Upgrade Fail2Ban NOW... see page 3 of this thread

wardmundy (Nerd Uno)

Using the suggested setup with the current install of Fail2Ban will cause Fail2Ban to shut down abnormally which will leave you with NO PROTECTION so... hold off until we get a stable solution tested.
 

wardmundy (Nerd Uno)

Fail2Ban 0.8.3 Upgrade

OK. Here's a first cut at a script to upgrade your PBX in a Flash system (only) to Fail2Ban 0.8.3. It has been configured to protect against password attacks in SSH, Apache, and Asterisk SIP. Feedback appreciated.

Log into your server as root, and...
Code:
cd /root
mkdir fail2ban
cd fail2ban
wget http://pbxinaflash.net/source/fail2ban/fail2ban-update
chmod +x fail2ban-update
./fail2ban-update


Once the install finishes, be sure to check whether it's running. You should get two entries with this command:
Code:
ps aux | grep fail2ban-server


If not, restart the service and repeat the test again.
Code:
service fail2ban restart

We strongly recommend that you test all 3 password scenarios, i.e. log into your server 4 times with an incorrect SSH password; log into the FreePBX admin module 4 times with an incorrect maint password; use a softphone and log into a SIP extension on your server 4 times with an incorrect extension password. If you don't get blocked for 30 minutes in every case, there's a problem.
 

tel0p (Guru)

OK

First I ran 'yum install fail2ban' then Ward's instructions (above), then changed the email address(es) in /etc/fail2ban/jail.conf, then ran 'service fail2ban restart' . All seems well.

I'm guessing I need to go in and make sure every one of my extensions has a hard to guess password now otherwise this does no good at all. (Assuming a bot would first try the obvious and get in under the radar in < 5 tries on my SIP port). Am I right?
 

wardmundy (Nerd Uno)

Yep. I'd try extensions 201, 501, and 701. And, if your extension passwords match your extension numbers, you're probably S.O.L.
 

tel0p (Guru)

Well, I wouldn't really be out of luck, I'd just need to be diligent in editing some files in /t*f*t*p, some extensions' 'secrets' in FreePBX and rebooting my endpoints.
 
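Ward's point above, that Fail2Ban buys nothing if a bot can guess an extension's secret inside the retry limit, is something you can check mechanically rather than by eye. The script below is an added example and is not code from this thread, from PBX in a Flash or from FreePBX: it parses Asterisk-style config text (on a PIAF box the FreePBX-generated extension and trunk secrets are assumed to live in /etc/asterisk/sip_additional.conf and /etc/asterisk/iax_additional.conf) and flags secrets that equal the extension number, are digits only, are short, or are well-known defaults. The minimum length, the list of common secrets and the sample config are the example's own assumptions.

```python
import re
import sys

# Audit policy for this example (assumptions, not PIAF or FreePBX settings).
MIN_LENGTH = 8
COMMON_SECRETS = {"password", "secret", "asterisk", "1234", "12345", "123456", "0000"}

# FreePBX-generated files holding SIP/IAX secrets on a PIAF box (assumed paths).
DEFAULT_FILES = ["/etc/asterisk/sip_additional.conf", "/etc/asterisk/iax_additional.conf"]


def parse_asterisk_conf(text):
    """Parse Asterisk-style config text into {section: {key: value}}.

    Handles [name] and [name](!) template headers, ';' comments and both
    'key=value' and 'key => value'.  A repeated key keeps its last value.
    Only what the audit needs, not a complete Asterisk config parser.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.lstrip(">").strip()
    return sections


def weak_secret_reasons(name, secret):
    """List why a secret is weak for section 'name'; an empty list means it passed."""
    if not secret:
        return ["empty secret"]
    reasons = []
    if secret == name:
        reasons.append("secret equals the extension number")
    if secret.isdigit():
        reasons.append("digits only")
    if len(secret) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if secret.lower() in COMMON_SECRETS:
        reasons.append("well-known default")
    return reasons


def audit_secrets(text):
    """Map every section with a weak 'secret' to its list of reasons."""
    findings = {}
    for name, options in parse_asterisk_conf(text).items():
        if "secret" not in options:
            continue
        reasons = weak_secret_reasons(name, options["secret"])
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample in the shape of sip_additional.conf; not from a real system.
SAMPLE_CONF = """
[201]
type=friend
secret=201
host=dynamic
context=from-internal

[501]
type=friend
secret=1234        ; four digits, guessed in well under five tries
host=dynamic

[701]
type=friend
secret=Xq7!vR2p#mLz9
host=dynamic

[trunk-out](!)
type=peer
host => sip.example.net
secret => password
"""

if __name__ == "__main__":
    # With no arguments the constructed sample is audited; pass config paths to audit a box.
    paths = sys.argv[1:]
    text = "".join(open(p).read() for p in paths) if paths else SAMPLE_CONF
    for name, reasons in sorted(audit_secrets(text).items()):
        print("%s: %s" % (name, "; ".join(reasons)))
```

Run it as root with the two FreePBX files as arguments; anything it prints is an account a dictionary bot can take over without ever tripping the Fail2Ban counter, so those secrets need changing in FreePBX (and on the phones) before the jail is worth much.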

tabbertmj (Member)

I followed the instructions, but now when I log in to the server, it shows "Fail2Ban" offline. When I start the service, then log off, and log back in, it shows offline again. I went and tried the upgrade again, same thing.

Any thoughts?
 

wardmundy (Nerd Uno)

First, it wouldn't have let you install it again unless you did something horribly wrong the first time. Use the directions provided above for testing. Ignore the fail2ban status message which currently reports on the old version... which, of course, is gone.
 

tabbertmj (Member)

It did allow me to do it again. And it still shows offline when I log in.
 
(member, joined Nov 2, 2007)

I'll keep digging, but I am having an issue

Code:
2008-10-13 16:22:48,718 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100

So, I did get a ban on Apache. And (it might not mean anything) the status display shows fail2ban as offline... I think it is running.
 

jroper (Guru)

The output of

ps aux | grep fail2ban

should confirm whether it is running.

Joe
 
(member, joined Nov 2, 2007)

It looks like it is running...

Code:
root      2640  0.0  0.3  10064  1728 ?        S    Oct05   0:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
root     32418  0.0  0.1   3920   676 pts/0    R+   06:31   0:00 grep fail2ban
 

Hat (Guru)

Everything works per the instructions, thanks Ward. The question I have about this update is that it covers SIP but not IAX extensions. Isn't an IAX extension subject to a "brute force" password attack like SIP is?

Thanks
Tom
 

TDF (New Member)

It's looking for messages in the logs in any of these formats:
Code:
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* <HOST> failed to authenticate as '.*'$

I assume IAX gives the same messages, you could always test it out.
 

Hat (Guru)

I did try with IAX via Zoiper. After 5 incorrect login attempts, I used the correct password and was able to register. Just curious as to differences between SIP and IAX with respect to this security issue.

Tom
 

TDF (New Member)

You're right, there's a different notice for IAX:

Code:
[Oct 15 17:33:02] NOTICE[22773] chan_iax2.c: No registration for peer '5000' (from 192.168.1.12)

It needs something like this

edit: see Ward's post
 

wardmundy (Nerd Uno)

Try adding the following line to /etc/fail2ban/filter.d/asterisk.conf in the failregex= section (about line 30):
Code:
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)


And then...

service fail2ban restart
 

Hat (Guru)

Ok, so I added the additional code line that Ward listed to cover IAX extensions, still no joy. I checked the asterisk full log and the notices I get are listed below.
Code:
[2008-10-15 22:32:56] NOTICE[2914] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (15c6135b2e18b28d721acbd36tb24b9c != b1f421792d50f69c62d65cd5b68c681b)
[2008-10-15 22:33:26] NOTICE[2919] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (3fe2e00a7671a2fb4f42s22d62753ce7 != 2b91e72d34357d3d7cd529c76de13e7d)
[2008-10-15 22:33:56] NOTICE[2915] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (8748b14c143d81c4fd6f0t5bd34cab8c != d0772e6d6958e9c87b076f0004830eff)
[2008-10-15 22:34:26] NOTICE[2921] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (41684d62gh1b21b9803e2c3d593c59c9 != 8637ee588617388472fbc85703f471c4)
[2008-10-15 22:34:56] NOTICE[2916] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (b6f29bf6c9b7b0544c03725b7d68337f != 46bb74ec67ca4f59020251e908fa2511)
[2008-10-15 22:35:26] NOTICE[2914] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (388ff2b4db63d5ccbf300972eb9f8230 != d0be9b56b3bf4d06add919eda979b7b0)
[2008-10-15 22:35:56] NOTICE[2919] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (9d378832bec45298c3dbcfef41ee9b2a != 346a7708be3f6da50efc7840f8650734)
[2008-10-15 22:36:26] NOTICE[2915] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (370ec3e9a44784g7124bdd6888bb95d8 != e95ecbe090d60a653261b898475fb3a4)
[2008-10-15 22:36:56] NOTICE[2921] chan_iax2.c: Host 172.16.24.2 failed MD5 authentication for '204' (1df0e55734ddf32e846adc8cdf52c616 != 4c8908f511ed07fce73a65f91d81a553)

So would I enter something like this line in /etc/fail2ban/filter.d/asterisk.conf?
Code:
NOTICE.* <HOST> failed MD5 authentication for '.*'


Tom
 
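The back-and-forth above about which failregex lines actually fire is what fail2ban-regex, shipped with Fail2Ban 0.8, is for: run it as fail2ban-regex with the log file as the first argument and the filter file (or a single regex) as the second, and it reports how many lines each pattern matched. The Python below is an added example, not code from this thread or from Fail2Ban itself. It reproduces the core of Fail2Ban's matching (the <HOST> token expanded to the named group Fail2Ban 0.8 uses, each line searched against the failregex list) plus the maxretry/findtime sliding window, and runs it over constructed Asterisk "full" log lines for the three notices discussed above: SIP "Wrong password", IAX "No registration for peer" and IAX "failed MD5 authentication". It also keeps two plausible-looking patterns that never fire, so you can see why: unescaped parentheses turn "(from <HOST>)" into a regex group instead of literal brackets, and a trailing $ fails on the MD5 line because that line continues with the hash pair. Timestamp handling is simplified to the [YYYY-MM-DD HH:MM:SS] prefix, and maxretry=5, findtime=600 and the addresses are the example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2Ban 0.8 expands the <HOST> token to this named group (from the 0.8 source).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The SIP lines from filter.d/asterisk.conf quoted in the thread, plus IAX2 lines
# for the two chan_iax2.c notices shown above.  Parentheses are escaped so they
# match the literal "(from ...)"; the MD5 line carries no trailing $ because the
# log line continues with "(hash != hash)".
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*'",
]

# Plausible-looking variants that never match: unescaped group; $ on a line that goes on.
BROKEN_PATTERNS = [
    r"NOTICE.* .*: No registration for peer '.*' (from <HOST>)",
    r"NOTICE.* <HOST> failed MD5 authentication for '.*'$",
]

TIME_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def pattern_matches(pattern, line):
    return re.search(pattern.replace("<HOST>", HOST_RE), line) is not None


def match_host(compiled, line):
    """Host captured by the first failregex that matches, or None (line ignored)."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_asterisk_time(line):
    """Timestamp of an Asterisk 'full' log line ([YYYY-MM-DD HH:MM:SS] prefix only)."""
    m = TIME_RE.match(line)
    if not m:
        raise ValueError("no recognised timestamp: %r" % line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")


def count_matches(lines, compiled):
    """Failures per host over the whole log, ignoring time (what fail2ban-regex reports)."""
    counts = defaultdict(int)
    for line in lines:
        host = match_host(compiled, line)
        if host:
            counts[host] += 1
    return dict(counts)


def simulate_bans(lines, compiled, maxretry=5, findtime=600):
    """Hosts that reach maxretry failures within a findtime-second sliding window."""
    recent = defaultdict(list)
    banned = []
    for line in lines:
        host = match_host(compiled, line)
        if host is None:
            continue
        ts = parse_asterisk_time(line)
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def _stamp(seconds):
    base = datetime(2008, 10, 15, 22, 30, 0)  # arbitrary base time for the sample
    return (base + timedelta(seconds=seconds)).strftime("[%Y-%m-%d %H:%M:%S]")


# Constructed sample log: documentation/private addresses, fake hashes.
SAMPLE_LOG = (
    # 5 IAX MD5 failures 30 s apart from one host: inside findtime, gets banned
    [_stamp(30 * i) + " NOTICE[2914] chan_iax2.c: Host 172.16.24.2 failed MD5 "
     "authentication for '204' (%s != %s)" % ("a" * 32, "b" * 32) for i in range(5)]
    # 5 unknown-peer failures 4 min apart: never 5 inside a 600 s window
    + [_stamp(240 * i) + " NOTICE[22773] chan_iax2.c: No registration for peer '5000' "
       "(from 198.51.100.9)" for i in range(5)]
    # 2 SIP wrong-password failures: below maxretry
    + [_stamp(100) + " NOTICE[3001] chan_sip.c: Registration from '\"201\" <sip:201@203.0.113.7>' "
       "failed for '203.0.113.7' - Wrong password",
       _stamp(160) + " NOTICE[3001] chan_sip.c: Registration from '\"201\" <sip:201@203.0.113.7>' "
       "failed for '203.0.113.7' - Wrong password",
       # a successful registration must not count as a failure
       _stamp(200) + " VERBOSE[3001] chan_sip.c:     -- Registered SIP '201' at 192.0.2.10 port 5060"]
)

if __name__ == "__main__":
    compiled = compile_failregex(FAILREGEX)
    print("failures per host:", count_matches(SAMPLE_LOG, compiled))
    print("banned:", simulate_bans(SAMPLE_LOG, compiled))
    for p in BROKEN_PATTERNS:
        print("matches anything:", any(pattern_matches(p, l) for l in SAMPLE_LOG), p)
```

Two things the run makes visible that the thread's manual testing does not: a pattern can be syntactically valid and still match nothing, which is why every new failregex line should be checked against real log lines with fail2ban-regex before the service is restarted; and a host that spaces its attempts wider than findtime never bans, so a low findtime trades false positives for a slower attacker getting through.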
