Difference between revisions of "Extending Fail2Ban configuration"

From Kolmisoft Wiki
Jump to navigationJump to search
Line 121: Line 121:
'''IMPORTANT:'''  
'''IMPORTANT:'''  
* If you use action (like sendmail-banned which will send the email) you do not need the '''sendmail[name=Asterisk_HGC_200, dest=your@mail.com]''' in a rule anymore.
* If you use action (like sendmail-banned which will send the email) you do not need the '''sendmail[name=Asterisk_HGC_200, dest=your@mail.com]''' in a rule anymore.
* '''After any fail2ban configuration changes, restart is required to apply changes.'''
* '''After any fail2ban configuration changes, fail2ban restart is required to apply changes.'''

Revision as of 10:06, 10 September 2018

About

This page explains how to tune/extend Fail2Ban the right way, so that Kolmisoft update scripts would not overwrite your changes.

Please note that in order for these extended rules to work Fail2Ban has to be updated. You can update Fail2Ban by running the following script:

/usr/src/mor/sh_scripts/fail2ban_install.sh

Fail2Ban configuration options explained

/etc/fail2ban/jail.conf

For example we will take HGC 200 ban configurations which by default ban IP's sending unauthenticated (devices are not registered to MOR system and IP based authentication is not selected) calls after 20 attempts/ 1 minute:

[ast-hgc-200]
enabled  = true           
filter   = asterisk_hgc_200     
action   = iptables-allports[name=AST_HGC_200, port=5060, protocol=all]
          sendmail-banned[name=Asterisk_HGC_200]
logpath  = /var/log/asterisk/messages
maxretry = 20
bantime = -1

Options explained

enabled = {true,false} - filter enabled or not.

filter = asterisk_hgc_200 # Filter name. This name matches file /etc/fail2ban/filter.d/asterisk_hgc_200.conf . This file structure is very simple and is self explaining. It contains patterns the fail2ban has to scan in log files. You have to be able read / write perl regexp syntax in order to modify this file.

action = iptables-allports[name=AST_HGC_200, port=5060, protocol=all] # Action configuration, it matches file /etc/fail2ban/action.d/iptables-allports

sendmail-banned[name=Asterisk_HGC_200] # Action configuration, it matches file /etc/fail2ban/action.d/sendmail-banned

logpath = /var/log/asterisk/messages # Which log has to be scanned by filter

maxretry = 20 # How many attempts we tolerate per minute. If there are more entries in log file than defined maxretry value = actions configuration files defined above are launched.

bantime = -1 # <0 - ban will be forever (till you restart fail2ban/system). >0 - seconds.

Writing your own modifications for Fail2Ban

In order Kolmisoft update scripts would not overwrite your changes - you have to put it in file named the same way except the extension - it has to be named ".local" at the end instead of ".conf".

For example - if you would like to modify main configuration jail.conf - you would have to create your own configuration file named jail.local. Put all your changes there and Fail2Ban will use your configuration instead of Kolmisoft.


Important - you don't have to copy the whole jail.conf file to jail.local, you can just put there only one section you would like to behave differently. For example - default Kolmisoft Fail2Ban configuration file jail.conf has these rules:

[ast-hgc-200]
enabled  = true           
filter   = asterisk_hgc_200     
action   = iptables-allports[name=AST_HGC_200, port=5060, protocol=all]
          sendmail-banned[name=Asterisk_HGC_200]
logpath  = /var/log/asterisk/messages
maxretry = 20
bantime = -1

If you are an experienced user and you know that there should not be any unauthenticated calls in your system - it is advised to modify this configuration to look like this:

[ast-hgc-200]
enabled  = true           
filter   = asterisk_hgc_200     
action   = iptables-allports[name=AST_HGC_200, port=5060, protocol=all]
          sendmail-banned[name=Asterisk_HGC_200]
logpath  = /var/log/asterisk/messages
maxretry = 1
bantime = -1



You have to put this configuration to /etc/fail2ban/jail.local. This modification will ensure, that the offender will get ban from the first try.


Important

Every Fail2Ban configuration can be extended the same way - just create another file with same name with ".local" as file extension.

Extending Fail2Ban to send you an email

In order Fail2Ban would send you an email on various events you can extend existing Fail2Ban rules by creating jail.local file and adding modified configuration. For example in order on HGC 200 attack you would get an email - you should extend the configuration of jail.local like this:

[ast-hgc-200]
enabled  = true           
filter   = asterisk_hgc_200     
action   = iptables-allports[name=AST_HGC_200, port=5060, protocol=all]
          sendmail-banned[name=Asterisk_HGC_200]
          sendmail[name=Asterisk_HGC_200, dest=your@mail.com]
logpath  = /var/log/asterisk/messages
maxretry = 1
bantime = -1


The important line here is this: sendmail[name=Asterisk_HGC_200, dest=your@mail.com]

Or, if you need modified email template, you need to modifye the action sendmail-banned or the one you use for specific rule. In our Example it is sendmail-banned. It can be modified in /etc/fail2ban/action.d/sendmail-banned. The exact function is actionban:

actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `/usr/bin/whois <ip>`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

In the end of file, DO NOT FORGET to change the destination email in same file:

# Defaut name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = your@mail.com
# Sender of the mail
#
sender = valid@senderMail.com

IMPORTANT:

  • If you use action (like sendmail-banned which will send the email) you do not need the sendmail[name=Asterisk_HGC_200, dest=your@mail.com] in a rule anymore.
  • After any fail2ban configuration changes, fail2ban restart is required to apply changes.