Fail2ban --- Dicko, help needed pls

Discussion in 'General' started by Amphibian, Jan 22, 2011.

  1. Amphibian

    Joined:
    Sep 8, 2009
    Messages:
    1,128
    Likes Received:
    2
    Mr. Dicko,

    I have installed fail2ban and it appears to be working with the exception that I continue to see in my fail2ban log the following error message: "Unable to get failures in /var/log/asterisk/fail2ban"

    I am seeing where it is banning IP addresses, but I'm not sure I know what it is looking for in this file so that I can correct the problem. Any suggestions, maybe?

    Thanks Sir

    Amphibian
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    It would seem to be generated by the function getfailures line 384 in

    http://www.fail2ban.org/docs/filter_8py-source.html

    it should probably not be

    /var/log/asterisk/fail2ban

    but


    /var/log/fail2ban.log

    or

    /var/log/asterisk/full

    I would double/triple check all the spelling in /etc/fail2ban/jail.conf and
    /etc/fail2ban/fail2ban.conf

    perhaps post a fuller part of the log?

    and perhaps the issue of

    ls -las /var/log/fail2ban*


    regards

    dicko
     
  3. Amphibian

    Joined:
    Sep 8, 2009
    Messages:
    1,128
    Likes Received:
    2
    Thank you Sir,

    I found after reading your post that the jail.conf had it listed as /var/log/asterisk/fail2ban, and the fail2ban.conf has it listed as /var/log/fail2ban.log.

    So I just changed the jail.conf to be the same as the fail2ban.conf.

    I think I may understand what is being accomplished. Will see if it's right.


    Once again you have been very helpful.

    Have a great day.


    Amphibian
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I suggest your clause for asterisk in jail.conf should be much like:-



    [asterisk-iptables]

    enabled = true
    filter = asterisk
    action = iptables-allports[name=ASTERISK, protocol=all]
             sendmail-whois[name=ASTERISK, dest=you@you.com, sender=fail2ban@elastix.you.com]
    logpath = /var/log/asterisk/full
    maxretry = 5
    bantime = 18000


    That way fail2ban will parse /var/log/asterisk/full for errors. Those errors will end up in /var/log/fail2ban.log (defined in /etc/fail2ban/fail2ban.conf).

    good luck

    dicko
     
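As an added illustration of what the jail stanza above makes fail2ban do (this is example code written for this page, not code from the thread or from fail2ban itself): the filter's failregex is applied to every line of /var/log/asterisk/full, hits are counted per source address inside a sliding findtime window (fail2ban's default is 600 seconds), and a host that reaches maxretry hits is banned for bantime seconds. Assumptions: the failregex is a cut-down version of the "Registration ... failed" pattern from fail2ban's filter.d/asterisk.conf (the filter file installed on the box is authoritative), the year for Asterisk's year-less timestamps is taken as 2011, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a cut-down version of the "Registration ... failed" failregex in
# fail2ban's filter.d/asterisk.conf. Only the SIP registration NOTICE is covered;
# the optional ':port' suffix newer Asterisk versions append to the host is tolerated.
FAILREGEX = re.compile(
    r"NOTICE.*: Registration from '.*' failed for "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)"
)

# Asterisk's "full" log prefixes each line with "[Mon DD HH:MM:SS]" and no year.
TS_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\]")


def parse_ts(line, year=2011):
    """Timestamp of an Asterisk full-log line; the year is assumed (Asterisk does not log it)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no Asterisk timestamp: %r" % line)
    return datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry=5, findtime=600, bantime=18000):
    """Replay the jail over log lines.

    A host is banned once it has `maxretry` failregex hits inside a sliding
    `findtime` window (seconds). Returns {host: (ban_time, unban_time)}.
    Simplification: a host is banned at most once per replay; real fail2ban
    keeps counting after the ban.
    """
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(line)
        hits = window[host]
        hits.append(ts)
        # drop hits that fell out of the findtime window
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry and host not in bans:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
            hits.clear()
    return bans


# Constructed sample of /var/log/asterisk/full lines (not real traffic):
# 203.0.113.9 fails 5 times but spread over 13 minutes, so it never has 5 hits
# inside 600 s; 192.0.2.10 fails 5 times in 14 s; 198.51.100.7 fails only twice.
SAMPLE_LOG = """\
[Jan 22 10:00:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '203.0.113.9' - Wrong password
[Jan 22 10:03:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '203.0.113.9' - Wrong password
[Jan 22 10:06:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '203.0.113.9' - Wrong password
[Jan 22 10:09:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '203.0.113.9' - Wrong password
[Jan 22 10:13:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '203.0.113.9' - Wrong password
[Jan 22 10:15:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '192.0.2.10' - Wrong password
[Jan 22 10:15:03] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '192.0.2.10' - No matching peer found
[Jan 22 10:15:06] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@10.0.0.5>' failed for '192.0.2.10' - Wrong password
[Jan 22 10:15:09] VERBOSE[2345] logger.c:     -- Registered SIP '200' at 10.0.0.20 port 5060
[Jan 22 10:15:12] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@10.0.0.5>' failed for '192.0.2.10' - Wrong password
[Jan 22 10:15:15] NOTICE[2345] chan_sip.c: Registration from '"104" <sip:104@10.0.0.5>' failed for '192.0.2.10' - Wrong password
[Jan 22 10:16:40] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '198.51.100.7' - Wrong password
[Jan 22 10:40:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '198.51.100.7' - Wrong password
"""

if __name__ == "__main__":
    for host, (since, until) in find_bans(SAMPLE_LOG.splitlines()).items():
        print("%s banned at %s until %s" % (host, since, until))
```

Running it with the stanza's values (maxretry 5, bantime 18000) bans only 192.0.2.10; lowering maxretry to 3 also catches the slow attacker at 203.0.113.9, which is the trade-off the findtime/maxretry pair controls. The same replay against your own /var/log/asterisk/full is a quick way to confirm the filter actually matches the log format your Asterisk version writes before trusting the jail.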
  5. Amphibian

    Joined:
    Sep 8, 2009
    Messages:
    1,128
    Likes Received:
    2
    Thank you Sir,

    Will change as noted.


    Have a great evening,

    Amphibian
     
  6. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    dicko, Can you tell me how to uninstall fail2ban? I am unable to SSH into my box remotely. Inside the LAN on 22 no problem. /etc/ssh/sshd_config shows port 22. On this box I had installed fail2ban, and then it crashed completely. Rhino was unable to recover the password and we were locked out. I think I did not set up my jails properly. At any rate, I completely reinstalled 1.6. But fail2ban seems to have stuck around, because when I powered the unit down I got the email that said The jail ASTERISK has been started successfully.

    Here is my last log:
    2011-01-25 10:01:03,717 fail2ban.jail : INFO Jail 'asterisk-iptables' stopped
    2011-01-25 10:01:03,720 fail2ban.server : INFO Exiting Fail2ban
    2011-01-25 10:17:49,883 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
    2011-01-25 10:17:49,920 fail2ban.jail : INFO Creating new jail 'asterisk-iptables'
    2011-01-25 10:17:49,922 fail2ban.jail : INFO Jail 'asterisk-iptables' uses poller
    2011-01-25 10:17:50,072 fail2ban.filter : INFO Set maxRetry = 3
    2011-01-25 10:17:50,084 fail2ban.filter : INFO Set findtime = 600
    2011-01-25 10:17:50,088 fail2ban.actions: INFO Set banTime = 600
    2011-01-25 10:17:50,298 fail2ban.jail : INFO Jail 'asterisk-iptables' started


    I can't think of any other reason why remote SSH would be blocked.

    Thanks
     
  7. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    To completely remove the service:


    service fail2ban stop          # stop the running daemon
    chkconfig fail2ban off         # stop it starting at boot
    rm -rf /etc/fail2ban           # configuration (jail.conf, fail2ban.conf, filter.d, action.d)
    rm /etc/init.d/fail2ban        # init script
    rm /var/log/fail2ban*          # its logs

    But I think your problem is elsewhere. You don't show the ssh jail being started, only the asterisk jail; you would only be banned for 10 minutes, and /var/log/fail2ban.log would show you being banned if you broke the asterisk rules more than three times. If you were banned by the asterisk rules, then indeed you would be banned from ssh also.
     
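The check dicko describes (which jails started, and whether fail2ban.log records a ban for the address you are connecting from) as an added example written for this page, not code from the thread or from fail2ban: it replays a fail2ban 0.8-style log, tracks Ban/Unban events per jail, and reports the state of one IP. The log format follows the excerpt above; the Ban and Unban lines and the addresses are constructed for the example and are assumptions about what the 0.8.x actions logger writes.

```python
import re
from datetime import datetime

# fail2ban 0.8 log line, as in the excerpt above: timestamp, component, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"(?P<component>fail2ban\.\w+)\s*: (?P<level>\w+)\s+(?P<msg>.*)$"
)
# Jail lifecycle and ban/unban messages (assumed 0.8.x wording).
JAIL_RE = re.compile(r"^Jail '(?P<jail>[\w-]+)' (?P<state>started|stopped)$")
BAN_RE = re.compile(r"^\[(?P<jail>[\w-]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$")


def replay(lines):
    """Replay fail2ban.log.

    Returns (jails, banned): jails maps jail name to its last known state
    ('started' or 'stopped'); banned maps an IP to (jail, ban time) for every
    Ban not yet followed by an Unban.
    """
    jails, banned = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        msg = m.group("msg")
        jm = JAIL_RE.match(msg)
        if jm:
            jails[jm.group("jail")] = jm.group("state")
            continue
        bm = BAN_RE.match(msg)
        if bm:
            if bm.group("action") == "Ban":
                banned[bm.group("ip")] = (bm.group("jail"), ts)
            else:
                banned.pop(bm.group("ip"), None)
    return jails, banned


def check_ip(lines, ip):
    """One-line verdict for the address you are connecting from."""
    jails, banned = replay(lines)
    if ip in banned:
        jail, since = banned[ip]
        return "banned by jail %s since %s" % (jail, since)
    started = sorted(name for name, state in jails.items() if state == "started")
    return "not banned (jails started: %s)" % (", ".join(started) or "none")


# Constructed sample in the format of the log excerpt above; the Ban/Unban
# lines and addresses are invented for the example.
SAMPLE_LOG = """\
2011-01-25 10:17:49,883 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-01-25 10:17:49,920 fail2ban.jail   : INFO   Creating new jail 'asterisk-iptables'
2011-01-25 10:17:49,922 fail2ban.jail   : INFO   Jail 'asterisk-iptables' uses poller
2011-01-25 10:17:50,088 fail2ban.actions: INFO   Set banTime = 600
2011-01-25 10:17:50,298 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2011-01-25 10:25:12,002 fail2ban.actions: WARNING [asterisk-iptables] Ban 192.0.2.10
2011-01-25 10:31:40,111 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.9
2011-01-25 10:35:12,017 fail2ban.actions: WARNING [asterisk-iptables] Unban 192.0.2.10
"""

if __name__ == "__main__":
    for ip in ("203.0.113.9", "192.0.2.10", "198.51.100.7"):
        print(ip, "->", check_ip(SAMPLE_LOG.splitlines(), ip))
```

If the verdict for your address is "not banned" and the only jail started is asterisk-iptables, fail2ban is not what is blocking port 22 and the cause is elsewhere (routing, sshd_config, another firewall rule). The iptables chain fail2ban creates for the action (named after name=ASTERISK in the stanza) is the other place to look, since a ban that survived a crash would show there even if the log was rotated away.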
  8. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    Thanks. I'd moved the box from a colo with a different gateway and forgot to change it in Networking. But thanks for the directions. This PBX is in production now and I need to get comfy with F2B before I start. Many thanks for your referral to Asternic here over the months. He's great. Bought two things from him so far. More to come.
     