
I'm trying to get fail2ban running on CentOS 7 (no SELinux), which uses firewalld. My goal is to set it up to ban Asterisk password failures.

Setup was the default yum install fail2ban.

Config-wise I ONLY added jail.local with the following:

[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
destemail = xx@xxx.com
sender = donotreply@xxx.com


[asterisk]
enabled = true
#filter = asterisk
#logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 86400

Now when I reboot the fail2ban service I get fail2ban.log entries like this:

2015-04-26 13:35:18,149 fail2ban.server         [2820]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-04-26 13:35:18,151 fail2ban.database       [2820]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-04-26 13:35:18,158 fail2ban.jail           [2820]: INFO    Creating new jail 'asterisk'
2015-04-26 13:35:18,182 fail2ban.jail           [2820]: INFO    Jail 'asterisk' uses systemd
2015-04-26 13:35:18,213 fail2ban.jail           [2820]: INFO    Initiated 'systemd' backend
2015-04-26 13:35:18,220 fail2ban.filter         [2820]: INFO    Set maxRetry = 5
2015-04-26 13:35:18,222 fail2ban.actions        [2820]: INFO    Set banTime = 86400
2015-04-26 13:35:18,223 fail2ban.filter         [2820]: INFO    Set findtime = 600
2015-04-26 13:35:18,309 fail2ban.filtersystemd  [2820]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2015-04-26 13:35:18,331 fail2ban.jail           [2820]: INFO    Jail 'asterisk' started
2015-04-26 13:35:18,488 fail2ban                [2820]: CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/fail2ban/server/jailthread.py", line 64, in run_with_except_hook
    run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 244, in run
    *self.formatJournalEntry(logentry))
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 172, in formatJournalEntry
    'SYSLOG_PID', logentry['_PID']))
KeyError: '_PID'
2015-04-26 13:35:19,211 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.129.1.26
2015-04-26 13:35:19,534 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.83.187.182

I don't understand what is missing. Those 2 "ban" actions in the log are not actually happening (I still see attempts from those IPs in the Asterisk logs).

katit
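The traceback in the question ends in KeyError: '_PID' inside formatJournalEntry, at a line of the form logentry.get('SYSLOG_PID', logentry['_PID']). That pattern has a Python pitfall: the default argument of dict.get is evaluated before get is called, so a journal entry that carries no _PID field raises KeyError even when SYSLOG_PID is present, and because the exception is unhandled the whole filter thread dies. The following is an added example, not fail2ban's own code: the journal entries and the "Wrong password" regex are constructed here for illustration, and format_strict only reproduces the failing pattern from the traceback while format_tolerant shows the defensive alternative.

```python
# Added example (not fail2ban's code): how a systemd journal entry without a
# _PID field kills a strict formatter, and a tolerant variant that keeps the
# filter loop alive so later entries are still checked.
import re
from datetime import datetime

# Constructed journal entries shaped like the dicts a journal reader yields.
# The second one deliberately lacks _PID and SYSLOG_PID, which is the
# situation behind the KeyError in the question's traceback.
SAMPLE_ENTRIES = [
    {
        "__REALTIME_TIMESTAMP": datetime(2015, 4, 26, 13, 35, 18),
        "SYSLOG_IDENTIFIER": "asterisk",
        "SYSLOG_PID": 1234,
        "_PID": 1234,
        "MESSAGE": "NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10>'"
                   " failed for '198.51.100.7:5060' - Wrong password",
    },
    {
        "__REALTIME_TIMESTAMP": datetime(2015, 4, 26, 13, 35, 19),
        "SYSLOG_IDENTIFIER": "asterisk",
        "MESSAGE": "NOTICE[1234] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.10>'"
                   " failed for '198.51.100.8:5060' - Wrong password",
    },
]


def format_strict(entry):
    """Pattern visible in the traceback: dict.get(key, default) evaluates the
    default eagerly, so entry['_PID'] raises KeyError whenever _PID is absent."""
    pid = entry.get("SYSLOG_PID", entry["_PID"])
    return "%s[%s]: %s" % (entry["SYSLOG_IDENTIFIER"], pid, entry["MESSAGE"])


def format_tolerant(entry):
    """Same output for complete entries, but every metadata field is optional."""
    ident = entry.get("SYSLOG_IDENTIFIER") or entry.get("_COMM") or "unknown"
    pid = entry.get("SYSLOG_PID", entry.get("_PID"))
    prefix = "%s[%s]" % (ident, pid) if pid is not None else ident
    return "%s: %s" % (prefix, entry["MESSAGE"])


# Constructed regex for the classic chan_sip "Wrong password" notice. This is
# NOT fail2ban's asterisk failregex; it only shows how a formatted line is
# turned into a source host to act on.
WRONG_PASSWORD_RE = re.compile(
    r"Registration from '.*' failed for '(?P<host>[0-9.]+)(?::\d+)?' - Wrong password"
)


def failed_hosts(entries, formatter=format_tolerant):
    """Format each entry like a log line and collect hosts of failed registrations.
    With format_strict the second sample entry raises KeyError and the loop
    aborts, mirroring the dead jail thread in the question."""
    hosts = []
    for entry in entries:
        line = formatter(entry)
        m = WRONG_PASSWORD_RE.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def crashes_on(entries, formatter):
    """True if the formatter cannot process all entries (the failure mode above)."""
    try:
        failed_hosts(entries, formatter)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print(crashes_on(SAMPLE_ENTRIES, format_strict))      # True
    print(failed_hosts(SAMPLE_ENTRIES, format_tolerant))  # ['198.51.100.7', '198.51.100.8']
```

Note that with the strict formatter only the first host is ever seen before the thread dies, so the second failed registration is never counted, whatever maxretry is set to.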

2 Answers


In your asterisk configuration block, you have the filter and logpath options remarked out. That is likely why the app is complaining. Verify the paths and unremark those two blocks.

MichelV69

I think you are heading down the wrong path here. Asterisk is moving away from simple security event logging (to a flat file) and instead moving towards security events through the AMI. Consider blocking based on AMI events, and NOT on the security log. There are a number of free alternatives to fail2ban (look at http://www.voip-info.org/wiki/view/Asterisk+security for examples).

More importantly, with Asterisk changing from SIP to PJSIP the logging messages have changed (and are still changing), so you will regularly have to keep updating your regex entries, or security events may slip past your fail2ban settings. This is a whack-a-mole approach...

TSG
Yes, what you mentioned. And even though I got f2b running, it was less than ideal. I just closed it out and all remote phones connected over VPN. – katit Jun 15 '15 at 15:25