Fail2ban --- Dicko, help needed pls

Amphibian

Joined
Sep 8, 2009
Messages
1,128
Likes
2
Points
38
#1
Mr. Dicko,

I have installed fail2ban and it appears to be working with the exception that I continue to see in my fail2ban log the following error message: "Unable to get failures in /var/log/asterisk/fail2ban"

I am seeing where it is banning IP addresses, I'm not sure I know what it is looking for in this file so that I can correct the prob. Any suggestions maybe????

Thanks Sir

Amphibian
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#2
It would seem to be generated by the function getfailures line 384 in

http://www.fail2ban.org/docs/filter_8py-source.html

it should probably not be

/var/log/asterisk/fail2ban

but


/var/log/fail2ban.log

or

/var/log/asterisk/full

I would double/triple check all the spelling in /etc/fail2ban/jail.conf and
/etc/fail2ban/fail2ban.conf

perhaps post a fuller part of the log?

and perhaps the issue of

ls -las /var/log/fail2ban*


regards

dicko
 

Amphibian

#3
Thank you Sir,

I found after reading your post that the jail.conf had it listed as /var/log/asterisk/fail2ban, and the fail2ban.conf has it listed as /var/log/fail2ban.log.

So I just changed the jail.conf to be the same as the fail2ban.conf.

I think I may understand what is being accomplished. Will see if it's right.


Once again you have been very helpful.

Have a great day.


Amphibian
 

dicko

#4
I suggest your clause for asterisk in jail.conf should be much like:-



[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=you@you.com, sender=fail2ban@elastix.you.com]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 18000


That way fail2ban will parse /var/log/asterisk/full for errors. Those errors will end up in /var/log/fail2ban.log (defined in /etc/fail2ban/fail2ban.conf).

good luck

dicko
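
Added example, not part of the original thread and not fail2ban's own code: a small check for the distinction made in post #4, that a jail's logpath is the service log fail2ban reads while logtarget in fail2ban.conf is the log fail2ban writes. The jail names asterisk-missing and asterisk-selfparse and both sample configs are constructed for illustration.

```python
import configparser
import glob
import os

# Constructed sample configs (not the poster's real files).
SAMPLE_FAIL2BAN_CONF = """
[Definition]
logtarget = /var/log/fail2ban.log
"""

SAMPLE_JAIL_CONF = """
[asterisk-missing]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/fail2ban

[asterisk-selfparse]
enabled = true
filter = asterisk
logpath = /var/log/fail2ban.log

[asterisk-iptables]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/full
"""

def _parse(text):
    # interpolation=None: fail2ban values may contain %(...)s placeholders
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_jails(jail_text, f2b_text, exists=lambda p: bool(glob.glob(p))):
    """Return (jail, logpath, problem) for each enabled jail with a bad logpath."""
    logtarget = _parse(f2b_text).get("Definition", "logtarget", fallback="")
    findings = []
    jails = _parse(jail_text)
    for name in jails.sections():  # [DEFAULT] is not returned as a section
        if not jails.getboolean(name, "enabled", fallback=False):
            continue
        for path in jails.get(name, "logpath", fallback="").split():
            if os.path.normpath(path) == os.path.normpath(logtarget):
                findings.append((name, path, "logpath is fail2ban's own logtarget"))
            elif not exists(path):  # default check also expands wildcards
                findings.append((name, path, "log file not found"))
    return findings
```

On a live system, pass the contents of /etc/fail2ban/jail.conf and /etc/fail2ban/fail2ban.conf and leave `exists` at its default.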
 

Amphibian

#5
Thank you Sir,

Will change as noted.


Have a great evening,

Amphibian
 

franklin

Joined
Oct 22, 2010
Messages
254
Likes
0
Points
0
#6
dicko, Can you tell me how to uninstall fail2ban? I am unable to SSH into my box remotely. Inside the LAN on 22 no problem. /etc/ssh/sshd_config shows port 22. On this box I had installed fail2ban, and then it crashed completely. Rhino was unable to recover the password and we were locked out. I think I did not set up my jails properly. At any rate, I completely reinstalled 1.6. But fail2ban seems to have stuck around, because when I powered the unit down I got the email that said The jail ASTERISK has been started successfully.

Here is my last log:
2011-01-25 10:01:03,717 fail2ban.jail : INFO Jail 'asterisk-iptables' stopped
2011-01-25 10:01:03,720 fail2ban.server : INFO Exiting Fail2ban
2011-01-25 10:17:49,883 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-01-25 10:17:49,920 fail2ban.jail : INFO Creating new jail 'asterisk-iptables'
2011-01-25 10:17:49,922 fail2ban.jail : INFO Jail 'asterisk-iptables' uses poller
2011-01-25 10:17:50,072 fail2ban.filter : INFO Set maxRetry = 3
2011-01-25 10:17:50,084 fail2ban.filter : INFO Set findtime = 600
2011-01-25 10:17:50,088 fail2ban.actions: INFO Set banTime = 600
2011-01-25 10:17:50,298 fail2ban.jail : INFO Jail 'asterisk-iptables' started


I can't think of any other reason why remote SSH would be blocked.

Thanks
 

dicko

#7
To completely remove the service:


service fail2ban stop
chkconfig fail2ban off
rm -rf /etc/fail2ban
rm /etc/init.d/fail2ban
rm /var/log/fail2ban*

But I think your problem is elsewhere: you don't show the ssh jail being started, only the asterisk jail. You would only be banned for 10 minutes, and the /var/log/fail2ban would show you being banned if you broke the asterisk rules more than three times. If you were banned by the asterisk rules, then indeed you would be banned from ssh also.
 

franklin

#8
Thanks. I'd moved the box from a colo with a different gateway and forgot to change it in Networking. But thanks for the directions. This PBX is in production now and I need to get comfy with F2B before I start. Many thanks for your referral to Asternic here over the months. He's great. Bought two things from him so far. More to come.
 
