VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Moderators: enjay, williamconley, Staydog, mflorell, MJCoate, mcargile, Kumba

VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Sat Feb 17, 2018 11:49 am

Hi all,
I saw some confused posts about firewall and security on the Vicibox server.
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Vicibox.
When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.
Steps to set up fail2ban on your system; this will protect against ATTACKS AGAINST ASTERISK, APACHE, AND SSH:

1- fail2ban install:
Code:
yast2 -i fail2ban

2 - configure fail2ban:
Code:
vi /etc/fail2ban/jail.local

add these lines:

# Do all your modifications to the jail's configuration in jail.local!
Code:
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=support@crm.tn, sender=vicibox@crm.tn]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


3 - launch and check fail2ban
launch fail2ban:
Code:
service fail2ban start

check if jails are on:
Code:
fail2ban-client status

you should see something like this:
Code:
Status
|- Number of jail:      5
`- Jail list:   apache-badbots, apache-tcpwrapper, asterisk-iptables, recidive, ssh-iptables


check your mailbox; if all is OK you will receive something like this:

[image]
Advice: add your own IP as ignoreip to avoid the risk of getting banned from your own server. ignoreip is a single space-separated list (a repeated ignoreip key only keeps the last value):
Code:
ignoreip = 127.0.0.1 yourserverip yourofficeip

VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Sun Feb 18, 2018 2:16 pm

Cool.

Does this take into account SIP registration attacks?
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Mon Feb 19, 2018 4:49 am

williamconley wrote:Cool.

Does this take into account SIP registration attacks?


Yes, take a look at the jail code; you will see exactly what is parsed from the Asterisk log.
It's located in
/etc/fail2ban/filter.d/asterisk.conf

Code:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching
VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Mon Feb 19, 2018 10:28 am

How does it handle rotating IP SIP registration attacks?

And how does it handle the situation when a single agent in a call center has a bad password? (Will it lock out the entire call center from that server for one bad password?)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Mon Feb 19, 2018 1:18 pm

williamconley wrote:How does it handle rotating IP SIP registration attacks?

And how does it handle the situation when a single agent in a call center has a bad password? (Will it lock out the entire call center from that server for one bad password?)


As I said in the first post, the ignoreip line kind of whitelists IPs, in "jail.local" not jail.conf.
Add the server IP to avoid the ban of the server IP, because some attacks display only the server IP ("device attack"),
then your own addresses.

Code:
ignoreip = 127.0.0.1,5.135.123.123,182.121.123.123,41.321.321.321

[image]
VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Mon Feb 19, 2018 2:33 pm

You missed this one:
williamconley wrote:How does it handle rotating IP SIP registration attacks?
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Mon Feb 19, 2018 4:27 pm

williamconley wrote:You missed this one:
williamconley wrote:How does it handle rotating IP SIP registration attacks?


I didn't know what you meant by rotating, my English is not so good..
But rotating (coming back after unban) or rotating (changing IPs):
there is a jail called recidive; after re-attacking, the IP is banned for a longer time. In this example
recidive checks every 12 hours; if the unbanned IP re-attacks, the IP is banned for 10 weeks.
Code:
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
findtime = 43200   ; 12 hours
maxretry = 5


If rotating = changing IP, multiple IPs from a subnet etc., you can try replacing <ip> in your action(s) with this: whois <ip> | grep route: | awk '{print $2}'. It will ban the whole subnet according to the whois data, not only /24, which may not be enough.

https://github.com/XaF/fail2ban-subnets
fail2ban-subnets aims to provide a way to ban subnets of IPs repeatedly banned by fail2ban for multiple offenses. It thus uses the fail2ban logfiles and calculates the most restricted subnet to be banned for these IPs. Using the log file generated by fail2ban-subnets, and a new action.d script, we can thus create a specific jail in fail2ban for banning those subnets.

fail2ban-subnets is here to provide what's currently impossible in fail2ban, even if there are issues that are progressing on that side.
VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm
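The matching and banning logic that the jail.local in the first post, the asterisk filter quoted above and the recidive jail rely on, as an added example; it is not part of this thread and not fail2ban's own code. It is a toy re-implementation: the Asterisk line prefix is a simplified stand-in for %(__prefix_line)s%(log_prefix)s, the recidive regex is a simplification of filter.d/recidive.conf, the log lines are constructed from RFC 5737 documentation addresses, and the asterisk jail's bantime is shortened to 600 s in demo() so that the returning scanner can be re-banned often enough to trip recidive. The names Jail, replay, attempt and demo are the example's own.

```python
"""Toy model of the fail2ban decision loop for the jails in this thread.

Added example, not fail2ban's own code.  A filter is a list of regexes with a <HOST>
capture; a jail keeps a per-host sliding window of `findtime` seconds and bans after
`maxretry` hits; `ignoreip` whitelists addresses or CIDR blocks; the recidive jail reads
the "Ban <ip>" lines the first jail wrote.  The log lines are constructed, the Asterisk
line prefix is a simplified stand-in for %(__prefix_line)s%(log_prefix)s, and the
recidive regex is likewise a simplification of filter.d/recidive.conf.
"""
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"  # what fail2ban substitutes for <HOST> (IPv4 only here)

# filter.d/asterisk.conf: two of the posted failregex lines behind a simplified prefix
AST_PREFIX = (r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
              r"(?:NOTICE|SECURITY|WARNING)(?:\[\d+\])?:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")
ASTERISK_FILTER = [re.compile(AST_PREFIX + body) for body in (
    r" Registration from '[^']*' failed for '" + HOST + r"(?::\d+)?' - "
    r"(?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain"
    r"|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\))$",
    r" Host " + HOST + r" failed to authenticate as '[^']*'$",
)]
# filter.d/recidive.conf (simplified): the Ban line fail2ban itself writes to fail2ban.log
RECIDIVE_FILTER = [re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s*"
                              r"(?:\[\d+\])?: NOTICE\s+\[[^\]]+\]\s+Ban\s+" + HOST + r"\s*$")]


class Jail:
    def __init__(self, name, filters, maxretry=3, findtime=600, bantime=6048000, ignoreip=()):
        self.name, self.filters, self.maxretry = name, filters, maxretry
        self.findtime, self.bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(e, strict=False) for e in ignoreip]
        self.failures = defaultdict(deque)  # host -> failure times still inside findtime
        self.banned = {}                    # host -> time the ban expires
        self.log = []                       # what fail2ban.log would record for this jail

    def is_ignored(self, host):
        return any(ipaddress.ip_address(host) in net for net in self.ignore)

    def process(self, line):
        """Feed one log line; return the host if this line triggered a ban, else None."""
        m = next((m for m in (rx.match(line) for rx in self.filters) if m), None)
        if m is None:
            return None
        ts, host = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")
        if self.is_ignored(host):
            return None  # whitelisted: never counted, never banned
        if host in self.banned and ts < self.banned[host]:
            return None  # still banned: iptables is already dropping it
        window = self.failures[host]
        window.append(ts)
        while ts - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) < self.maxretry:
            return None
        self.banned[host] = ts + self.bantime
        window.clear()
        self.log.append(f"{ts:%Y-%m-%d %H:%M:%S},000 fail2ban.actions [1]: NOTICE [{self.name}] Ban {host}")
        return host


def replay(jail, log_text):
    """Run every line of a log through a jail; return the hosts it banned, in order."""
    return [h for h in map(jail.process, log_text.splitlines()) if h]


def attempt(ts, host, user):
    """One constructed /var/log/asterisk/messages line for a failed SIP registration."""
    return (f"[{ts:%Y-%m-%d %H:%M:%S}] NOTICE[1234]: chan_sip.c:28046 handle_request_register: "
            f"Registration from '\"{user}\" <sip:{user}@{host}>' failed for '{host}:5060' - Wrong password")


T0 = datetime(2018, 2, 17, 11, 49, 0)
SAMPLE_ASTERISK_LOG = "\n".join(sorted(
    # a scanner (documentation address) that comes back every 20 minutes, three bad passwords each time
    [attempt(T0 + timedelta(minutes=20 * k, seconds=s), "203.0.113.9", "100") for k in range(5) for s in range(3)]
    # an agent in the whitelisted office who mistypes the password three times in a row
    + [attempt(T0 + timedelta(seconds=60 + s), "192.0.2.10", "1002") for s in range(3)]
    # a host that never reaches maxretry inside one findtime window
    + [attempt(T0 + timedelta(minutes=m), "198.51.100.20", "1001") for m in (0, 41, 42)]
))


def demo(office="192.0.2.0/24"):
    """Chain the two jails as the posted jail.local does; return (asterisk bans, recidive bans)."""
    sip = Jail("asterisk-iptables", ASTERISK_FILTER, maxretry=3, findtime=600, bantime=600,
               ignoreip=["127.0.0.1", office])  # bantime shortened so the scanner can come back
    sip_bans = replay(sip, SAMPLE_ASTERISK_LOG)
    recidive = Jail("recidive", RECIDIVE_FILTER, maxretry=5, findtime=43200, bantime=6048000)
    return sip_bans, replay(recidive, "\n".join(sip.log))


if __name__ == "__main__":
    print(demo())  # (['203.0.113.9'] * 5, ['203.0.113.9'])
```

Running it returns five asterisk-jail bans of the scanner inside 12 hours and then one 10-week recidive ban; the office's three bad passwords are dropped by ignoreip before they are counted, and the host that never makes maxretry failures inside one findtime window is never banned. Since the window is kept per source IP, an attacker that changes address on every attempt never accumulates maxretry hits in any one window, which is the gap the subnet-banning suggestion above tries to close.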

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby cyberlinux » Fri Feb 23, 2018 10:26 pm

Thank you for posting this, and how do I filter or block all IPs accessing the viciserver that are not listed in ignoreip?
cyberlinux
 
Posts: 6
Joined: Tue Feb 13, 2018 1:06 am

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Sun Feb 25, 2018 10:00 am

cyberlinux wrote:Thank you for posting this, and how do I filter or block all IPs accessing the viciserver that are not listed in ignoreip?

If you want to block ALL IPs and only permit your own IP, you don't need fail2ban ... just do it in your iptables.
This fail2ban setup is in a certain way permitting Vicibox to be "public";
example of use: "homeshoring" with dynamically changing IPs etc...
VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Fri Mar 23, 2018 6:27 am

Hi there,
someone used my mail in the fail2ban install procedure, please change it :lol: I am receiving email from your server.
server name: BMI
thx
Code:
Hi,

The IP 192.168.1.117 has just been banned by Fail2Ban after
14 attempts against VICIBOX-ASTERISK-DETECTOR.

Regards,
VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby kashinc » Sat May 19, 2018 12:36 pm

my jails are not loading.... I have created the jail.local file but still the output I get is

sudo fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
kashinc
 
Posts: 71
Joined: Thu Apr 23, 2015 12:04 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Sat May 19, 2018 9:33 pm

kashinc wrote:my jails are not loading.... I have created the jail.local file but still the output I get is

sudo fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:


Hello,
please provide more information ... the vicibox version you are running ..
you said you've created jail.local ... in fact if you installed fail2ban you will have to edit it ..
so maybe you did the vi in the wrong place; the jail.local should be in /etc/fail2ban/
cheers
VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby kashinc » Sat May 19, 2018 9:54 pm

vicibox 8.0.1
Asterisk 13.21.0-vici

TEL1:/etc/fail2ban # ls
action.d fail2ban.conf fail2ban.d filter.d jail.conf jail.conf.rpmsave jail.d jail.local jail.local.rpmsave paths-common.conf paths-opensuse.conf

TEL1:/etc/fail2ban # cat jail.local
# Do all your modifications to the jail's configuration in jail.local!

[DEFAULT]
ignoreip = 127.0.0.1,12.X.X.X
bantime  = 6048000
findtime = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=admin@xxxxx.com, sender=vicibox@xxxxx.com]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5
kashinc
 
Posts: 71
Joined: Thu Apr 23, 2015 12:04 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby dito » Tue May 22, 2018 6:14 pm

kashinc wrote:vicibox 8.0.1
Asterisk 13.21.0-vici

just do
Code:
fail2ban-client reload

then
Code:
fail2ban-client status

best regards
VoIP TUNISIE
support@crm.tn - https://crm.tn
dito
 
Posts: 49
Joined: Wed Nov 11, 2015 9:29 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby bigape » Wed Jul 25, 2018 10:24 am

I had to create /var/log/fail2ban.log in order to get fail2ban-0.9.7-3.1.noarch to startup successfully using instructions provided and vicibox 8.01.
bigape
 
Posts: 3
Joined: Thu Jul 19, 2018 11:01 am

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rmathur2588 » Mon Dec 03, 2018 5:40 pm

Hello Everyone,


I am getting this error message when I try to start the fail2ban service (service fail2ban start)

ERROR: Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

My Setup:

- ViciBox v.8.0.1
VERSION: 2.14-695a
BUILD: 181116-1133
Hosted on a dedicated server in Frankfurt using OVH Cloud Services.
rmathur2588
 
Posts: 6
Joined: Thu Oct 27, 2016 4:53 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Mon Dec 03, 2018 6:13 pm

rmathur2588 wrote:See "systemctl status fail2ban.service" and "journalctl -xe" for details.

And when you checked using those methods for the error causing the fail ... what did you find?
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rmathur2588 » Mon Dec 03, 2018 6:24 pm

Command : "systemctl status fail2ban.service"
Output:
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Mon 2018-12-03 18:03:36 EST; 18min ago
Docs: man:fail2ban(1)
Process: 24308 ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start (code=exited, status=255)

Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
Dec 03 18:03:36 vicibox8 systemd[1]: Stopped Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Start request repeated too quickly.
Dec 03 18:03:36 vicibox8 systemd[1]: Failed to start Fail2Ban Service.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Unit entered failed state.
Dec 03 18:03:36 vicibox8 systemd[1]: fail2ban.service: Failed with result 'start-limit'.

Command : journalctl -xe

Output:
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 820 of user root.
-- Subject: Unit session-820.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-820.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 821 of user root.
-- Subject: Unit session-821.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-821.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 822 of user root.
-- Subject: Unit session-822.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-822.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 systemd[1]: Started Session 823 of user root.
-- Subject: Unit session-823.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-823.scope has finished starting up.
--
-- The start-up result is done.
Dec 03 18:23:01 vicibox8 CRON[6623]: (root) CMD (/usr/share/astguiclient/AST_inbound_email_parser.pl)
Dec 03 18:23:01 vicibox8 CRON[6624]: (root) CMD (/usr/share/astguiclient/AST_VDhopper.pl -q)
Dec 03 18:23:01 vicibox8 CRON[6625]: (root) CMD (/usr/share/astguiclient/ADMIN_keepalive_ALL.pl)
Dec 03 18:23:01 vicibox8 CRON[6627]: (root) CMD (/usr/share/astguiclient/AST_manager_kill_hung_congested.pl)
Dec 03 18:23:01 vicibox8 CRON[6628]: (root) CMD (/usr/share/astguiclient/AST_vm_update.pl)
Dec 03 18:23:01 vicibox8 CRON[6626]: (root) CMD (/usr/share/astguiclient/AST_conf_update.pl)
Dec 03 18:23:01 vicibox8 CRON[6616]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6615]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6614]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:02 vicibox8 CRON[6612]: pam_unix(crond:session): session closed for user root
Dec 03 18:23:06 vicibox8 CRON[6611]: pam_unix(crond:session): session closed for user root
rmathur2588
 
Posts: 6
Joined: Thu Oct 27, 2016 4:53 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rmathur2588 » Mon Dec 03, 2018 7:20 pm

bigape wrote:I had to create /var/log/fail2ban.log in order to get fail2ban-0.9.7-3.1.noarch to startup successfully using instructions provided and vicibox 8.01.


How do you create this log file?

Can you post the instructions for my reference, please.

Thanks in Advance
rmathur2588
 
Posts: 6
Joined: Thu Oct 27, 2016 4:53 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Mon Dec 03, 2018 9:48 pm

Creating a file can be as easy as
Code:
touch /var/log/fail2ban.log
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
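A pre-flight check for the failure modes reported in this thread (jail.local not where fail2ban reads it, so "Number of jail: 0"; fail2ban 0.9.7 on ViciBox 8.0.1 refusing to start until /var/log/fail2ban.log existed; a logpath that matches no file), as an added example that is not from the thread or from the fail2ban project. The configuration directory and log path are parameters so the function can be tried against a scratch directory; their defaults are the ViciBox/openSUSE paths used above.

```shell
#!/bin/sh
# Added example (not from this thread or from fail2ban): pre-flight checks for the
# failures reported above, to run before "service fail2ban start".
# Usage: f2b_preflight [conf_dir] [fail2ban_log]; defaults are the ViciBox/openSUSE paths.

f2b_preflight() {
    conf_dir=${1:-/etc/fail2ban}
    f2b_log=${2:-/var/log/fail2ban.log}
    problems=0

    # "Number of jail: 0" after editing usually means jail.local is not in the
    # directory fail2ban reads, or it enables nothing.
    if [ ! -f "$conf_dir/jail.local" ]; then
        echo "MISSING $conf_dir/jail.local - no jail will load"
        problems=$((problems + 1))
    elif ! grep -q '^enabled[[:space:]]*=[[:space:]]*true' "$conf_dir/jail.local"; then
        echo "NO ENABLED JAIL in $conf_dir/jail.local"
        problems=$((problems + 1))
    fi

    # The recidive jail tails fail2ban's own log; as reported above, fail2ban 0.9.7 on
    # ViciBox 8.0.1 did not start until that file existed, so create it (root-only).
    if [ ! -f "$f2b_log" ]; then
        echo "MISSING $f2b_log - creating it"
        touch "$f2b_log" && chmod 600 "$f2b_log" || problems=$((problems + 1))
    fi

    # Every logpath named in jail.local must match at least one file, or that jail
    # refuses to start. $p may still be a glob if nothing matched it; ls expands it.
    if [ -f "$conf_dir/jail.local" ]; then
        for p in $(sed -n 's/^logpath[[:space:]]*=[[:space:]]*//p' "$conf_dir/jail.local"); do
            ls $p >/dev/null 2>&1 || { echo "MISSING logpath $p"; problems=$((problems + 1)); }
        done
    fi

    echo "$problems problem(s) found"
    return "$problems"
}
```

The function exits non-zero when anything is wrong, so "f2b_preflight && service fail2ban start" only starts the daemon on a configuration that can load; the missing log file is the one problem it fixes itself, as the "touch" above does by hand.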

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rmathur2588 » Tue Dec 04, 2018 4:54 pm

Thanks. It worked like a charm.

Cheers!!
rmathur2588
 
Posts: 6
Joined: Thu Oct 27, 2016 4:53 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby m@rio » Tue Jan 15, 2019 7:47 pm

Hi,

I tried this but it doesn't block the IPs who are trying to hack me by SIP registration. Fail2ban is active but I still can see the same IP trying over and over to hack me.
Any ideas?
m@rio
 
Posts: 19
Joined: Mon May 07, 2018 9:09 am

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Tue Jan 15, 2019 7:56 pm

Fail2ban closes the barn door after the cows have left. You are already on a list of "active sip servers" and will be attacked.

Whitelist lockdown is the actual solution. The newest vicibox has a firewall system capable of whitelisting. All OpenSuSE installations with iptables active can whitelist from "yast firewall".

Dynamic Good Guys was published many years ago for easing the use of a whitelisted Vicibox server by adding simplistic web pages to authorize IPs (no cli needed for adding each new good IP address). It also includes instructions for whitelisting without installing ... but then you have to use yast firewall's custom IP authorization to whitelist IPs and subnets.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby m@rio » Sun Jan 20, 2019 12:41 pm

The link for Dynamic Good Guys is not working. Do you know where I can find it?
m@rio
 
Posts: 19
Joined: Mon May 07, 2018 9:09 am

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Sun Jan 20, 2019 2:35 pm

m@rio wrote:The link for Dynamic Good Guys is not working. Do you know where I can find it?

WHAT link isn't working?
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby waleed » Wed Jan 30, 2019 8:31 am

Ignoreip did not work. I entered a wrong SSH password on purpose and it blocked my IP even though I put it in ignoreip.
Waleed Sabir
waleed
 
Posts: 23
Joined: Thu Sep 14, 2017 1:17 am
Location: Pakistan

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rameez.amjad4 » Wed Aug 21, 2019 8:22 pm

I have installed fail2ban on my server today; it's Vicibox 8.1.2

Version: 2.14b0.5
SVN Version: 3130
DB Schema Version: 1574
DB Schema Update Date: 2019-08-21 20:46:07
Password Encryption: DISABLED - S1 - C1
Auto User-add Value: 101
Recording Prompt Count: 0
Install Date: 2019-08-21

When I try to execute the command "service fail2ban start" I get the following error, please help. Thanks.

Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

journalctl -xe

Aug 21 21:20:43 Eishal systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Unit entered failed state.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Service RestartSec=100ms expired, scheduling restart.
Aug 21 21:20:43 Eishal systemd[1]: Stopped Fail2Ban Service.
-- Subject: Unit fail2ban.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has finished shutting down.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Start request repeated too quickly.
Aug 21 21:20:43 Eishal systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Unit entered failed state.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'start-limit'.
Aug 21 21:20:46 Eishal CRON[7408]: pam_unix(crond:session): session closed for user root

Please help how to fix and get it up & running, Thanks.
rameez.amjad4
 
Posts: 91
Joined: Wed Oct 03, 2018 1:23 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby williamconley » Wed Aug 21, 2019 8:31 pm

These are the two lines with the real information:

Code:
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Start request repeated too quickly.
Aug 21 21:20:43 Eishal systemd[1]: fail2ban.service: Failed with result 'start-limit'.


How you could have made the request too often is interesting. But I suggest you check for a cause for these two lines and determine if some other process attempted to start it (unless you actually requested the start twice?).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rameez.amjad4 » Wed Aug 21, 2019 9:04 pm

Actually I didn't try to open it twice; I just installed it and followed the mentioned steps, but it's not working. Can you tell me how to fix it and keep it working???
rameez.amjad4
 
Posts: 91
Joined: Wed Oct 03, 2018 1:23 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rameez.amjad4 » Thu Aug 22, 2019 11:29 am

Can anyone help to fix this issue?
rameez.amjad4
 
Posts: 91
Joined: Wed Oct 03, 2018 1:23 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rameez.amjad4 » Sat Sep 07, 2019 4:30 pm

I installed vicibox 8.1.2 again and am still having the same issue; can someone help me to fix it?


service fail2ban start
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

=========================================

systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Sat 2019-09-07 17:27:42 EDT; 9s ago
Docs: man:fail2ban(1)
Process: 11469 ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start (code=exited, status=255)

Sep 07 17:27:42 Esha systemd[1]: Failed to start Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Unit entered failed state.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Failed with result 'exit-code'.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Service RestartSec=100ms expired, scheduling restart.
Sep 07 17:27:42 Esha systemd[1]: Stopped Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Start request repeated too quickly.
Sep 07 17:27:42 Esha systemd[1]: Failed to start Fail2Ban Service.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Unit entered failed state.
Sep 07 17:27:42 Esha systemd[1]: fail2ban.service: Failed with result 'start-limit'.

=========================================

journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-220.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha systemd[1]: Started Session 223 of user root.
-- Subject: Unit session-223.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-223.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha systemd[1]: Started Session 221 of user root.
-- Subject: Unit session-221.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit session-221.scope has finished starting up.
--
-- The start-up result is done.
Sep 07 17:29:01 Esha CRON[11630]: (root) CMD (/usr/share/astguiclient/AST_conf_update.pl)
Sep 07 17:29:01 Esha CRON[11631]: (root) CMD (/usr/share/astguiclient/AST_vm_update.pl)
Sep 07 17:29:01 Esha CRON[11632]: (root) CMD (/usr/share/astguiclient/AST_VDhopper.pl -q)
Sep 07 17:29:01 Esha CRON[11633]: (root) CMD (/usr/share/astguiclient/AST_manager_kill_hung_congested.pl)
Sep 07 17:29:01 Esha CRON[11634]: (root) CMD (/usr/share/astguiclient/ADMIN_keepalive_ALL.pl)
Sep 07 17:29:01 Esha CRON[11635]: (root) CMD (/usr/share/astguiclient/AST_inbound_email_parser.pl)
Sep 07 17:29:02 Esha CRON[11619]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11620]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11616]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:02 Esha CRON[11618]: pam_unix(crond:session): session closed for user root
Sep 07 17:29:07 Esha CRON[11615]: pam_unix(crond:session): session closed for user root
rameez.amjad4
 
Posts: 91
Joined: Wed Oct 03, 2018 1:23 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby rameez.amjad4 » Fri Sep 13, 2019 2:14 pm

Can anyone help in resolving the issue of fail2ban not working with vicibox 8.1.2, error: quick start

Any help???
rameez.amjad4
 
Posts: 91
Joined: Wed Oct 03, 2018 1:23 pm

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby susam » Tue Jun 23, 2020 7:56 am

dito wrote:Hi all,
saw some confused posts turning around firewall and security on vicibox server.
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your Vicibox.
When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.
Steps To setup fail2ban working on your system, this will protect from ATTACKS AGAINST ASTERISK, APACHE, AND SSH:

1- fail2ban install:
Code: Select all
yast2 -i fail2ban

2 - configure fail2ban:
vi /etc/fail2ban/jail.local

add these lines:

# Do all your modifications to the jail's configuration in jail.local!
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = auto

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=support@crm.tn, sender=vicibox@crm.tn]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/*access_log
bantime  = 6048000
maxretry = 1

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


3 - launch and check fail2ban
launch fail2ban:
service fail2ban start

check if jails are on:
fail2ban-client status

you should see something like this:
Status
|- Number of jail:      5
`- Jail list:   apache-badbots, apache-tcpwrapper, asterisk-iptables, recidive, ssh-iptables


check your mailbox; if all is ok you will receive something like this:

Advice: add your own IP as ignoreip to avoid the risk of getting banned from your own server
ignoreip = 127.0.0.1 yourserverip yourofficeip

Thanks for such a nice post. I am using 8.0.1 and it is working fine. Now I have two questions: 1) someone tries to register a SIP account using my own IP (IP spoofing); how to block that one? and 2) how to block SIP port scanning? I will be grateful if you provide step by step instructions, the same as for fail2ban.
susam
 
Posts: 30
Joined: Wed Oct 11, 2017 9:27 am

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby carpenox » Mon Jul 13, 2020 7:36 am

Is this fully working on v9? I can get the setup done but I am not receiving banned IPs to my email, only when it stops and starts.... it's not banning failed attempts...
Alma Linux 9.3 | Version: 2.14-911a | SVN Version: 3815 | DB Schema Version: 1710 | Asterisk 18.18.1
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WhatsApp: +19549477572 -:- Skype: live:carpenox_3
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby carpenox » Wed Jul 15, 2020 12:15 am

OK so I got fail2ban working on vicibox v9.0.3 - it was setting the logs to use "systemd" instead of auto or polling
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL
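Added example, not code from the thread or from the fail2ban project: a small Python re-implementation of the decision the [asterisk-iptables] jail above makes, so the two questions in this thread can be looked at concretely. For susam's question it shows what the jail actually counts (failed SIP registrations per source address, inside a findtime window), and for carpenox's "not banning failed attempts" it shows the two ways a jail stays silent: the filter regex does not match the log line format, or the failures are spread wider than findtime. The regex is my simplification of fail2ban's stock asterisk filter (assuming the default "[Mon DD HH:MM:SS]" Asterisk date prefix), the log lines are constructed with documentation addresses, and all function names are my own. It also treats ignoreip as the single space-separated list fail2ban expects.

```python
"""Added example: toy re-implementation of fail2ban's ban decision for the
[asterisk-iptables] jail (findtime / maxretry / ignoreip). Not fail2ban's
code; regex simplified from its stock asterisk filter, sample log constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Failed SIP registration as chan_sip writes it to /var/log/asterisk/messages.
# Simplified from fail2ban's filter.d/asterisk.conf; the optional second
# bracket allows the "[C-...]" call-id that newer Asterisk versions append.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\](?:\[[^\]]+\])? chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch"
    r"|Device does not match ACL|Peer is not supposed to register)"
)

# Constructed sample log: a fast brute-forcer (203.0.113.10), a slow one
# (198.51.100.7), an "office" phone with a mistyped secret (192.0.2.20),
# and one unrelated Asterisk line the filter must ignore.
SAMPLE_LOG = """\
[Sep 07 17:20:01] NOTICE[11630] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '203.0.113.10:5060' - Wrong password
[Sep 07 17:20:02] NOTICE[11630] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.10>' failed for '203.0.113.10:5060' - No matching peer found
[Sep 07 17:20:03] NOTICE[11630] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.10>' failed for '203.0.113.10:5060' - Wrong password
[Sep 07 17:21:00] NOTICE[11630] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[Sep 07 17:22:00] NOTICE[11630] chan_sip.c: Registration from '"200" <sip:200@192.0.2.20>' failed for '192.0.2.20:5060' - Wrong password
[Sep 07 17:22:01] NOTICE[11630] chan_sip.c: Registration from '"200" <sip:200@192.0.2.20>' failed for '192.0.2.20:5060' - Wrong password
[Sep 07 17:22:02] NOTICE[11630] chan_sip.c: Registration from '"200" <sip:200@192.0.2.20>' failed for '192.0.2.20:5060' - Wrong password
[Sep 07 17:23:00] NOTICE[11630] chan_sip.c: Peer '1001' is now Reachable. (12ms / 2000ms)
[Sep 07 17:45:00] NOTICE[11630] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[Sep 07 18:10:00] NOTICE[11630] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[Sep 07 18:10:05] NOTICE[11630] chan_sip.c: Registration from '"1004" <sip:1004@203.0.113.10>' failed for '203.0.113.10:5060' - Wrong password
"""


def parse_ignoreip(value):
    """ignoreip is ONE space-separated list of addresses / CIDR ranges on a
    single line; repeating the key on separate lines does not accumulate."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def failed_registrations(lines):
    """Yield (timestamp, source_ip) for every line the filter matches."""
    for line in lines:
        m = FAILED_REG.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip")


def decide_bans(lines, maxretry=3, findtime=600, ignoreip="127.0.0.1"):
    """Return {ip: time_of_ban} for every source reaching maxretry matches
    inside a sliding findtime-second window, skipping ignoreip. The defaults
    mirror the [asterisk-iptables] jail posted in this thread."""
    ignored = parse_ignoreip(ignoreip)
    window = timedelta(seconds=findtime)
    recent = {}    # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip in failed_registrations(lines):
        if ip in banned or is_ignored(ip, ignored):
            continue   # already banned, or whitelisted (e.g. the office IP)
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for label, kwargs in [("jail defaults", {}),
                          ("findtime=3600", {"findtime": 3600}),
                          ("office whitelisted", {"ignoreip": "127.0.0.1 192.0.2.0/24"})]:
        bans = decide_bans(lines, **kwargs)
        print(f"{label:20s} -> {sorted(bans) or 'nothing banned'}")
```

With the jail defaults the fast brute-forcer and the office phone are banned while the slow attacker (one failure every 25 minutes) never reaches maxretry inside 600 seconds; widening findtime to 3600 catches it, and listing the office network in ignoreip spares the phone. On a live ViciBox the equivalent checks are `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines the real filter matched, and `fail2ban-client status asterisk-iptables`, which lists the currently banned addresses. carpenox's fix (`backend = systemd`) makes a jail read the journal instead of the file named in logpath, which is the relevant difference when that file is not being written.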

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby IanGP » Mon Nov 23, 2020 7:39 am

Much Appreciated!
Works like a charm on 9.0.3.

Just must remember to set F2B to start at boot:

Code: Select all
chkconfig --add fail2ban
IanGP
 
Posts: 57
Joined: Thu Jul 28, 2016 1:27 am

Re: VICIBOX 8 FAIL2BAN SETUP - 100 % WORKING

Postby carpenox » Tue Nov 24, 2020 8:21 am

Yeah, I did it using systemctl, but I'm glad it's working for ya ;)
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

