Fail2Ban

From Kolmisoft Wiki
Revision as of 10:16, 30 August 2010 by Admin (talk | contribs) (Created page with '=Fail2Ban= ==What is a Fail2Ban?== Fail2Ban is an intrusion prevention framework, it protects you sip devices from brute force registration attacks =How can I install Fail2Ban?=…')
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Fail2Ban

What is a Fail2Ban?

Fail2Ban is an intrusion prevention framework, it protects you sip devices from brute force registration attacks

How can I install Fail2Ban?

Just run the script /usr/src/mor/sh_scripts/fail2ban_install_vX.sh, where X is the script version number, to install this software.

/usr/src/mor/sh_scripts/fail2ban_install_vX.sh

How Fail2Ban works?

Fail2Ban checks Asterisk log: /var/log/asterisk/messages and counts unsuccessful sip registration attempts. When it counts to 5 - bans the abusive user for a specified amount of time (600 seconds by default).

These settings can be adjusted in /etc/fail2ban/jail.conf:

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, port=5060, protocol=udp]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 600

maxretry - maximum number of retries allowed bantime - ban time is seconds

You will also find a section [DEFAULT] in jail.conf. In this section you will find variable ignoreip here mor install script places addresses that are ignored and will not be banned. Add here additional addresses if you find you need to do this.

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 192.168.0.1/16 10.0.0.0/8 127.0.0.1/8 172.16.0.0/12 213.197.141.162  192.168.0.158

213.197.141.162 is the address of KolmiSoft support office. Please leave it here.