[AsteriskBrasil] Fail2Ban does not block attacks
Sylvio Carlos Jollenbeck
sylvio.sdr at gmail.com
Tue Jan 4 17:27:07 BRST 2011
Suggestion:
Forget fail2ban or any other tool of that kind; the solution is to block
external access to the server and only use external extensions over
VPN.
I've had a lot of problems with this!
Regards
# ---------------------------------------------------------------
Sylvio Carlos Jollenbeck Borin
# ----------------------------------------------------------------
On 4 January 2011 17:18, João Marcelo Queiroz <jmbq at bol.com.br> wrote:
> I'm having trouble getting fail2ban to block some attacks I am
> receiving on a server. I have read and re-read a few articles on its
> configuration, without success. My sources were:
> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
> http://iceburn.info/linux/instalar-fail2ban-em-centos.html
>
> I'm running Trixbox 2.6.2.3
>
>
> I would greatly appreciate any help; below is some information that
> may help:
>
> -----------------------------
>
> [trixbox1.localdomain ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> fail2ban-ASTERISK all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- 192.168.0.0/24 anywhere
> DROP all -- ns1.oiss10.net anywhere -> some IPs that I blocked by hand
> DROP all -- 93.114.196.109 anywhere
> DROP all -- 109.203.99.88 anywhere
> DROP all -- reverse.completel.net anywhere
> DROP all -- server77-68-52-218.live-servers.net anywhere
> DROP all -- server1.boundlessflight.com anywhere
> DROP all -- ns1.oiss10.net anywhere
> DROP all -- 184-106-165-224.static.cloud-ips.com anywhere
> DROP all -- midphase.com anywhere
> DROP all -- 188.161.224.232 anywhere
> DROP all -- 14-64-245-83.packetexchange.net anywhere
> DROP all -- 174-143-246-25.static.slicehost.net anywhere
> DROP all -- 168.188.130.184 anywhere
> DROP all -- static.206.17.4.46.clients.your-server.de anywhere
> DROP all -- 91.220.62.36 anywhere
> DROP all -- 59.39.66.30 anywhere
> ACCEPT all -- XXX.XXX.XXX.XX.static.gvt.net.br anywhere
> ACCEPT udp -- anywhere anywhere udp dpts:sip:5070
> ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT udp -- anywhere anywhere udp dpt:iax
> DROP icmp -- anywhere anywhere icmp echo-request
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain fail2ban-ASTERISK (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain fail2ban-SSH (0 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
> [trixbox1.localdomain ~]#
>
> -----------------------------
> FAIL2BAN.CONF
> -----------------------------
>
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 629 $
> #
>
> [Definition]
>
> # Option: loglevel
> # Notes.: Set the log level output.
> # 1 = ERROR
> # 2 = WARN
> # 3 = INFO
> # 4 = DEBUG
> # Values: NUM Default: 3
> #
> loglevel = 3
>
> # Option: logtarget
> # Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
> #         Only one log target can be specified.
> # Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
> #
> logtarget = /var/log/fail2ban.log
>
> # Option: socket
> # Notes.: Set the socket file. This is used to communicate with the daemon. Do
> #         not remove this file when Fail2ban runs. It will not be possible to
> #         communicate with the server afterwards.
> # Values: FILE Default: /var/run/fail2ban/fail2ban.sock
> #
> socket = /var/run/fail2ban/fail2ban.sock
>
>
>
> -----------------------------
> JAIL.CONF (only the end).
> -----------------------------
>
> [asterisk-iptables]
>
> enabled = true
> filter = asterisk
>
> action = iptables-allports[name=ASTERISK, protocol=all]
>          sendmail-whois[name=ASTERISK, dest=xxxx em xxx.com.br, sender=fail2ban em example.org]
> logpath = /var/log/messages
> maxretry = 3
> bantime = 259200
>
>
> -----------------------------
> ASTERISK.CONF (filter.d)
> -----------------------------
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
>
> [Definition]
>
> #_daemon = asterisk
>
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile. The
> #         host must be matched by a group named "host". The tag "<HOST>" can
> #         be used for standard IP/hostname matching and is only an alias for
> #         (?:::f{4,6}:)?(?P<host>\S+)
> # Values: TEXT
> #
>
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
>             NOTICE.* <HOST> failed to authenticate as '.*'$
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
>             NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
> ignoreregex =
>
>
> -----------------------------
> LOGGER.CONF
> -----------------------------
>
> [general]
> ; dateformat=%F %T
>
> ;
> ; Logging Configuration
> ;
> ; In this file, you configure logging to files or to
> ; the syslog system.
> ;
> ; For each file, specify what to log.
> ;
> ; For console logging, you set options at start of
> ; Asterisk with -v for verbose and -d for debug
> ; See 'asterisk -h' for more information.
> ;
> ; Directory for log files is configured in asterisk.conf
> ; option astlogdir
> ;
> [logfiles]
> syslog.local0 => notice
> ;
> ; Format is "filename" and then "levels" of debugging to be included:
> ; debug
> ; notice
> ; warning
> ; error
> ; verbose
> ;
> ; Special filename "console" represents the system console
> ;
> ;debug => debug
> ;console => notice,warning,error
> console => notice,warning,error,debug,verbose
> ;messages => notice,warning,error
> full => notice,warning,error,debug,verbose
>
> ;syslog keyword : This special keyword logs to syslog facility
> ;
> ;syslog.local0 => notice,warning,error
> ;
>
> -----------------------------
>
>
> Here I tried uncommenting the "; dateformat=%F %T" line and pointing
> "[asterisk-iptables]" at /var/log/asterisk/full, but that did not work
> either.
>
> Any help will be greatly appreciated.
>
> Best regards,
>
> João Queiroz
>
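Added example (not from either poster, and not Fail2Ban's own code): a small Python script that does for the quoted filter what `fail2ban-regex` does, so the regex half of the problem can be checked on its own. It takes the nine `failregex` lines exactly as posted, expands `<HOST>` into the alias the filter's comments give, runs them over a few constructed syslog-style lines of the kind `/var/log/messages` would carry, and applies the jail's `maxretry = 3` (findtime is ignored here). The host names, IPs and log lines are all constructed for the example.

```python
import re
from collections import Counter

# The nine failregex lines from the quoted filter.d/asterisk.conf, one per entry.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# Fail2Ban's expansion of the <HOST> tag, as quoted in the filter's own comments.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(pattern):
    """Expand <HOST> the way Fail2Ban does and compile the resulting pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_ALIAS))


COMPILED = [compile_failregex(p) for p in FAILREGEX]


def extract_failures(lines):
    """Return (host, pattern_index) for every line some failregex matches, in log order.

    Like Fail2Ban, the first matching pattern wins and unmatched lines are skipped.
    """
    found = []
    for line in lines:
        for idx, rx in enumerate(COMPILED):
            m = rx.search(line)
            if m:
                found.append((m.group("host"), idx))
                break
    return found


def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least maxretry matches (the jail's maxretry; findtime not modelled)."""
    counts = Counter(host for host, _ in extract_failures(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines in the syslog format /var/log/messages would carry
# (documentation IPs; the hostname and PIDs are made up).
LOG_LINES = [
    "Jan  4 17:20:01 trixbox1 asterisk[2210]: NOTICE[2210]: chan_sip.c:21046 in register_verify: "
    "Registration from '\"100\"<sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "Jan  4 17:20:02 trixbox1 asterisk[2210]: NOTICE[2210]: chan_sip.c:21046 in register_verify: "
    "Registration from '\"101\"<sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "Jan  4 17:20:03 trixbox1 asterisk[2210]: NOTICE[2210]: chan_sip.c:21046 in register_verify: "
    "Registration from '\"102\"<sip:102@192.0.2.10>' failed for '198.51.100.7' - Username/auth name mismatch",
    "Jan  4 17:20:04 trixbox1 asterisk[2210]: NOTICE[2210]: chan_sip.c:22222 in register_verify: "
    "203.0.113.5 failed to authenticate as '200'",
    "Jan  4 17:20:05 trixbox1 asterisk[2210]: NOTICE[2210]: chan_sip.c:12345 in check_auth: "
    "Host 203.0.113.5 failed MD5 authentication for '200' (9f3c != 1a2b)",
    # A successful registration at VERBOSE level: must not match any failregex.
    "Jan  4 17:20:06 trixbox1 asterisk[2210]: VERBOSE[2210]: -- Registered SIP '100' at 192.168.0.20:5060",
]

if __name__ == "__main__":
    for host, idx in extract_failures(LOG_LINES):
        print(f"{host}  (matched failregex #{idx + 1})")
    print("would ban with maxretry=3:", hosts_to_ban(LOG_LINES))
```

If the patterns match here but the jail still bans nothing, the problem is on the other side: whether those NOTICE lines actually land in the file named by `logpath`. In the quoted setup the jail reads `/var/log/messages`, but logger.conf only sends `notice` to `syslog.local0` and the `messages =>` line is commented out, so the lines reach that file only if the syslog daemon routes the local0 facility there; pointing `logpath` at `/var/log/asterisk/full` and confirming with `fail2ban-regex <logfile> <filter>` is the direct way to tell. Separately, in the posted `iptables -L` output the jump to `fail2ban-ASTERISK` comes first, so bans placed in that chain would take effect, but the hand-added DROP rules sit below a blanket `ACCEPT all -- anywhere anywhere` and are never reached.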