[AsteriskBrasil] Fail2Ban does not block attack
João Marcelo Queiroz
jmbq at bol.com.br
Tue Jan 4 17:18:36 BRST 2011
I am having trouble getting fail2ban to block some attacks I am receiving on a server. I have read and re-read a few articles on its configuration, without success. My sources were:
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
http://iceburn.info/linux/instalar-fail2ban-em-centos.html
I am running Trixbox 2.6.2.3
I would greatly appreciate any help; below is some information that may be useful:
-----------------------------
[trixbox1.localdomain ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ASTERISK all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
DROP all -- ns1.oiss10.net anywhere -> some IPs I blocked by hand
DROP all -- 93.114.196.109 anywhere
DROP all -- 109.203.99.88 anywhere
DROP all -- reverse.completel.net anywhere
DROP all -- server77-68-52-218.live-servers.net anywhere
DROP all -- server1.boundlessflight.com anywhere
DROP all -- ns1.oiss10.net anywhere
DROP all -- 184-106-165-224.static.cloud-ips.com anywhere
DROP all -- midphase.com anywhere
DROP all -- 188.161.224.232 anywhere
DROP all -- 14-64-245-83.packetexchange.net anywhere
DROP all -- 174-143-246-25.static.slicehost.net anywhere
DROP all -- 168.188.130.184 anywhere
DROP all -- static.206.17.4.46.clients.your-server.de anywhere
DROP all -- 91.220.62.36 anywhere
DROP all -- 59.39.66.30 anywhere
ACCEPT all -- XXX.XXX.XXX.XX.static.gvt.net.br anywhere
ACCEPT udp -- anywhere anywhere udp dpts:sip:5070
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:iax
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ASTERISK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-SSH (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
[trixbox1.localdomain ~]#
-----------------------------
FAIL2BAN.CONF
-----------------------------
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 3
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
-----------------------------
JAIL.CONF (end of file only).
-----------------------------
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=xxxx at xxx.com.br, sender=fail2ban at example.org]
logpath = /var/log/messages
maxretry = 3
bantime = 259200
-----------------------------
ASTERISK.CONF (filter.d)
-----------------------------
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =
-----------------------------
LOGGER.CONF
-----------------------------
[general]
; dateformat=%F %T
;
; Logging Configuration
;
; In this file, you configure logging to files or to
; the syslog system.
;
; For each file, specify what to log.
;
; For console logging, you set options at start of
; Asterisk with -v for verbose and -d for debug
; See 'asterisk -h' for more information.
;
; Directory for log files is configured in asterisk.conf
; option astlogdir
;
[logfiles]
syslog.local0 => notice
;
; Format is "filename" and then "levels" of debugging to be included:
; debug
; notice
; warning
; error
; verbose
;
; Special filename "console" represents the system console
;
;debug => debug
;console => notice,warning,error
console => notice,warning,error,debug,verbose
;messages => notice,warning,error
full => notice,warning,error,debug,verbose
;syslog keyword : This special keyword logs to syslog facility
;
;syslog.local0 => notice,warning,error
;
-----------------------------
Here I tried uncommenting the "; dateformat=%F %T" line and pointing "[asterisk-iptables]" at /var/log/asterisk/full, but that did not work either.
Any help will be greatly appreciated.
Regards,
João Queiroz
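An added check, not part of the original post or of fail2ban itself: it applies the failregex lines from the quoted filter.d/asterisk.conf to a few constructed syslog-format lines (the format /var/log/messages carries), the way fail2ban-regex would, and reports which hosts would reach the jail's maxretry = 3. The log lines and addresses are constructed; findtime is ignored because all samples fall within one window.

```python
import re
from collections import Counter
# failregex entries copied from the filter.d/asterisk.conf quoted in the post;
# <HOST> is expanded exactly as that file's own comment describes.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
# Constructed sample lines in the syslog format that /var/log/messages carries
# (documentation addresses, not real hosts); line 3 has the ::ffff: prefix, line 5 is not a failure.
SAMPLE_LOG = [
    "Jan  4 17:10:01 trixbox1 asterisk[2210]: NOTICE[2231]: chan_sip.c:13005 in register_verify: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "Jan  4 17:10:02 trixbox1 asterisk[2210]: NOTICE[2231]: chan_sip.c:13005 in register_verify: Registration from '\"101\"<sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "Jan  4 17:10:03 trixbox1 asterisk[2210]: NOTICE[2231]: chan_sip.c:13005 in register_verify: Registration from '\"102\"<sip:102@192.0.2.10>' failed for '::ffff:203.0.113.5' - Wrong password",
    "Jan  4 17:10:04 trixbox1 asterisk[2210]: NOTICE[2231]: chan_sip.c:8900 in handle_request_register: No registration for peer '200' (from 198.51.100.7)",
    "Jan  4 17:10:05 trixbox1 asterisk[2210]: NOTICE[2231]: chan_sip.c:15021 in handle_response_peerpoke: Peer '100' is now Reachable. (12ms / 2000ms)",
]

def compile_failregex(patterns):
    # Expand the <HOST> tag and compile each failregex line
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]

def match_host(compiled, line):
    """Host captured by the first matching failregex, or None (fail2ban stops at the first hit)."""
    for rx in compiled:
        if (m := rx.search(line)):
            return m.group("host")
    return None

def count_failures(compiled, lines):
    """Per-host failure counts plus the lines no failregex matched (those are the ones to inspect)."""
    counts, unmatched = Counter(), []
    for line in lines:
        host = match_host(compiled, line)
        if host is None:
            unmatched.append(line)
        else:
            counts[host] += 1
    return counts, unmatched

def hosts_to_ban(counts, maxretry=3):
    """Hosts at or over the jail's maxretry (findtime ignored: all samples fall inside one window)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

Running the same functions over the real /var/log/messages shows whether the filter sees any failures at all; if counts stay empty while the attack is visible in the log, the problem is the log path or format rather than the iptables action.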