Starting fail2ban: [FAILED]

qvs5010

Joined
Jul 20, 2010
Messages
3
Likes
0
Points
0
#1
Hi


I have followd the intructions on
http://www.sunshinenetworks.com.au/how- ... art-1.html

to get fail2ban installed. i have used the configs on the site. but i keep getting error.


[root@voip fail2ban]# fail2ban-client start
WARNING 'action' not defined in 'php-url-fopen'. Using default value
WARNING 'action' not defined in 'lighttpd-fastcgi'. Using default value
WARNING 'enabled' not defined in 'asterisk-iptables'. Using default value
WARNING 'logpath' not defined in 'asterisk-iptables'. Using default value
WARNING 'filter' not defined in 'asterisk-iptables'. Using default value
WARNING 'action' not defined in 'asterisk-iptables'. Using default value
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR Error in action definition
ERROR Errors in jail 'asterisk-iptables'. Skipping...
[root@voip fail2ban]#



my jail.conf looks like this....

[DEFAULT]
ignoreip = 127.0.0.1

bantime = 600
findtime = 600
maxretry = 3
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=qvs5010@xxxxxx.co.za, sender=fail2ban@xxxxxx.co.za]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
findtime = 300
bantime = 600
ignoreip = 127.0.0.1

and my /etc/fail2ban/filter.d/asterisk.conf

# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*


ignoreregex =


nothing apears in the log file to say what is wrong and what is not working.

Can any body help please :(
 

Lee Sharp

Joined
Sep 28, 2010
Messages
332
Likes
0
Points
0
#2
Well, my jail.conf is much bigger than yours. Is your really that small, or are you just posting the changes? For example,
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.0.0/16

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=lee.sharp@****.net, sender=fail2ban@****.net]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@mail.com]
logpath  = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false
filter	 = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@mail.com]
logpath  = /var/log/postfix.log
bantime  = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@mail.com]
logpath  = /var/log/apache2/error_log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT – tried to register forbidden variable ‘GLOBALS’
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false
port    = http,https
filter  = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

[named-refused-udp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
           sendmail-whois[name=Named, dest=you@mail.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@mail.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=lee.sharp@****.net, sender=fail2ban@****.net]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600
 

qvs5010

Joined
Jul 20, 2010
Messages
3
Likes
0
Points
0
#3
hi

i have found the problem.

had to change
NOTICE.* <HOST> failed to authenticate as '.*'$
to
NOTICE.* .*: <HOST> failed to authenticate as '.*'$


thx for the quick post
 

Lee Sharp

Joined
Sep 28, 2010
Messages
332
Likes
0
Points
0
#4
Those pesky dots and stars... Get you every time. :)
 

sunshinenetworks

Joined
Aug 10, 2010
Messages
12
Likes
0
Points
0
#5
Hi qvs5010,

thanks for finding that typo. It's now been corrected. I have recently added some other articles on how to secure Asterisk ( and Elastix ). Feel free to check them out and please let me know if there are any spelling mistakes / typo's in the code.

Cheers,
sunshinenetworks
 

rlm

Joined
Aug 15, 2012
Messages
3
Likes
0
Points
0
#6
Hi all,

My Fail2ban will not start. I get the following message:

Starting fail2ban: Traceback (most recent call last):
File "/usr/bin/fail2ban-client", line 401, in ?
if client.start(sys.argv):
File "/usr/bin/fail2ban-client", line 370, in start
return self.__processCommand(args)
File "/usr/bin/fail2ban-client", line 180, in __processCommand
ret = self.__readConfig()
File "/usr/bin/fail2ban-client", line 375, in __readConfig
ret = self.__configurator.getOptions()
File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
return self.__jails.getOptions(jail)
File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
ret = jail.getOptions()
File "/usr/share/fail2ban/client/jailreader.py", line 75, in getOptions
ret = self.__filter.read()
File "/usr/share/fail2ban/client/filterreader.py", line 53, in read
return ConfigReader.read(self, "filter.d/" + self.__file)
File "/usr/share/fail2ban/client/configreader.py", line 59, in read
SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
parser.read(resource)
File "/usr/lib64/python2.4/ConfigParser.py", line 267, in read
self._read(fp, filename)
File "/usr/lib64/python2.4/ConfigParser.py", line 490, in _read
raise e
ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/asterisk.conf
[line 6]: ' # Notes.: regex to match the password failures messages in the logfile. The\n'
[line 7]: ' # host must be matched by a group named "host". The tag "<HOST>" can\n'
[line 8]: ' # be used for standard IP/hostname matching and is only an alias for\n'
[line 9]: ' # (?:::f{4,6}?(?P<host>\\S+)\n'
[line 10]: ' # Values: TEXT\n'


Any ideas? I have gone through the previous posts.


asterisk.conf:

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?(?P<host>\S+)
# Values: TEXT

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
NOTICE.*.*: <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Jail.conf:

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, [email=sender=fail2ban@example.org]sender=fail2ban@example.org[/email]]
logpath = /var/log/asterisk/fail2ban
maxretry = 3
bantime = 600
 

Members online

No members online now.

Latest posts

Forum statistics

Threads
30,902
Messages
130,887
Members
17,565
Latest member
omarmenichetti
Top