What do the logs of the attacks look like?<br><br><div class="gmail_quote">On 4 January 2011 at 17:18, João Marcelo Queiroz <span dir="ltr"><<a href="mailto:jmbq@bol.com.br">jmbq@bol.com.br</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;">I'm having trouble getting fail2ban to block some attacks I'm receiving on a server. I've read and re-read a few articles on its configuration, without success. My sources were:<br>
<a href="http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk" target="_blank">http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk</a><br><a href="http://iceburn.info/linux/instalar-fail2ban-em-centos.html" target="_blank">http://iceburn.info/linux/instalar-fail2ban-em-centos.html</a><br>
<br>I'm running Trixbox 2.6.2.3<br><br><br>I'd be very grateful for any help; below is some information that may help:<br><br>-----------------------------<br><br>[trixbox1.localdomain ~]# iptables -L<br>Chain INPUT (policy ACCEPT)<br>
target prot opt source destination <br>fail2ban-ASTERISK all -- anywhere anywhere <br>ACCEPT all -- anywhere anywhere <br>ACCEPT all -- 192.168.0.0/24 anywhere <br>
DROP all -- ns1.oiss10.net anywhere -> some IPs I blocked by hand<br>DROP all -- 93.114.196.109 anywhere <br>DROP all -- 109.203.99.88 anywhere <br>
DROP all -- reverse.completel.net anywhere <br>DROP all -- server77-68-52-218.live-servers.net anywhere <br>
DROP all -- server1.boundlessflight.com anywhere <br>DROP all -- ns1.oiss10.net anywhere <br>
DROP all -- 184-106-165-224.static.cloud-ips.com anywhere <br>DROP all -- midphase.com anywhere <br>
DROP all -- 188.161.224.232 anywhere <br>DROP all -- 14-64-245-83.packetexchange.net anywhere <br>DROP all -- 174-143-246-25.static.slicehost.net anywhere <br>
DROP all -- 168.188.130.184 anywhere <br>DROP all -- static.206.17.4.46.clients.your-server.de anywhere <br>
DROP all -- 91.220.62.36 anywhere <br>DROP all -- 59.39.66.30 anywhere <br>ACCEPT all -- XXX.XXX.XXX.XX.static.gvt.net.br anywhere <br>
ACCEPT udp -- anywhere anywhere udp dpts:sip:5070 <br>ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp <br>ACCEPT udp -- anywhere anywhere udp dpt:domain <br>
ACCEPT udp -- anywhere anywhere udp dpt:iax <br>DROP icmp -- anywhere anywhere icmp echo-request <br>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED <br>
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN <br><br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination <br><br>Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination <br><br>Chain fail2ban-ASTERISK (1 references)<br>target prot opt source destination <br>RETURN all -- anywhere anywhere <br>
<br>Chain fail2ban-SSH (0 references)<br>target prot opt source destination <br>RETURN all -- anywhere anywhere <br>[trixbox1.localdomain ~]# <br><br>-----------------------------<br>
FAIL2BAN.CONF<br>-----------------------------<br><br><div># Fail2Ban configuration file<br>#<br># Author: Cyril Jaquier<br>#<br># $Revision: 629 $<br>#<br><br>[Definition]<br><br># Option: loglevel<br># Notes.: Set the log level output.<br>
# 1 = ERROR<br># 2 = WARN<br># 3 = INFO<br># 4 = DEBUG<br># Values: NUM Default: 3<br>#<br>loglevel = 3<br><br># Option: logtarget<br># Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.<br>
# Only one log target can be specified.<br># Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log<br>#<br>logtarget = /var/log/fail2ban.log<br><br># Option: socket<br># Notes.: Set the socket file. This is used to communicate with the daemon. Do<br>
# not remove this file when Fail2ban runs. It will not be possible to<br># communicate with the server afterwards.<br># Values: FILE Default: /var/run/fail2ban/fail2ban.sock<br>#<br>socket = /var/run/fail2ban/fail2ban.sock<br>
<br><br><br>-----------------------------<br>JAIL.CONF (only the end).<br>-----------------------------<br></div><div><br>[asterisk-iptables]<br><br>enabled = true<br>filter = asterisk <br>
action = iptables-allports[name=ASTERISK, protocol=all]<br> sendmail-whois[name=ASTERISK, dest=xxxx@xxx.com.br, sender=fail2ban@example.org]<br>
logpath = /var/log/messages<br>maxretry = 3<br>bantime = 259200<br><br><br>-----------------------------<br>ASTERISK.CONF (filter.d)<br>-----------------------------<br></div><div><br># Fail2Ban configuration file<br>#<br>
#<br># $Revision: 250 $<br>#<br><br>[INCLUDES]<br><br># Read common prefixes. If any customizations available -- read them from<br># common.local<br>#before = common.conf<br><br><br>[Definition]<br><br>#_daemon = asterisk<br>
<br># Option: failregex<br># Notes.: regex to match the password failures messages in the logfile. The<br># host must be matched by a group named "host". The tag "<HOST>" can<br># be used for standard IP/hostname matching and is only an alias for<br>
# (?:::f{4,6}:)?(?P<host>\S+)<br># Values: TEXT<br>#<br><br>failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password<br> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found<br>
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch<br> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL<br>
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register<br> NOTICE.* <HOST> failed to authenticate as '.*'$<br> NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)<br>
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)<br> NOTICE.* .*: Failed to authenticate user .*@<HOST>.*<br>ignoreregex =<br><br><br></div><div>-----------------------------<br>
LOGGER.CONF<br>-----------------------------<br></div><div><br>[general]<br>; dateformat=%F %T<br><br>;<br>; Logging Configuration<br>;<br>; In this file, you configure logging to files or to<br>; the syslog system.<br>;<br>
; For each file, specify what to log.<br>;<br>; For console logging, you set options at start of<br>; Asterisk with -v for verbose and -d for debug<br>; See 'asterisk -h' for more information.<br>;<br>; Directory for log files is configures in asterisk.conf<br>
; option astlogdir<br>;<br>[logfiles]<br>syslog.local0 => notice<br>;<br>; Format is "filename" and then "levels" of debugging to be included:<br>; debug<br>; notice<br>; warning<br>; error<br>
; verbose<br>;<br>; Special filename "console" represents the system console<br>;<br>;debug => debug<br>;console => notice,warning,error<br>console => notice,warning,error,debug,verbose<br>;messages => notice,warning,error<br>
full => notice,warning,error,debug,verbose<br><br>;syslog keyword : This special keyword logs to syslog facility<br>;<br>;syslog.local0 => notice,warning,error<br>;<br><br></div><div>-----------------------------<br>
<br><br>Here I tried uncommenting the "; dateformat=%F %T" line and pointing "[asterisk-iptables]" at /var/log/asterisk/full, but that didn't work either.<br><br>Any help will be greatly appreciated.<br><br>Regards,<br>
<font color="#888888"><br>João Queiroz</font></div></div><br>_______________________________________________<br>
AsteriskBrasil.org discussion list<br>
<a href="mailto:AsteriskBrasil@listas.asteriskbrasil.org">AsteriskBrasil@listas.asteriskbrasil.org</a><br>
<a href="http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil" target="_blank">http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil</a><br>
</blockquote></div>
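The question at the top of the thread (what do the attack log lines look like?) is the right one: fail2ban only bans when a line in logpath matches one of the failregex patterns. The jail above reads /var/log/messages, while the posted logger.conf sends Asterisk notices to syslog facility local0 only, so whether those lines land in /var/log/messages at all depends on the host's syslog configuration. The following is an added example, not code from the original thread or from the fail2ban project: a small Python check that runs the nine failregex patterns from the posted filter.d/asterisk.conf over constructed syslog-style lines of the kind Asterisk writes when a registration fails, and reports which source addresses would reach maxretry = 3. The log lines, host names and addresses are made up for the example; the fourth line carries a failure reason the filter has no pattern for, and the fifth uses the 'address:port' form that some Asterisk versions log, to show that the pattern then captures the port together with the address.

```python
import re
from collections import Counter

# The nine failregex patterns from the posted filter.d/asterisk.conf.
# fail2ban expands the <HOST> tag to the group below (quoted in the comment
# of that file) and searches each log line for a match.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample (not real captured data) of what /var/log/messages could
# hold when Asterisk NOTICE messages arrive through syslog. Addresses are from
# documentation ranges. Line 4 has a reason the filter does not cover; line 5
# uses the 'address:port' form written by some Asterisk versions.
PREFIX = "Jan  4 17:10:0%d trixbox1 asterisk[2345]: NOTICE[2401]: chan_sip.c:14950 handle_request_register: "
SAMPLE_LOG = [
    PREFIX % 1 + "Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.23' - Wrong password",
    PREFIX % 2 + "Registration from '\"101\" <sip:101@203.0.113.5>' failed for '198.51.100.23' - No matching peer found",
    PREFIX % 3 + "Registration from '\"102\" <sip:102@203.0.113.5>' failed for '198.51.100.23' - Wrong password",
    PREFIX % 4 + "Registration from '\"200\" <sip:200@203.0.113.5>' failed for '198.51.100.77' - Not a local domain",
    PREFIX % 5 + "Registration from '\"300\" <sip:300@203.0.113.5>' failed for '198.51.100.99:5060' - Wrong password",
]


def match_line(line):
    """Return the text captured as <HOST> by the first matching failregex, or None."""
    line = line.rstrip("\n")
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines, maxretry=3):
    """Count matches per captured host and return those at or above maxretry.

    This mirrors the counting the jail does (bantime/findtime windows are
    ignored here); the returned strings are what would be handed to iptables.
    """
    hits = Counter()
    for line in lines:
        host = match_line(line)
        if host is not None:
            hits[host] += 1
    return {host for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line) or "(no pattern matched)", "<-", line[-60:])
    print("would ban:", scan(SAMPLE_LOG))
```

Two things the run makes visible: a failure reason that is not in the list ("Not a local domain" in the sample) is never counted, however many times it repeats, and when Asterisk logs 'address:port' the captured host includes the port, which is not something iptables-allports can ban. Against the real file, the fail2ban-regex tool shipped with fail2ban performs the same check when given the log file and the filter file as its two arguments.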
<br>