Difference between revisions of "Fail2Ban"
m (Created page with '=Fail2Ban= ==What is a Fail2Ban?== Fail2Ban is an intrusion prevention framework, it protects you sip devices from brute force registration attacks =How can I install Fail2Ban?=…') |
|||
| Line 23: | Line 23: | ||
'''maxretry''' - maximum number of retries allowed | '''maxretry''' - maximum number of retries allowed | ||
'''bantime''' - ban time is seconds | '''bantime''' - ban time is seconds | ||
Revision as of 10:16, 30 August 2010
Fail2Ban
What is a Fail2Ban?
Fail2Ban is an intrusion prevention framework, it protects you sip devices from brute force registration attacks
How can I install Fail2Ban?
Just run the script /usr/src/mor/sh_scripts/fail2ban_install_vX.sh, where X is the script version number, to install this software.
/usr/src/mor/sh_scripts/fail2ban_install_vX.sh
How Fail2Ban works?
Fail2Ban checks Asterisk log: /var/log/asterisk/messages and counts unsuccessful sip registration attempts. When it counts to 5 - bans the abusive user for a specified amount of time (600 seconds by default).
These settings can be adjusted in /etc/fail2ban/jail.conf:
[asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=ASTERISK, port=5060, protocol=udp] logpath = /var/log/asterisk/messages maxretry = 5 bantime = 600
maxretry - maximum number of retries allowed
bantime - ban time is seconds
You will also find a section [DEFAULT] in jail.conf. In this section you will find variable ignoreip here mor install script places addresses that are ignored and will not be banned. Add here additional addresses if you find you need to do this.
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 192.168.0.1/16 10.0.0.0/8 127.0.0.1/8 172.16.0.0/12 213.197.141.162 192.168.0.158
213.197.141.162 is the address of KolmiSoft support office. Please leave it here.
