
VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sat Feb 17, 2018 11:49 am
by dito
Hi all,
saw some confused posts turning around firewall and security on vicibox server.
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Vicibox.
When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.
Steps To setup fail2ban working on your system, this will protect from ATTACKS AGAINST ASTERISK, APACHE, AND SSH:

1- fail2ban install:
Code:
yast2 -i fail2ban

2 - configure fail2ban:
Code:
vi /etc/fail2ban/jail.local

add those lines:

# Do all your modifications to the jail's configuration in jail.local!
Code:
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=support@crm.tn, sender=vicibox@crm.tn]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


3 - launch and check fail2ban
launch fail2ban :
Code:
service fail2ban start

check if jails are on:
Code:
fail2ban-client status

you will have to see sth like this:
Code:
Status
|- Number of jail:      5
`- Jail list:   apache-badbots, apache-tcpwrapper, asterisk-iptables, recidive, ssh-iptables


check your mailbox; if all is ok you will receive sth like this:

Image
Advice: add your own ip as ignoreip to avoid risk getting banned from your own server
Code:
# one ignoreip line, addresses separated by spaces (repeated ignoreip lines do not add up)
ignoreip = 127.0.0.1 yourserverip yourofficeip


Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sun Feb 18, 2018 2:16 pm
by williamconley
Cool.

Does this take into account SIP registration attacks?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Feb 19, 2018 4:49 am
by dito
williamconley wrote:Cool.

Does this take into account SIP registration attacks?


Yes take a look into the jail code above you will see what is exactly parsed from asterisk log.
it's located in
/etc/fail2ban/filter.d/asterisk.conf

Code:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Feb 19, 2018 10:28 am
by williamconley
How does it handle rotating IP SIP registration attacks?

And how does it handle the situation when a single agent in a call center has a bad password? (Will it lock out the entire call center from that server for one bad password?)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Feb 19, 2018 1:18 pm
by dito
williamconley wrote:How does it handle rotating IP SIP registration attacks?

And how does it handle the situation when a single agent in a call center has a bad password? (Will it lock out the entire call center from that server for one bad password?)


as i said in the first post ignoreip line kind of whitelist ips in "jail.local" not jail.conf
to add the server ip to avoid the ban of the server ip cause some attacks display only server ip "device attack"
then your own addresses.

Code:
ignoreip = 127.0.0.1,5.135.123.123,182.121.123.123,41.321.321.321

Image

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Feb 19, 2018 2:33 pm
by williamconley
You missed this one:
williamconley wrote:How does it handle rotating IP SIP registration attacks?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Feb 19, 2018 4:27 pm
by dito
williamconley wrote:You missed this one:
williamconley wrote:How does it handle rotating IP SIP registration attacks?


didn't know what you meant by rotating my english is not so good..
but rotating (coming back after unban) or rotating changing ip's
there is a jail called recidive: after re-attacking, the ip is banned for a longer time. in this example
recidive check each 12 hours if the unbanned ip reattack the ip is banned for 10 weeks
Code:
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
findtime = 43200   ; 12 hours
maxretry = 5


if rotating = changing ip, multiple ip from subnet etc., you can try replacing <ip> in your action(s) with this: whois <ip> | grep route: | awk '{print $2}'. It will ban the whole subnet according to the whois data, not only /24 which may be not enough.

https://github.com/XaF/fail2ban-subnets
fail2ban-subnets aims to provide a way to ban subnets of IPs repeatingly banned by fail2ban for multiple offenses. It thus uses the fail2ban logfiles and calculates the most restricted subnet to be banned for these IPs. Using the log file generated by fail2ban-subnets, and a new action.d script, we can thus create a specific jail in fail2ban for banning those subnets.

fail2ban-subnets is here to provide what's currently impossible in fail2ban, even if there are issues that are progressing on that side.
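
The per-address counting behind the questions about rotating IPs and a single agent with a bad password, as an added example that is not part of the original thread or of fail2ban itself: it replays constructed Asterisk log lines through the maxretry/findtime window from the jail above, once per address and once aggregated per /24. The regex is a simplified stand-in for one asterisk.conf pattern, and the fixed /24 grouping, the addresses and the function names are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds from the [asterisk-iptables] jail and [DEFAULT] section in this thread.
MAXRETRY = 3
FINDTIME = 600  # seconds

# Simplified stand-in for the "Registration from ... failed for '<HOST>'" failregex
# in asterisk.conf (assumption: covers only this message shape and IPv4).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]:? [^:]+:\d* in \w+: "
    r"Registration from '[^']*' failed for '(?P<host>[\d.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)$"
)


def reg_fail(ts, ip, ext="100"):
    """Build one constructed Asterisk log line (not captured from a real server)."""
    return (f"[{ts}] NOTICE[1234]: chan_sip.c:28468 in handle_request_register: "
            f"Registration from '\"{ext}\" <sip:{ext}@vicibox>' failed for "
            f"'{ip}:5060' - Wrong password")


SAMPLE_LOG = (
    # one address retrying the same extension
    [reg_fail(f"2018-02-19 10:00:0{i}", "198.51.100.7") for i in range(3)]
    # eight addresses from one /24, two attempts each, one minute apart
    + [reg_fail(f"2018-02-19 10:0{1 + i // 8}:1{i % 8}", f"203.0.113.{10 + i % 8}")
       for i in range(16)]
    # an agent behind the office NAT address mistyping a password
    + [reg_fail(f"2018-02-19 10:05:0{i}", "192.0.2.50", ext="204") for i in range(3)]
)


def parse(line):
    """Return (timestamp, address) for a failed registration, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, ipaddress.ip_address(m["host"])


def find_bans(lines, ignore=(), prefix=32):
    """Networks reaching MAXRETRY failures inside FINDTIME.

    prefix=32 approximates the jail's per-address counting; a shorter prefix
    pools every address of that network into one counter.
    """
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    windows = defaultdict(deque)
    banned = []
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ts, ip = hit
        if any(ip in net for net in ignore_nets):
            continue  # ignoreip: never counted, never banned
        key = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        if key in banned:
            continue
        win = windows[key]
        win.append(ts)
        while (ts - win[0]).total_seconds() > FINDTIME:
            win.popleft()  # drop failures older than the findtime window
        if len(win) >= MAXRETRY:
            banned.append(key)
    return [str(n) for n in banned]


if __name__ == "__main__":
    print("per address           :", find_bans(SAMPLE_LOG))
    print("office in ignoreip    :", find_bans(SAMPLE_LOG, ignore=["192.0.2.50"]))
    print("per /24, office ignored:", find_bans(SAMPLE_LOG, ignore=["192.0.2.0/24"], prefix=24))
```

Per address, the eight 203.0.113.x sources never reach maxretry, while the office NAT address is banned unless it is listed in ignoreip; pooling by /24 catches the spread-out attempts at the cost of blocking every other host in that range.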

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Fri Feb 23, 2018 10:26 pm
by cyberlinux
Thank you for posting this, and how do I filter or block all IPs accessing viciserver that are not listed in ignoreip?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sun Feb 25, 2018 10:00 am
by dito
cyberlinux wrote:Thank you for posting this, and how do I filter or block all IPs accessing viciserver that are not listed in ignoreip?

if you want to block ALL IP's only permit your own ip you don't need fail2ban ... just do it on your iptables.
this fail2ban is in certain way permitting vicibox to be "public"
example of use "homeshoring" with dynamic changing ip's etc...

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Fri Mar 23, 2018 6:27 am
by dito
hi there,
someone used my mail in the fail2ban install procedure please change it :lol: i am receiving email from your server
server name : BMI
thx
Code:
Hi,

The IP 192.168.1.117 has just been banned by Fail2Ban after
14 attempts against VICIBOX-ASTERISK-DETECTOR.

Regards,

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sat May 19, 2018 12:36 pm
by kashinc
my jails are not loading.... I have created the jail.local file but still the output I get is

sudo fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sat May 19, 2018 9:33 pm
by dito
kashinc wrote:my jails are not loading.... I have created the jail.local file but still the output I get is

sudo fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:


Hello,
please provide more information ... vicibox version you are running under ..
you said you've created jail.local ... in fact if you installed fail2ban you will have to edit it ..
so maybe you did the vi in the wrong place, the jail.local should be in /etc/fail2ban/
cheers

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sat May 19, 2018 9:54 pm
by kashinc
vicibox 8.0.1
Asterisk 13.21.0-vici

TEL1:/etc/fail2ban # ls
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.rpmsave jail.d jail.local jail.local.rpmsave paths-common.conf paths-opensuse.conf

TEL1:/etc/fail2ban # cat jail.local
# Do all your modifications to the jail's configuration in jail.local!

[DEFAULT]
ignoreip = 127.0.0.1,12.X.X.X
bantime  = 6048000
findtime = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=admin@xxxxx.com, sender=vicibox@xxxxx.com]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Tue May 22, 2018 6:14 pm
by dito
kashinc wrote:vicibox 8.0.1
Asterisk 13.21.0-vici

just do
Code:
fail2ban-client reload

then
Code:
fail2ban-client status

best regards

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Wed Jul 25, 2018 10:24 am
by bigape
I had to create /var/log/fail2ban.log in order to get fail2ban-0.9.7-3.1.noarch to startup successfully using instructions provided and vicibox 8.01.

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Dec 03, 2018 5:40 pm
by rmathur2588
Hello Everyone,


I am getting this error message when I try to start the fail2ban service (service fail2ban start)

ERROR: Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

My Setup:

- ViciBox v.8.0.1
VERSION: 2.14-695a
BUILD: 181116-1133
Hosted on a dedicated server in Frankfurt using OVH Cloud Services.

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Dec 03, 2018 6:13 pm
by williamconley
rmathur2588 wrote:See "systemctl status fail2ban.service" and "journalctl -xe" for details.

And when you checked using those methods for the error causing the fail ... what did you find?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Dec 03, 2018 6:24 pm
by rmathur2588
Command : "systemctl status fail2ban.service"
Output:
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Mon 2018-12-03 18:03:36 EST; 18min ago
Docs: man:fail2ban(1)
Process: 24308 ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start (code=exited, status=255)

Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
Dec 03 18:03:36 vicibox8 systemd[1]: Stopped Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Start request repeated too quickly.
Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'start-limit'.


Command : journalctl -xe

Output:
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 820 of user root.
-- Subject: Unit session-820.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-820.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 821 of user root.
-- Subject: Unit session-821.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-821.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 822 of user root.
-- Subject: Unit session-822.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-822.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 823 of user root.
-- Subject: Unit session-823.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-823.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 CRON[6623]: (root) CMD (/usr/share/astguiclient/AST_inbound_email_parser.pl)
Dec 03 18:23:01 vicibox8 CRON[6624]: (root) CMD (/usr/share/astguiclient/AST_VDhopper.pl -q)
Dec 03 18:23:01 vicibox8 CRON[6625]: (root) CMD (/usr/share/astguiclient/ADMIN_keepalive_ALL.pl)
Dec 03 18:23:01 vicibox8 CRON[6627]: (root) CMD (/usr/share/astguiclient/AST_manager_kill_hung_congested.pl)
Dec 03 18:23:01 vicibox8 CRON[6628]: (root) CMD (/usr/share/astguiclient/AST_vm_update.pl)
Dec 03 18:23:01 vicibox8 CRON[6626]: (root) CMD (/usr/share/astguiclient/AST_conf_update.pl)
Dec 03 18:23:01 vicibox8 CRON[6616]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6615]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6614]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6612]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:06 vicibox8 CRON[6611]: pam_unix(crond:session): session closed for user root

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Dec 03, 2018 7:20 pm
by rmathur2588
bigape wrote:I had to create /var/log/fail2ban.log in order to get fail2ban-0.9.7-3.1.noarch to startup successfully using instructions provided and vicibox 8.01.


How did you create this log file?

Can you post the instructions for my ref. please.

Thanks in Advance

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Dec 03, 2018 9:48 pm
by williamconley
Creating a file can be as easy as
Code:
touch /var/log/fail2ban.log
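
A preflight check for the startup failure discussed above, as an added example that is not part of the thread or of fail2ban: it reads a jail.local and reports every enabled jail whose logpath matches no file (the missing /var/log/fail2ban.log case for recidive), plus options set more than once in a section. It looks only at the one file given, not at jail.conf or jail.d; the sample text, the function names and the `root` parameter are assumptions made so the check can run offline.

```python
import configparser
import glob
import os
import sys

# Constructed sample, abridged from the jail.local posted in this thread.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1
ignoreip = yourserverip
ignoreip = yourofficeip
bantime  = 6048000

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/asterisk/messages

[ssh-iptables]
enabled  = false
filter   = sshd
logpath  = /var/log/messages

[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
bantime  = 6048000  ; 10 weeks
"""


def missing_logpaths(text, root="/"):
    """List (jail, pattern) for enabled jails whose logpath glob matches no file.

    root is a hypothetical parameter: the directory treated as "/" so the
    check can be pointed at a test tree instead of the live filesystem.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    missing = []
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue  # disabled jails never open their log
        for pattern in cp.get(jail, "logpath", fallback="").split():
            if not glob.glob(os.path.join(root, pattern.lstrip("/"))):
                missing.append((jail, pattern))
    return missing


def duplicate_options(text):
    """List (section, option) pairs assigned more than once in one section.

    Repeated keys in an INI file do not accumulate, so three ignoreip lines
    do not whitelist three addresses.
    """
    dups, section, seen = [], None, set()
    for raw in text.splitlines():
        if not raw.strip() or raw[0].isspace() or raw.lstrip()[0] in "#;":
            continue  # blank line, continuation line, or comment
        if raw.startswith("["):
            section, seen = raw.strip()[1:-1], set()
            continue
        key = raw.split("=", 1)[0].strip()
        if key in seen and (section, key) not in dups:
            dups.append((section, key))
        seen.add(key)
    return dups


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/fail2ban/jail.local"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_JAIL_LOCAL
    for jail, pattern in missing_logpaths(text):
        print(f"[{jail}] logpath {pattern} matches no file")
    for section, key in duplicate_options(text):
        print(f"[{section}] option '{key}' is set more than once")
```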

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Tue Dec 04, 2018 4:54 pm
by rmathur2588
Thanks. It worked like a charm.

Cheers!!

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Tue Jan 15, 2019 7:47 pm
by m@rio
Hi,

I tried this but it doesn't block the IPs who are trying to hack me by SIP registration. Fail2ban is active but I still can see the same IP trying over and over to hack me.
Any ideas?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Tue Jan 15, 2019 7:56 pm
by williamconley
fail2ban closes the barn door after the cows have left. you are already on a list of "active sip servers" and will be attacked.

whitelist lockdown is the actual solution. the newest vicibox has a firewall system capable of whitelisting. All OpenSuSE installations with iptables active can whitelist from "yast firewall".

Dynamic Good Guys was published many years ago for easing the use of a whitelisted Vicibox server by adding simplistic web pages to authorize IPs (no cli needed for adding each new good ip address). It also includes instructions for whitelisting without installing ... but then you have to use yast firewall's custom IP authorization to whitelist IPs and subnets.

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sun Jan 20, 2019 12:41 pm
by m@rio
The link for Dynamic Good Guys is not working. Do you know where I can find it?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sun Jan 20, 2019 2:35 pm
by williamconley
m@rio wrote:The link for Dynamic Good Guys is not working. Do you know where I can find it?

WHAT link isn't working?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Wed Jan 30, 2019 8:31 am
by waleed
Ignoreip did not work. I have entered a wrong ssh password on purpose and it blocked my ip even though I put it in ignoreip.

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Wed Aug 21, 2019 8:22 pm
by rameez.amjad4
I have installed fail2ban on my server today; it's Vicibox 8.1.2

Version: 2.14b0.5
SVN Version: 3130
DB Schema Version: 1574
DB Schema Update Date: 2019-08-21 20:46:07
Password Encryption: DISABLED - S1 - C1
Auto User-add Value: 101
Recording Prompt Count: 0
Install Date: 2019-08-21

when i try to execute command " service fail2ban start " i get the following error, please help, Thanks.

Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

journalctl -xe

Aug 21 21:20:43 Eishal systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Unit entered failed state.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Service RestartSec=100ms expired, scheduling restart.
Aug 21 21:20:43 Eishal systemd[1]: Stopped Fail2Ban Service.
-- Subject: Unit fail2ban.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has finished shutting down.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Start request repeated too quickly.
Aug 21 21:20:43 Eishal systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Unit entered failed state.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'start-limit'.
Aug 21 21:20:46 Eishal CRON[7408]: pam_unix(crond:session): session closed for user root

Please help how to fix and get it up & running, Thanks.

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Wed Aug 21, 2019 8:31 pm
by williamconley
These are the two lines with the real information:

Code:
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Start request repeated too quickly.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'start-limit'.


How you could have made the request too often is interesting. But I suggest you check for a cause for these two lines and determine if some other process attempted to start it (unless you actually requested the start twice?).

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Wed Aug 21, 2019 9:04 pm
by rameez.amjad4
Actually I didn't try to open it twice. I just installed and followed the mentioned steps but it's not working. Can you tell me how to fix it and keep it working?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Thu Aug 22, 2019 11:29 am
by rameez.amjad4
Can anyone help to fix this issue?

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Sat Sep 07, 2019 4:30 pm
by rameez.amjad4
I installed vicibox 8.1.2 again and am still having the same issue. Can someone help me to fix it?


service fail2ban start
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

=========================================

systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Sat 2019-09-07 17:27:42 EDT; 9s ago
Docs: man:fail2ban(1)
Process: 11469 ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start (code=exited, status=255)

Sep 07 17:27:42 Esha systemd[1]: Failed to start Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Unit entered failed state.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Service RestartSec=100ms expired, scheduling restart.
Sep 07 17:27:42 Esha systemd[1]: Stopped Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Start request repeated too quickly.
Sep 07 17:27:42 Esha systemd[1]: Failed to start Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Unit entered failed state.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Failed with result 'start-limit'.

=========================================

journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-220.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha systemd[1]: Started Session 223 of user root.
-- Subject: Unit session-223.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-223.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha systemd[1]: Started Session 221 of user root.
-- Subject: Unit session-221.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-221.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha CRON[11630]: (root) CMD (/usr/share/astguiclient/AST_conf_update.pl)
Sep 07 17:29:01 Esha CRON[11631]: (root) CMD (/usr/share/astguiclient/AST_vm_update.pl)
Sep 07 17:29:01 Esha CRON[11632]: (root) CMD (/usr/share/astguiclient/AST_VDhopper.pl -q)
Sep 07 17:29:01 Esha CRON[11633]: (root) CMD (/usr/share/astguiclient/AST_manager_kill_hung_congested.pl)
Sep 07 17:29:01 Esha CRON[11634]: (root) CMD (/usr/share/astguiclient/ADMIN_keepalive_ALL.pl)
Sep 07 17:29:01 Esha CRON[11635]: (root) CMD (/usr/share/astguiclient/AST_inbound_email_parser.pl)
Sep 07 17:29:02 Esha CRON[11619]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11620]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11616]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11618]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:07 Esha CRON[11615]: pam_unix(crond:session): session closed for user root

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Fri Sep 13, 2019 2:14 pm
by rameez.amjad4
Can anyone help in resolving the issue of fail2ban not working with vicibox 8.1.2, error: quick start

Any help???

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Tue Jun 23, 2020 7:56 am
by susam
dito wrote:Hi all,
saw some confused posts turning around firewall and security on vicibox server.
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Vicibox.
When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.
Steps To setup fail2ban working on your system, this will protect from ATTACKS AGAINST ASTERISK, APACHE, AND SSH:

1- fail2ban install:
Code:
yast2 -i fail2ban

2 - configure fail2ban:
Code:
vi /etc/fail2ban/jail.local

add those lines:

# Do all your modifications to the jail's configuration in jail.local!
Code:
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=support@crm.tn, sender=vicibox@crm.tn]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


3 - launch and check fail2ban
launch fail2ban :
Code:
service fail2ban start

check if jails are on:
Code:
fail2ban-client status

you will have to see sth like this:
Code:
Status
|- Number of jail:      5
`- Jail list:   apache-badbots, apache-tcpwrapper, asterisk-iptables, recidive, ssh-iptables


check your mailbox; if all is ok you will receive sth like this:

Image
Advice: add your own ip as ignoreip to avoid risk getting banned from your own server
Code:
# one ignoreip line, addresses separated by spaces (repeated ignoreip lines do not add up)
ignoreip = 127.0.0.1 yourserverip yourofficeip




Thanks for such a nice post. I am using 8.0.1 and it is working fine. Now I have two questions: 1) someone tries to register a sip account using my own IP (IP spoofing), how to block that one, and 2) how to block sip port scanning? I will be grateful if you provide me step by step, the same as for fail2ban.

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Jul 13, 2020 7:36 am
by carpenox
is this fully working on v9? I can get the setup done but I am not receiving banned IP's to my email, only when it stops and starts.... it's not banning failed attempts...

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Wed Jul 15, 2020 12:15 am
by carpenox
OK so I got fail2ban working on vicibox v9.0.3 - it was setting the logs to use "systemd" instead of auto or polling

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Mon Nov 23, 2020 7:39 am
by IanGP
Much Appreciated!
Works like a charm on 9.0.3.

Just must remember to set F2B to start at boot:

Code:
chkconfig --add fail2ban

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Posted: Tue Nov 24, 2020 8:21 am
by carpenox
yea i did it using systemctl but im glad its working for ya ;)