Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Wed Jul 15, 2020 12:22 am
by carpenox
I have gotten fail2ban working on vicibox 9 if anyone is interested.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Wed Jul 15, 2020 9:02 pm
by Kumba
If you can post a walk-through here that's 90% complete I can look at how I can integrate that with ViciBox.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Thu Jul 16, 2020 11:09 am
by carpenox
OK, no problem. I will set up one of my other servers with it today and write down the steps I used to get it working.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Thu Jul 16, 2020 4:21 pm
by Kumba
Mostly I'd be using it to catch SIP scanners and try to feed that back into voipbl.org so that all of vicibox becomes one large crowd-sourced SIP blacklist generator.

That's my true ulterior motive. :)

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Thu Jul 16, 2020 9:22 pm
by carpenox
OK, here it goes. It's pretty much the same as the 8 install with a few minor changes.

zypper in fail2ban


nano /etc/fail2ban/jail.local


Code:
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = systemd

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
bantime  = 6048000
maxretry = 1

[pam-generic]
mode = normal
filter = pam-generic
action   = iptables-allports[name=pam-generic]
           sendmail[name=VICIBOX-PAM-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000
maxretry = 5
enabled = true

[phpmyadmin-syslog]
mode = normal
filter = phpmyadmin-syslog
action   = iptables-allports[name=phpmyadmin-syslog, port=https, protocol=tcp]
           sendmail[name=VICIBOX-PHPMYADMIN-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
bantime  = 6048000
maxretry = 2
enabled = true


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


systemctl enable fail2ban


systemctl start fail2ban


fail2ban-client status


Advice: add your own IP as ignoreip to avoid the risk of getting banned from your own server
# one key, space-separated values (repeated ignoreip lines do not accumulate)
ignoreip = 127.0.0.1 yourserverip yourofficeip




Let me know if it works.
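
Added example (not part of carpenox's post and not fail2ban's own code): the findtime / maxretry / ignoreip decision that the [asterisk-iptables] jail above applies to /var/log/asterisk/messages, written out in Python. The log lines are constructed, and the regex is a simplified stand-in for the filter shipped with fail2ban, assuming chan_sip-style registration failures; 192.0.2.10 stands in for an office IP.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# findtime/maxretry as in the [asterisk-iptables] jail; ignore list is a placeholder.
FINDTIME, MAXRETRY = 600, 3
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1", "192.0.2.10")]
# Simplified pattern (assumption: not fail2ban's own regex). Greedy '.*' plus '$'
# takes the host from the end of the line, never from the caller-controlled From header.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]{10} [\d:]{8})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>[\d.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)$"
)

# Constructed sample lines in the style of /var/log/asterisk/messages.
SAMPLE_LOG = """\
[2020-07-16 21:00:00] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.5>' failed for '203.0.113.77:5060' - Wrong password
[2020-07-16 21:00:01] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.5>' failed for '198.51.100.23:5071' - Wrong password
[2020-07-16 21:00:09] NOTICE[2301] chan_sip.c: Registration from '<sip:101@203.0.113.5>' failed for '198.51.100.23:5071' - No matching peer found
[2020-07-16 21:00:15] NOTICE[2301] chan_sip.c: Registration from '<sip:102@203.0.113.5>' failed for '198.51.100.23:5071' - Wrong password
[2020-07-16 21:00:20] NOTICE[2301] chan_sip.c: Registration from '<sip:200@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password
[2020-07-16 21:00:21] NOTICE[2301] chan_sip.c: Registration from '<sip:200@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password
[2020-07-16 21:00:22] NOTICE[2301] chan_sip.c: Registration from '<sip:200@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password
[2020-07-16 21:05:00] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.5>' failed for '203.0.113.77:5060' - Wrong password
[2020-07-16 21:12:00] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.5>' failed for '203.0.113.77:5060' - Wrong password
"""

def find_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY, ignore=IGNOREIP):
    """Return {ip: ban time} for hosts with maxretry failures inside findtime."""
    recent, banned = defaultdict(deque), {}
    for line in log_text.splitlines():
        if not (m := FAIL_RE.match(line)):
            continue
        try:
            ip = ipaddress.ip_address(m["host"])
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        except ValueError:          # malformed address or timestamp
            continue
        if str(ip) in banned or any(ip in net for net in ignore):
            continue
        window = recent[str(ip)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()        # drop failures older than findtime
        if len(window) >= maxretry:
            banned[str(ip)] = ts
    return banned
```

On the sample, only 198.51.100.23 is banned: 203.0.113.77 spreads its three failures over more than findtime, and 192.0.2.10 is on the ignore list.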

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Sat Jul 18, 2020 6:52 am
by carpenox
I have a HUGE list of IPs if you want them, over 1700

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Sat Jul 18, 2020 9:12 pm
by carpenox
Kumba wrote: Mostly I'd be using it to catch SIP scanners and try to feed that back into voipbl.org so that all of vicibox becomes one large crowd-sourced SIP blacklist generator.

That's my true ulterior motive. :)

You would have to turn whitelist off for that, right? Not a bad idea though. Maybe set up a honeypot just for that....

Here is a list of failed ssh and pam tries.... https://www.cyburity.tk/d0wnl0ads/ssh-iptables.txt - there's like 1900 here in just a couple days

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Mon May 17, 2021 9:32 am
by dv8inpp
Any chance you could share your asterisk.conf and logger.conf? I find working with regex frustrating to say the least.

Thanks either way

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Mon May 17, 2021 12:00 pm
by carpenox
Yeah, when I get into the office I'll check it out for you and share it.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Thu Jul 28, 2022 12:36 pm
by jayboo876
Do you need to turn on Asterisk CLI SIP debugging (sip set debug on)?

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Tue Aug 02, 2022 6:23 pm
by carpenox
Actually I wouldn't use fail2ban with vicidial. It ends up bogging down the system after a few months and eventually puts it to a crawl. Go with the dynamic portal method; you can follow either of my articles from my blog to do it. If you are using centos, alma or rocky linux, you can follow this article:

Https://dialer.one/how-to-scratch-insta ... ky-centos/

If you are using leap 15.* or Vicibox then you can follow this article:

https://dialer.one/how-to-use-the-built ... r-vicibox/

Or you can also check out this one overall:

https://dialer.one/how-to-secure-vicidi ... ly-part-1/

Good luck and I hope this helps

Chris aka carpenox

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Fri Aug 12, 2022 2:54 pm
by jayboo876
Know where I can find documentation around the dynamic portal app? I have checked both the agent and manager manuals and nothing.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Fri Aug 12, 2022 11:58 pm
by carpenox
There isn't really any "documentation", but what are you looking for? Perhaps I can help.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Mon Aug 15, 2022 8:34 am
by jayboo876
carpenox wrote: There isn't really any "documentation", but what are you looking for? Perhaps I can help.


So is dyna portal only whitelisting for agents using the vici embedded WebRTC phone? So the agent logs into dyna portal, then logs in to the agent console? How does it apply to a SIP soft/hard phone behind dynamic IP addresses? It seems the agent will find periods where they are unable to connect (internet IP changes), so they will need to re-login to dyna portal to update/whitelist the new IP? How does it apply to carriers, or maybe that'll be a manual entry in iptables? I like the idea of dyna portal, since the bad traffic doesn't make it to the SIP stack and it protects system resources, unlike fail2ban, but I'm just wondering if it will be a one-size-fits-all solution.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Tue Aug 16, 2022 1:33 am
by carpenox
Yeah, it'll work for SIP phones as well, although anytime someone's IP changes, they would need to re-login to the dynamic portal to have their new IP added to the firewall. That goes for SIP/hard and web phones. You can add carrier IPs to the ViciWhite list as well as any static IPs for managers or agents, because the dynamic portal is set to clear allowed IPs every 14 days by default, although this can be changed as needed. Check out the articles below to help you get started with the dynportal:

https://dialer.one/how-to-secure-vicidi ... ly-part-1/

https://dialer.one/how-to-use-the-built ... r-vicibox/

https://dialer.one/how-to-turn-on-ip-wh ... -vicidial/


Https://dialer.one/how-to-scratch-insta ... ky-centos/

Hopefully this helps

Chris aka carpenox

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Wed Aug 17, 2022 10:42 am
by jayboo876
Thanks for the feedback. I'll give it a try in lab and see how it works.

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Posted: Sun Jul 09, 2023 2:03 am
by newbie
Would be great if your site is up again @carpenox. I've been following your guides but now I can't access your site anymore. Would be great if it's gonna be up again :)