Question about Fail2Ban



  • I make use of fail2ban with defaults and following guides.

    But I do not go into customizing things.

    So let me ask, can I trigger pretty much anything I want when fail2ban detects something?

    Obviously FreePBX sends emails from their intrusion detection process in SysAdmin. But I do not know if that is native fail2ban or something else for the email part. I mean I think it is all just fail2ban.

    So this means I should be able to create a script that it triggers to get other information, right? Such as grepping the log for the IP.

    [[email protected] ~]# grep 207.244.157.130 /var/log/asterisk/full*
    /var/log/asterisk/full:[2018-06-20 10:07:39] NOTICE[7500] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:60579' (callid: 440117748-1426487594-1708530889) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 10:10:59] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 10:10:59] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 10:10:59] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - Failed to authenticate
    /var/log/asterisk/full:[2018-06-20 10:14:41] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50026' (callid: 1583251357-694948444-323072118) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 11:16:07] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:51658' (callid: 809034197-44985811-303606027) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 11:16:07] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:51658' (callid: 809034197-44985811-303606027) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 11:16:07] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:51658' (callid: 809034197-44985811-303606027) - Failed to authenticate
    /var/log/asterisk/full:[2018-06-20 11:19:49] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:61528' (callid: 1663334653-914004430-1069925843) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 11:19:49] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:61528' (callid: 1663334653-914004430-1069925843) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 11:19:49] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:61528' (callid: 1663334653-914004430-1069925843) - Failed to authenticate
    /var/log/asterisk/full:[2018-06-20 12:20:30] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:65228' (callid: 752774497-292723182-1345574746) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 12:24:09] NOTICE[23383] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:49243' (callid: 1595416130-1756415394-1659043822) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 12:27:54] NOTICE[7500] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:63387' (callid: 319443898-28209702-968196798) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 12:38:02] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:58039' (callid: 1526317031-1376553401-1884849216) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 12:41:40] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:57654' (callid: 1076021835-2054345086-2092340332) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 12:45:14] NOTICE[7500] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50166' (callid: 525071097-1219899127-962187490) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 12:45:14] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50166' (callid: 525071097-1219899127-962187490) - No matching endpoint found
    /var/log/asterisk/full:[2018-06-20 12:45:14] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50166' (callid: 525071097-1219899127-962187490) - Failed to authenticate
    

    and also look up the IP in ARIN or something.

    [[email protected] ~]# xmllint --format http://whois.arin.net/rest/ip/207.244.157.130
    <?xml version="1.0"?>
    <?xml-stylesheet type='text/xsl' href='http://whois.arin.net/xsl/website.xsl' ?>
    <net xmlns="http://www.arin.net/whoisrws/core/v1" xmlns:ns2="http://www.arin.net/whoisrws/rdns/v1" xmlns:ns3="http://www.arin.net/whoisrws/netref/v2" inaccuracyReportUrl="https://www.arin.net/resources/whois_reporting/index.html" termsOfUse="https://www.arin.net/whois_tou.html">
      <registrationDate>2005-07-01T13:54:44-04:00</registrationDate>
      <ref>https://whois.arin.net/rest/net/NET-207-244-144-0-1</ref>
      <endAddress>207.244.159.255</endAddress>
      <handle>NET-207-244-144-0-1</handle>
      <name>WORLDLINK-1</name>
      <netBlocks>
        <netBlock>
          <cidrLength>20</cidrLength>
          <endAddress>207.244.159.255</endAddress>
          <description>Direct Allocation</description>
          <type>DA</type>
          <startAddress>207.244.144.0</startAddress>
        </netBlock>
      </netBlocks>
      <originASes>
        <originAS>AS27323</originAS>
      </originASes>
      <resources inaccuracyReportUrl="https://www.arin.net/resources/whois_reporting/index.html" termsOfUse="https://www.arin.net/whois_tou.html">
        <limitExceeded limit="256">false</limitExceeded>
      </resources>
      <orgRef handle="WOWTEC-1" name="Wowrack.com">https://whois.arin.net/rest/org/WOWTEC-1</orgRef>
      <parentNetRef handle="NET-207-0-0-0-0" name="NET207">https://whois.arin.net/rest/net/NET-207-0-0-0-0</parentNetRef>
      <startAddress>207.244.144.0</startAddress>
      <updateDate>2015-11-09T09:30:54-05:00</updateDate>
      <version>4</version>
    </net>
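An added example (not code from the thread or from FreePBX) of the two lookups the post sketches, written as a script a custom fail2ban action could call: it parses the pjsip_distributor NOTICE lines for one source IP, matching the address as a whole field so that 207.244.157.13 does not also pick up 207.244.157.130 the way a plain grep substring would, and it extracts the fields worth emailing from the ARIN Whois-RWS XML shown above. The log lines and the XML are constructed samples modelled on the output in the post, and fetching the XML over HTTP is left out so the script runs offline.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Matches the pjsip_distributor NOTICE lines shown in the thread:
# "... Request 'X' from 'Y' failed for 'IP:PORT' (callid: Z) - REASON"
LINE_RE = re.compile(
    r"NOTICE\[\d+\] res_pjsip/pjsip_distributor\.c: Request '(?P<method>\w+)' from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>[\d.]+):(?P<port>\d+)' \(callid: (?P<callid>[^)]+)\) - (?P<reason>.+)$"
)

def summarize_asterisk(lines, ip):
    """Count failure reasons and distinct call-IDs for one source IP. The IP is
    compared as a whole field, so .13 does not also collect lines from .130."""
    reasons, callids = Counter(), set()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("ip") == ip:
            reasons[m.group("reason")] += 1
            callids.add(m.group("callid"))
    return {"reasons": dict(reasons), "distinct_calls": len(callids)}

ARIN_NS = {"a": "http://www.arin.net/whoisrws/core/v1"}  # default namespace of ARIN's XML

def parse_arin_net(xml_text):
    """Pull the fields worth putting in a ban notice out of the Whois-RWS
    /rest/ip/<addr> document (the format the xmllint output above shows)."""
    root = ET.fromstring(xml_text)
    text = lambda path: getattr(root.find(path, ARIN_NS), "text", None)  # None if absent
    org = root.find("a:orgRef", ARIN_NS)
    return {
        "handle": text("a:handle"),
        "range": f"{text('a:startAddress')}-{text('a:endAddress')}",
        "org": org.get("name") if org is not None else None,
        "origin_as": [e.text for e in root.findall("a:originASes/a:originAS", ARIN_NS)],
    }

# Constructed sample input modelled on the thread's output; not real captures.
_P = "[2018-06-20 10:10:59] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:100@example.invalid>' failed for "
SAMPLE_LOG = [
    _P + "'207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - No matching endpoint found",
    _P + "'207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - Failed to authenticate",
    _P + "'207.244.157.130:61528' (callid: 1663334653-914004430-1069925843) - No matching endpoint found",
    _P + "'207.244.157.13:5060' (callid: 1-2-3) - No matching endpoint found",  # a different host
]
SAMPLE_ARIN = ('<net xmlns="http://www.arin.net/whoisrws/core/v1"><handle>NET-207-244-144-0-1</handle>'
               '<startAddress>207.244.144.0</startAddress><endAddress>207.244.159.255</endAddress>'
               '<originASes><originAS>AS27323</originAS></originASes>'
               '<orgRef handle="WOWTEC-1" name="Wowrack.com">https://whois.arin.net/rest/org/WOWTEC-1</orgRef></net>')
```

A fail2ban action would pass the banned address in as `<ip>`; the two dictionaries are what you would format into the notification body.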
    


  • The ACTIONS section of the Fail2ban config allows you to choose to send emails. The default setting is
    action = %(action_)s, which bans the IP address, but changing this to action = %(action_mwl)s bans the IP as well as sending an email to the defined email address, including a whois report. If you use action = %(action_xarf)s, it will automatically send an email to the abuse contact from the whois lookup.

    Here is a sample email that Fail2ban sends after banning the IP:

    Hi,
    
    The IP 218.78.247.169 has just been banned by Fail2Ban after
    3 attempts against sshd.
    
    
    Here is more information about 218.78.247.169 :
    
    % [whois.apnic.net]
    % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
    
    % Information related to '218.78.240.0 - 218.78.247.255'
    
    % Abuse contact for '218.78.240.0 - 218.78.247.255' is '[email protected]'
    
    inetnum:        218.78.240.0 - 218.78.247.255
    netname:        SHANGHAI-EDU-COMMISSION
    descr:          Shanghai Education Commission
    country:        CN
    admin-c:        CHQ1-AP
    tech-c:         CHQ1-AP
    mnt-by:         MAINT-CHINANET-SH
    status:         ASSIGNED NON-PORTABLE
    last-modified:  2008-09-04T06:51:55Z
    source:         APNIC
    
    person:         Chen Hai Qiang
    address:        460 Yuyuan Road, Shanghai
    country:        CN
    phone:          +86-21-62173455
    fax-no:         +86-21-62538495
    e-mail:         [email protected]
    nic-hdl:        CHQ1-AP
    mnt-by:         MAINT-CHINANET-SH
    last-modified:  2008-09-04T07:30:36Z
    source:         APNIC
    
    % This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US4)
    
    
    Lines containing IP:218.78.247.169 in /var/log/auth.log
    
    Jun 20 18:40:34 xxxxxxxxxxxxxxxx sshd[116180]: Invalid user jesus from 218.78.247.169
    Jun 20 18:40:34 xxxxxxxxxxx sshd[116180]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.78.247.169
    Jun 20 18:40:35 xxxxxxxxxxxx sshd[116180]: Failed password for invalid user jesus from 218.78.247.169 port 8155 ssh2
    Jun 20 18:40:36 xxxxxxxxxxxxxxx sshd[116180]: Connection closed by 218.78.247.169 port 8155 [preauth]
    
    
    Regards,
    
    Fail2Ban
    
    


  • FreePBX's jail.local doesn't use that syntax.

    [[email protected] ~]# cat /etc/fail2ban/jail.local 
    # Configuration automatically generated via the Sysadmin Module
    # This file will be overwritten by Sysadmin on startup. If you modify
    # this file, your changes will be lost. DO NOT MODIFY THIS FILE!
    # generated: Thu, 21 Jun 2018 02:53:21 +0000
    
    [DEFAULT]
    ignoreip = 127.0.0.1
    bantime = 3600
    findtime = 600
    maxretry = 5
    backend = auto
    
    [asterisk-iptables]
    enabled = true
    filter = asterisk-security
    action = iptables-allports[name=SIP, protocol=all]
         sendmail[name=SIP, [email protected], [email protected]]
    logpath = /var/log/asterisk/fail2ban
    
