Difference between revisions of "Extending Fail2Ban configuration"
Line 56: | Line 56: | ||
maxretry = 1 | maxretry = 1 | ||
bantime = -1 | bantime = -1 | ||
The important line here is this: '''sendmail[name=Asterisk_HGC_200, dest=your@mail.com]''' |
Revision as of 12:28, 17 July 2013
About
This page explains how to tune/extend Fail2Ban the right way, so that Kolmisoft update scripts would not overwrite your changes.
Writing your own modifications for Fail2Ban
In order Kolmisoft update scripts would not overwrite your changes - you have to put it in file named the same way except the extension - it has to be named ".local" at the end instead of ".conf".
For example - if you would like to modify main configuration jail.conf - you would have to create your own configuration file named jail.local. Put all your changes there and Fail2Ban will use your configuration instead of Kolmisoft.
Important - you don't have to copy the whole jail.conf file to jail.local, you can just put there only one section you would like to behave differently. For example - default Kolmisoft Fail2Ban configuration file jail.conf has these rules:
[ast-hgc-200] enabled = true filter = asterisk_hgc_200 action = iptables-allports[name=AST_HGC_200, port=5060, protocol=all] sendmail-banned[name=Asterisk_HGC_200] logpath = /var/log/asterisk/messages maxretry = 20 bantime = -1
If you are an experienced user and you know that there should not be any unauthenticated calls in your system - it is advised to modify this configuration to look like this:
[ast-hgc-200] enabled = true filter = asterisk_hgc_200 action = iptables-allports[name=AST_HGC_200, port=5060, protocol=all] sendmail-banned[name=Asterisk_HGC_200]
logpath = /var/log/asterisk/messages maxretry = 1 bantime = -1
You have to put this configuration to /etc/fail2ban/jail.local. This modification will ensure, that the offender will get ban from the first try.
Important
Every Fail2Ban configuration can be extended the same way - just create another file with same name with ".local" as file extension.
Extending Fail2Ban to send you an email
In order Fail2Ban would send you an email on various events you can extend existing Fail2Ban rules by creating jail.local file and adding modified configuration. For example in order on HGC 200 attack you would get an email - you should extend the configuration of jail.local like this:
[ast-hgc-200] enabled = true filter = asterisk_hgc_200 action = iptables-allports[name=AST_HGC_200, port=5060, protocol=all] sendmail-banned[name=Asterisk_HGC_200] sendmail[name=Asterisk_HGC_200, dest=your@mail.com] logpath = /var/log/asterisk/messages maxretry = 1 bantime = -1
The important line here is this: sendmail[name=Asterisk_HGC_200, dest=your@mail.com]