On 19/10/2016 21:14, Anthony Griffiths wrote:
> On Wed, Oct 19, 2016 at 6:27 PM, Nick Howitt <n...@howitts.co.uk> wrote:
>> You'll want a jail something like:
>>
>> [pbx-gui]
>> enabled = true
>> port = 80,443
>> logpath = /var/log/asterisk/freepbx_security.log*
>> maxretry = 2
>>
>>
>> This assumes a default action of iptables-multiport. I've put a * in the
>> log path to pick up old log files as well.
>>
>> Then filter file /etc/fail2ban/filter.d/pbx-gui with:
>>
>> [INCLUDES]
>> before = common.conf
>>
>> [Definition]
>> failregex = Authentication failure for \S* from <HOST>$
>>
> thanks for your response Nick, I did your suggestions however it
> is still not working, although I think I'm getting close. Please bear
> in mind this is fail2ban-0.9.4-2.el6.noarch and the jail.local file
> looks very different to previous versions. If I do:
> # fail2ban-regex /var/log/asterisk/freepbx_security.log
> /etc/fail2ban/filter.d/pbx-gui.conf
> I get:
>
> Failregex: 56 total
> |- #) [# of hits] regular expression
> | 1) [56] Authentication failure for .* from <HOST>$
>
> so that side of it is working but after repeated failed logins
> fail2ban is not blocking any failed login attempts. The log
> /var/log/fail2ban.log shows:
>
> Creating new jail 'pbx-gui'
> INFO Jail 'pbx-gui' uses pyinotify
> INFO Set jail log file encoding to UTF-8
> Initiated 'pyinotify' backend
> INFO Added logfile = /var/log/asterisk/freepbx_security.log
> INFO Set maxRetry = 2
> INFO Set jail log file encoding to UTF-8
> INFO Set banTime = 600
> INFO Set findtime = 600
> INFO Jail 'pbx-gui' started
>
> I watched /var/log/fail2ban.log while doing the failed logins and it
> just sits there doing nothing and I don't understand why.
>
> I tried your [pbx-gui] example in jail.local, I also tried this:
>
> [pbx-gui]
> enabled = true
> # port = http,https
> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
> protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
> %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
> filter = pbx-gui
> logpath = /var/log/asterisk/freepbx_security.log
> maxretry = 2
>
> but still no joy. Thanks for any further advice. Please reply on list.

From the changelog, 0.9.4 is not much different from 0.9.3 syntax-wise so my jail and filter should be OK. When doing your failed logins, are they from any IP covered by the ignoreip parameter in jail.conf or jail.local? If loglevel is set to INFO you should get an f2b message every time you get a filter hit, but I'm not sure if it is covered by your ignoreip.
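
The ignoreip question raised in the reply above, as an added example that is not part of the thread or of fail2ban's own code: a small offline model showing how a failregex can match every line (as fail2ban-regex reports) while a client inside an ignoreip range, or one whose failures fall outside findtime, is never banned. The log timestamp layout, the sample addresses, the ignoreip values, the simplified `<HOST>` expansion and the function names are all assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# failregex from the thread; <HOST> is replaced by a simplified IPv4 group
# (assumption: fail2ban's real <HOST> expansion also accepts hostnames/IPv6).
FAILREGEX = r"Authentication failure for \S* from <HOST>$"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Constructed log lines; the timestamp layout is an assumption, not taken from FreePBX.
SAMPLE_LOG = """\
[2016-10-19 21:00:01] Authentication failure for admin from 192.168.1.50
[2016-10-19 21:00:09] Authentication failure for admin from 192.168.1.50
[2016-10-19 21:00:15] Authentication failure for root from 203.0.113.7
[2016-10-19 21:00:20] Authentication failure for root from 203.0.113.7
[2016-10-19 21:20:00] Authentication failure for test from 198.51.100.9
[2016-10-19 21:45:00] Authentication failure for test from 198.51.100.9
"""

def is_ignored(ip, ignoreip):
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)

def simulate(log_text, ignoreip, maxretry=2, findtime=600):
    """Return {ip: 'ignored' | 'banned' | 'below-threshold'} for matching lines."""
    hits, result = {}, {}
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        ip = m.group("host")
        if is_ignored(ip, ignoreip):  # regex hit, but never counted toward a ban
            result[ip] = "ignored"
            continue
        ts = datetime.strptime(line[1:20], "%Y-%m-%d %H:%M:%S")
        window = [t for t in hits.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        hits[ip] = window
        if len(window) >= maxretry:  # modelled threshold: maxretry hits inside findtime
            result[ip] = "banned"
        else:
            result.setdefault(ip, "below-threshold")
    return result

if __name__ == "__main__":
    for ip, verdict in simulate(SAMPLE_LOG, ["127.0.0.1/8", "192.168.1.0/24"]).items():
        print(ip, verdict)
```
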