My externally hosted vserver runs Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package manager. The intention is to use fail2ban with the messages file from asterisk, i.e. without iptables. The configuration files for fail2ban are set up according to this howto. When I start fail2ban with /etc/init.d/fail2ban start, no further information is given, so I thought it would work. Later I wondered whether it would first require a /etc/init.d/fail2ban reload or a /etc/init.d/fail2ban restart, and in both cases I get the result "failed!" every time. How could I find out what is going wrong? Note: I'm not very familiar with Linux, I only use it in the context of asterisk.
Fail2Ban works now. The reload has to be done with /usr/bin/fail2ban-client reload and not with /etc/init.d/fail2ban reload (as mentioned in the howto from Voip-Info.org). However, the log indicates that there is still an issue with the mail message (address changed here): Any ideas why the mail message doesn't work? The mail address is on a different server. Could this be the reason?
Note that I tried with different mail addresses. None of them is hosted on the same server:

Code:
# Fail2Ban configuration file
...
# $Revision: 747 $
...
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3
backend = auto

[asterisk-iptables]
enabled = true
filter = asterisk
action = hostsdeny[name=ASTERISK, protocol=all]
         mail-whois[name=ASTERISK, [email protected], [email protected]]
logpath = /var/log/asterisk/messages
# maxretry = 5
# bantime = 259200
maxretry = 3
findtime = 300
bantime = 600
...

All other entries have: enabled = false
Fail2Ban fails to ban! I just had another attack. The settings in jail.conf were for manual testing, as sent before:

Code:
maxretry = 3
findtime = 300
bantime = 600

The log files show the following:

Asterisk
Code:
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found

Fail2ban:
Code:
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR printf %b "Hi,\n The IP 76.76.96.74 has just been banned by Fail2Ban after 11 attempts against ASTERISK.\n\n Here are more information about 76.76.96.74:\n `whois 76.76.96.74`\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" [email protected] returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
...
2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74

There are about 40 attacks per second, whereas fail2ban reacts only at about one-second intervals by reporting "already banned". Fail2ban also added the IP to the file /etc/hosts.deny. Why then hasn't the IP been blocked? Any suggestions/recommendations to get it working?
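The detection side of the post above, as an added example that is not part of this thread and not fail2ban's own code: a small Python replay of what the jail does with /var/log/asterisk/messages (the filter regex applied to the chan_sip "Registration from ... failed for" lines, then maxretry failures within findtime, then bantime). The regex is written for the exact line format quoted above rather than copied from fail2ban's filter.d/asterisk.conf, and the log excerpt, addresses (RFC 5737 documentation ranges), peer names and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip line format quoted in the thread; <host> plays the role of fail2ban's <HOST>.
# Written for this example, not copied from fail2ban's filter.d/asterisk.conf.
FAILREGEX = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})' - No matching peer found$"
)

# Constructed sample of /var/log/asterisk/messages (documentation addresses, not real hosts).
SAMPLE_LOG = """\
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@192.0.2.50>' failed for '192.0.2.10' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@192.0.2.50>' failed for '192.0.2.10' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@192.0.2.50>' failed for '192.0.2.10' - No matching peer found
[2010-05-22 16:04:06] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@192.0.2.50>' failed for '192.0.2.10' - No matching peer found
[2010-05-22 16:04:06] NOTICE[29225] chan_sip.c: Registration from '"200"<sip:200@192.0.2.50>' failed for '198.51.100.7' - No matching peer found
[2010-05-22 16:20:00] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@192.0.2.50>' failed for '192.0.2.10' - No matching peer found
[2010-05-22 16:20:01] WARNING[29225] chan_sip.c: Retransmission timeout reached on transmission
"""


def parse_line(line):
    """Return (timestamp, host) for a failed-registration line, else None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


def evaluate(lines, maxretry=3, findtime=300, bantime=600):
    """Replay the jail: ban a host once maxretry failures fall within findtime seconds,
    report further failures during bantime as 'already banned', then unban."""
    recent = defaultdict(deque)   # host -> timestamps of failures inside the findtime window
    banned_until = {}             # host -> when the current ban expires
    events = []                   # (timestamp, "Ban" | "already banned" | "Unban", host)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # lines the filter does not match are ignored, as in fail2ban
        ts, host = parsed
        if host in banned_until:
            if ts < banned_until[host]:
                events.append((ts, "already banned", host))
                continue
            events.append((banned_until[host], "Unban", host))
            del banned_until[host]
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            events.append((ts, "Ban", host))
            window.clear()
    # Bans still active at the end of the input expire at their scheduled time.
    for host, until in sorted(banned_until.items(), key=lambda kv: kv[1]):
        events.append((until, "Unban", host))
    return events


if __name__ == "__main__":
    for ts, event, host in evaluate(SAMPLE_LOG.splitlines()):
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), event, host)
```

The replay produces the same three kinds of lines as the fail2ban log above (Ban on the third failure, "already banned" for failures that keep arriving, Unban after bantime), which shows that the filter and jail logic are not the problem. What is missing is enforcement: the hostsdeny action only appends the address to /etc/hosts.deny, and TCP wrappers are consulted only by daemons linked against libwrap or started through tcpd. Asterisk's chan_sip receives SIP registrations on UDP port 5060 directly and never looks at hosts.deny, so the "ban" changes nothing on the wire; an iptables action (fail2ban's default in jail.conf) is what actually drops the packets. Running ldd against the asterisk binary and its chan_sip module and looking for libwrap is a quick way to confirm that hosts.deny is irrelevant to it.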
What is the output of

Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c

Code:
grep -h "already banned" /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c

Code:
grep -h "Unban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c

Do they match?
To my understanding, the hosts.allow / hosts.deny files are only for TCP-wrappered apps, which I assume asterisk is not. Why do you try to avoid using iptables?
I'm not sure whether I understand these commands, but they didn't show anything on the CLI. It could also be that I did a reload in the meantime. After the attack I checked the files: hosts.deny was empty and hosts.allow contained the IP that attacked before. I interpreted this to be the result of the action command, which unbanned the IP after 10 min with bantime = 600.
Where is your fail2ban logfile?

Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c

should return a list with the number of BANs per day and which filter was hit, like here with postfix:

Code:
123 [postfix] 2010-05-16
114 [postfix] 2010-05-17
 75 [postfix] 2010-05-18
 45 [postfix] 2010-05-20
104 [postfix] 2010-05-21
100 [postfix] 2010-05-22
103 [postfix] 2010-05-23
 43 [postfix] 2010-05-24

This is normally a good way to see if and what's happening, as you can compare "Ban ", "already banned" and "Unban ". If you got nothing there, fail2ban has never done anything for you, it seems.
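The same per-jail, per-day tally as the grep | awk | sort | uniq -c pipeline in the reply above, as an added Python example that is not part of this thread and not fail2ban's own code, with one extra check the thread's log calls for: the hex value fail2ban 0.8 prints after "returned" in the action ERROR line is the raw wait status of the action command, so it can be decoded into the command's exit code. The log excerpt, addresses (documentation ranges) and mailbox are constructed.

```python
import re
from collections import Counter

# Line shapes seen in the fail2ban 0.8 log quoted in this thread (regexes written for this example).
BAN_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<host>\S+)$"
)
ALREADY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?P<host>\S+) (?P<event>already banned)$"
)
ACTION_ERR_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ fail2ban\.actions\.action: ERROR "
    r"(?P<cmd>.*) returned (?P<status>[0-9a-fA-F]+)$"
)

# Constructed excerpt of /var/log/fail2ban.log (documentation addresses, example.org mailbox).
SAMPLE_LOG = """\
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 192.0.2.10
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR printf %b "Hi, 192.0.2.10 was banned"|mail -s "[Fail2Ban] ASTERISK: banned 192.0.2.10" admin@example.org returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 192.0.2.10 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 192.0.2.10 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 192.0.2.10
2010-05-23 03:10:00,001 fail2ban.actions: WARNING [asterisk-iptables] Ban 198.51.100.7
2010-05-23 03:10:00,500 fail2ban.actions: WARNING [postfix] Ban 203.0.113.9
2010-05-23 03:20:01,002 fail2ban.actions: WARNING [asterisk-iptables] Unban 198.51.100.7
"""


def summarize(lines):
    """Count lines per (jail, date, event), like grep ... | awk '{print $5,$1}' | sort | uniq -c."""
    counts = Counter()
    for line in lines:
        m = BAN_RE.match(line) or ALREADY_RE.match(line)
        if m:
            counts[(m.group("jail"), m.group("date"), m.group("event"))] += 1
    return counts


def ban_unban_balance(counts):
    """Per jail: (bans, unbans). Every Ban should eventually be matched by an Unban."""
    balance = {}
    for (jail, _date, event), n in counts.items():
        bans, unbans = balance.get(jail, (0, 0))
        if event == "Ban":
            bans += n
        elif event == "Unban":
            unbans += n
        balance[jail] = (bans, unbans)
    return balance


def decode_action_status(raw_hex):
    """fail2ban 0.8 logs os.system()'s raw wait status in hex; split it into (exit code, signal)."""
    status = int(raw_hex, 16)
    return (status >> 8) & 0xFF, status & 0x7F


def action_errors(lines):
    """(date, exit code, command) for each action command that failed."""
    out = []
    for line in lines:
        m = ACTION_ERR_RE.match(line)
        if m:
            out.append((m.group("date"), decode_action_status(m.group("status"))[0], m.group("cmd")))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts = summarize(lines)
    for (jail, date, event), n in sorted(counts.items()):
        print("%4d [%s] %s %s" % (n, jail, date, event))
    print("ban/unban per jail:", ban_unban_balance(counts))
    for date, code, cmd in action_errors(lines):
        print(date, "action exited with", code, "->", cmd[:60])
```

On the thread's own log the decoder gives 0x7f00 >> 8 = 127, which is the exit status sh returns when the last command of the pipeline cannot be found; since that last command is mail, the most likely reading (an interpretation, not something the thread states) is that no mail command is installed on the vserver, not that the mailbox lives on another server. On Debian the command comes from a package such as bsd-mailx, and the ban/unban balance in the summary is the quick way to confirm that the jail itself is firing and releasing as expected.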
As mentioned above, only the filter [asterisk-iptables] is enabled. Attacks on the asterisk occur very irregularly. Daily checks of the corresponding log files show that nothing has happened since the last one. I have now changed the parameters in jail.conf to maxretry = 5 and bantime = 259200, thus not specifying a findtime. I will see how fail2ban handles the next attack. I don't have much hope that it will improve. At least I would still be able to see whether fail2ban put the IP into the hosts.deny file or not. However, to my understanding, the log of the last attack actually indicates that the IP was first placed in the hosts.deny file. One finds there the three distinct actions "banned", "already banned" and "unban".