one:

How does it handle rotating IP SIP registration attacks?

[dito]

You missed this one:

How does it handle rotating IP SIP registration attacks?

didn't know what you meant by rotating my english is not so good..
but rotating (coming back after unban) or rotating changing ip's
there is a jail called recidive after re"attaking the ip is banned for more long time in this example
recidive check each 12 hours if the unbanned ip reattack the ip is banned for 10 weeks

Code: Select all

[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
findtime = 43200   ; 12 hours
maxretry = 5


if rotating = changing ip multiple ip from subnet etcy , you can try replacing <ip> in your action(s) with this:whois <ip> | grep route: | awk '{print $2}'. It will ban the whole subnet according to the whois data, not only /24 which may be not enough.

https://github.com/XaF/fail2ban-subnets

fail2ban-subnets aims to provide a way to ban subnets of IPs repeatingly banned by fail2ban for multiple offenses. It thus uses the fail2ban logfiles and calculates the most restricted subnet to be banned for these IPs. Using the log file generated by fail2ban-subnets, and a new action.d script, we can thus create a specific jail in fail2ban for banning those subnets.

fail2ban-subnets is here to provide what's currently impossible in fail2ban, even if there are issues that are progressing on that side.

[cyberlinux]

Thank you for posting this, and how do I filtered or block all IPs accessing viciserver that have not listed in ignoreip?

[dito]

Thank you for posting this, and how do I filtered or block all IPs accessing viciserver that have not listed in ignoreip?

if you want to block ALL IP's only permit your own ip you don't need fail2ban ... just do it on your iptables.
this fail2ban is in certain way permitting vicibox to be "public"
example of use "homeshoring" with dynamic changing ip's etc...

[dito]

hi there,
someone used my mail in the fail2ban install procedure please change it i am recieving email from your server
server name : BMI
thx

Code: Select all

Hi,

The IP 192.168.1.117 has just been banned by Fail2Ban after
14 attempts against VICIBOX-ASTERISK-DETECTOR.

Regards,


[kashinc]

my jail's are not loading.... I have created the jail.local file but still the output I get is

sudo fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:

[dito]

my jail's are not loading.... I have created the jail.local file but still the output I get is

sudo fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:

Hello,
please provide more informations ... vicibox version you are running under ..
you said you've created jail.local ... in fact if you installed fail2ban you will have to edit it ..
so may be you did the vi un the wrong place the jail.local should be in /etc/fail2ban/
cheers

[kashinc]

vicibox 8.0.1
Asterisk 13.21.0-vici

TEL1:/etc/fail2ban # ls
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.rpmsave jail.d jail.local jail.local.rpmsave paths-common.conf paths-opensuse.conf

TEL1:/etc/fail2ban # cat jail.local
# Do all your modifications to the jail's configuration in jail.local!

[DEFAULT]
ignoreip = 127.0.0.1,12.X.X.X
bantime  = 6048000
findtime = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=admin@xxxxx.com, sender=vicibox@xxxxx.com]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5

[dito]

vicibox 8.0.1
Asterisk 13.21.0-vici

just do

Code: Select all

fail2ban-client reload

then

Code: Select all

fail2ban-client status

best regards

[bigape]

I had to create /var/log/fail2ban.log in order to get fail2ban-0.9.7-3.1.noarch to startup successfully using instructions provided and vicibox 8.01.

[rmathur2588]

Hello Everyone,


I am getting this error message when i try start fail2ban service (service fail2ban start)

ERROR: Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

My Setup:

- ViciBox v.8.0.1
VERSION: 2.14-695a
BUILD: 181116-1133
Hosted on a dedicated server in Frankfurt using OVH Cloud Services.

[williamconley]

See "systemctl status fail2ban.service" and "journalctl -xe" for details.

And when you checked using those method for the error causing the fail ... what did you find?

[rmathur2588]

Command : "systemctl status fail2ban.service"
Output:
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Mon 2018-12-03 18:03:36 EST; 18min ago
Docs: man:fail2ban(1)
Process: 24308 ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start (code=exited, status=255)

Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
Dec 03 18:03:36 vicibox8 systemd[1]: Stopped Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Start request repeated too quickly.
Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'start-limit'.
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Mon 2018-12-03 18:03:36 EST; 18min ago
Docs: man:fail2ban(1)
Process: 24308 ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start (code=exited, status=255)

Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
Dec 03 18:03:36 vicibox8 systemd[1]: Stopped Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Start request repeated too quickly.
Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'start-limit'.


Command : journalctl -xe

Output:
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 820 of user root.
-- Subject: Unit session-820.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-820.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 821 of user root.
-- Subject: Unit session-821.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-821.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 822 of user root.
-- Subject: Unit session-822.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-822.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 823 of user root.
-- Subject: Unit session-823.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-823.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 CRON[6623]: (root) CMD (/usr/share/astguiclient/AST_inbound_email_parser.pl)
Dec 03 18:23:01 vicibox8 CRON[6624]: (root) CMD (/usr/share/astguiclient/AST_VDhopper.pl -q)
Dec 03 18:23:01 vicibox8 CRON[6625]: (root) CMD (/usr/share/astguiclient/ADMIN_keepalive_ALL.pl)
Dec 03 18:23:01 vicibox8 CRON[6627]: (root) CMD (/usr/share/astguiclient/AST_manager_kill_hung_congested.pl)
Dec 03 18:23:01 vicibox8 CRON[6628]: (root) CMD (/usr/share/astguiclient/AST_vm_update.pl)
Dec 03 18:23:01 vicibox8 CRON[6626]: (root) CMD (/usr/share/astguiclient/AST_conf_update.pl)
Dec 03 18:23:01 vicibox8 CRON[6616]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6615]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6614]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6612]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:06 vicibox8 CRON[6611]: pam_unix(crond:session): session closed for user root

[rmathur2588]

I had to create /var/log/fail2ban.log in order to get fail2ban-0.9.7-3.1.noarch to startup successfully using instructions provided and vicibox 8.01.

How you create this log file.

Can you post the instructions for my ref. please.

Thanks in Advance

[williamconley]

Creating a file can be as easy as

Code: Select all

touch /var/log/fail2ban.log

[rmathur2588]

Thanks. I worked like charm.

Cheers!!

[m@rio]

Hi,

I tried this but it doesnt block the IPs who are trying to hack me by SIP registration. Fail2ban is active but i still can see the same IP trying over and over to hack me.
Any ideas?

[williamconley]

fail2ban closes the barn door after the cows have left. you are already on a list of "active sip servers" and will be attacked.

whitelist lockdown is the actual solution. the newest vicibox has a firewall system capable of whitelisting. All OpenSuSE installations with iptables active can whitelist from "yast firewall".

Dynamic Good Guys was published many years ago for easing the use of a whitelisted Vicibox server by adding simplistic web pages to authorize IPs (no cli needed for adding each new good ip address). It also includes instructions for whitelisting without installing ... but then you have to use yast firewall's custom IP authorization to whitelist IPs and subnets.

[m@rio]

The link for Dynamic Good Guys its not working. Do you now where I can find it?

[williamconley]

The link for Dynamic Good Guys its not working. Do you now where I can find it?

WHAT link isn't working?

[waleed]

Ignoreip did not worked. I have entered wrong password of ssh on purpose and it blocked my ip even though i put it in ignore ip.

[rameez.amjad4]

I have installed fail2ban in my server today its Vicibox 8.1.2

Version: 2.14b0.5
SVN Version: 3130
DB Schema Version: 1574
DB Schema Update Date: 2019-08-21 20:46:07
Password Encryption: DISABLED - S1 - C1
Auto User-add Value: 101
Recording Prompt Count: 0
Install Date: 2019-08-21

when i try to execute command " service fail2ban start " i get the following error, please help, Thanks.

Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

journalctl -xe

Aug 21 21:20:43 Eishal systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Unit entered failed state.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Service RestartSec=100ms expired, scheduling restart.
Aug 21 21:20:43 Eishal systemd[1]: Stopped Fail2Ban Service.
-- Subject: Unit fail2ban.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has finished shutting down.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Start request repeated too quickly.
Aug 21 21:20:43 Eishal systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Unit entered failed state.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'start-limit'.
Aug 21 21:20:46 Eishal CRON[7408]: pam_unix(crond:session): session closed for user root

Please help how to fix and get it up & running, Thanks.

[williamconley]

These are the two lines with the real information:

Code: Select all

Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Start request repeated too quickly.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'start-limit'.

How you could have made the request too often is interesting. But I suggest you check for a cause for these two lines and determine if some other process attempted to start it (unless you actually requested the start twice?).

[rameez.amjad4]

Actually I didn't tried to open it twice I just installed and followed the mentioned steps but it's not working can you tell me how to fix it and keep it working ???

[rameez.amjad4]

any one can help to fix this issue?

[rameez.amjad4]

I did installed vicibox 8.1.2 again and still having same issue can some one help me to fix it ?


service fail2ban start
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

=========================================

systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Sat 2019-09-07 17:27:42 EDT; 9s ago
Docs: man:fail2ban(1)
Process: 11469 ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start (code=exited, status=255)

Sep 07 17:27:42 Esha systemd[1]: Failed to start Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Unit entered failed state.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Service RestartSec=100ms expired, scheduling restart.
Sep 07 17:27:42 Esha systemd[1]: Stopped Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Start request repeated too quickly.
Sep 07 17:27:42 Esha systemd[1]: Failed to start Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Unit entered failed state.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Failed with result 'start-limit'.

=========================================

journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-220.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha systemd[1]: Started Session 223 of user root.
-- Subject: Unit session-223.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-223.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha systemd[1]: Started Session 221 of user root.
-- Subject: Unit session-221.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-221.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha CRON[11630]: (root) CMD (/usr/share/astguiclient/AST_conf_update.pl)
Sep 07 17:29:01 Esha CRON[11631]: (root) CMD (/usr/share/astguiclient/AST_vm_update.pl)
Sep 07 17:29:01 Esha CRON[11632]: (root) CMD (/usr/share/astguiclient/AST_VDhopper.pl -q)
Sep 07 17:29:01 Esha CRON[11633]: (root) CMD (/usr/share/astguiclient/AST_manager_kill_hung_congested.pl)
Sep 07 17:29:01 Esha CRON[11634]: (root) CMD (/usr/share/astguiclient/ADMIN_keepalive_ALL.pl)
Sep 07 17:29:01 Esha CRON[11635]: (root) CMD (/usr/share/astguiclient/AST_inbound_email_parser.pl)
Sep 07 17:29:02 Esha CRON[11619]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11620]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11616]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11618]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:07 Esha CRON[11615]: pam_unix(crond:session): session closed for user root

[rameez.amjad4]

Any one can help in resolving issue fail2ban not working with vicibox 8.1.2 , error: quick start

Any help???

[susam]

Hi all,
saw some confused posts turning around firewall and security on vicibox server.
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Vicibox.
When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.
Steps To setup fail2ban working on your system, this will protect from ATTACKS AGAINST ASTERISK, APACHE, AND SSH:

1- fail2ban install:

Code: Select all

yast2 -i fail2ban

2 - configure fail2ban:

Code: Select all

vi /etc/fail2ban/jail.local

add those lines:

# Do all your modifications to the jail's configuration in jail.local!

Code: Select all

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=support@crm.tn, sender=vicibox@crm.tn]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


3 - launch and check fail2ban
launch fail2ban :

Code: Select all

service fail2ban start

check if jails are on:

Code: Select all

fail2ban-client status

you will have to see sth like this:

Code: Select all

Status
|- Number of jail:      5
`- Jail list:   apache-badbots, apache-tcpwrapper, asterisk-iptables, recidive, ssh-iptables


check your mailbox if all is ok you will recieve sth like this:

Advice: add your own ip as ignoreip to avoid risk getting banned from your own server

Code: Select all

ignoreip = 127.0.0.1
ignoreip = yourserverip
ignoreip = yourofficeip

Thanks for such a nice post, I am using 8.0.1 and it is working fine, now I have two questions 1) someone try to register sip account taking my own IP(IP Spoofing) how to block that one and 2) how to block sip port scanning ? I will be grateful if you provide me step by step as same like fail2ban.

[carpenox]

is this fully working on v9? I can get the setup done but I am not receiving banned IP's to my email, only when it stops and starts.... its not bannnig failed attempts...

[carpenox]

OK so I got fail2ban working on vicibox v9.0.3 - it was setting the logs to use "systemd" instead of auto or polling

[IanGP]

Much Appreciated!
Works like a charm on 9.0.3.

Just must remember to set F2B to start at boot:

Code: Select all

chkconfig --add fail2ban

[carpenox]

yea i did it using systemctl but im glad its working for ya