<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
I am having trouble getting fail2ban to block some attacks I am receiving on a server. I have read and re-read several articles on configuring it, without success. My sources were:<br>
<a href="http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk">http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk</a><br>
<a href="http://iceburn.info/linux/instalar-fail2ban-em-centos.html">http://iceburn.info/linux/instalar-fail2ban-em-centos.html</a><br>
<br>
I am running Trixbox 2.6.2.3<br>
<br>
I would greatly appreciate any help; below is some information that may be useful:<br>
<br>
-----------------------------<br>
<br>
[trixbox1.localdomain ~]# iptables -L<br>
Chain INPUT (policy ACCEPT)<br>
target prot opt source destination<br>
fail2ban-ASTERISK all -- anywhere anywhere<br>
ACCEPT all -- anywhere anywhere<br>
ACCEPT all -- 192.168.0.0/24 anywhere<br>
DROP all -- ns1.oiss10.net anywhere -> some IPs that I blocked by hand<br>
DROP all -- 93.114.196.109 anywhere<br>
DROP all -- 109.203.99.88 anywhere<br>
DROP all -- reverse.completel.net anywhere<br>
DROP all -- server77-68-52-218.live-servers.net anywhere<br>
DROP all -- server1.boundlessflight.com anywhere<br>
DROP all -- ns1.oiss10.net anywhere<br>
DROP all -- 184-106-165-224.static.cloud-ips.com anywhere<br>
DROP all -- midphase.com anywhere<br>
DROP all -- 188.161.224.232 anywhere<br>
DROP all -- 14-64-245-83.packetexchange.net anywhere<br>
DROP all -- 174-143-246-25.static.slicehost.net anywhere<br>
DROP all -- 168.188.130.184 anywhere<br>
DROP all -- static.206.17.4.46.clients.your-server.de anywhere<br>
DROP all -- 91.220.62.36 anywhere<br>
DROP all -- 59.39.66.30 anywhere<br>
ACCEPT all -- XXX.XXX.XXX.XX.static.gvt.net.br anywhere<br>
ACCEPT udp -- anywhere anywhere udp dpts:sip:5070<br>
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp<br>
ACCEPT udp -- anywhere anywhere udp dpt:domain<br>
ACCEPT udp -- anywhere anywhere udp dpt:iax<br>
DROP icmp -- anywhere anywhere icmp echo-request<br>
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br>
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN<br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain fail2ban-ASTERISK (1 references)<br>
target prot opt source destination<br>
RETURN all -- anywhere anywhere<br>
<br>
Chain fail2ban-SSH (0 references)<br>
target prot opt source destination<br>
RETURN all -- anywhere anywhere<br>
[trixbox1.localdomain ~]#<br>
<br>
-----------------------------<br>
FAIL2BAN.CONF<br>
-----------------------------<br>
<br>
<div>
# Fail2Ban configuration file<br>
#<br>
# Author: Cyril Jaquier<br>
#<br>
# $Revision: 629 $<br>
#<br>
<br>
[Definition]<br>
<br>
# Option: loglevel<br>
# Notes.: Set the log level output.<br>
# 1 = ERROR<br>
# 2 = WARN<br>
# 3 = INFO<br>
# 4 = DEBUG<br>
# Values: NUM Default: 3<br>
#<br>
loglevel = 3<br>
<br>
# Option: logtarget<br>
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.<br>
# Only one log target can be specified.<br>
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log<br>
#<br>
logtarget = /var/log/fail2ban.log<br>
<br>
# Option: socket<br>
# Notes.: Set the socket file. This is used to communicate with the daemon. Do<br>
# not remove this file when Fail2ban runs. It will not be possible to<br>
# communicate with the server afterwards.<br>
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock<br>
#<br>
socket = /var/run/fail2ban/fail2ban.sock<br>
</div>
<br>
-----------------------------<br>
JAIL.CONF (only the end).<br>
-----------------------------<br>
<br>
<div>
[asterisk-iptables]<br>
<br>
enabled = true<br>
filter = asterisk<br>
action = iptables-allports[name=ASTERISK, protocol=all]<br>
 sendmail-whois[name=ASTERISK, dest=xxxx@xxx.com.br, sender=fail2ban@example.org]<br>
logpath = /var/log/messages<br>
maxretry = 3<br>
bantime = 259200<br>
</div>
<br>
-----------------------------<br>
ASTERISK.CONF (filter.d)<br>
-----------------------------<br>
<br>
<div>
# Fail2Ban configuration file<br>
#<br>
#<br>
# $Revision: 250 $<br>
#<br>
<br>
[INCLUDES]<br>
<br>
# Read common prefixes. If any customizations available -- read them from<br>
# common.local<br>
#before = common.conf<br>
<br>
<br>
[Definition]<br>
<br>
#_daemon = asterisk<br>
<br>
# Option: failregex<br>
# Notes.: regex to match the password failures messages in the logfile. The<br>
# host must be matched by a group named "host". The tag "&lt;HOST&gt;" can<br>
# be used for standard IP/hostname matching and is only an alias for<br>
# (?:::f{4,6}:)?(?P&lt;host&gt;\S+)<br>
# Values: TEXT<br>
#<br>
<br>
failregex = NOTICE.* .*: Registration from '.*' failed for '&lt;HOST&gt;' - Wrong password<br>
 NOTICE.* .*: Registration from '.*' failed for '&lt;HOST&gt;' - No matching peer found<br>
 NOTICE.* .*: Registration from '.*' failed for '&lt;HOST&gt;' - Username/auth name mismatch<br>
 NOTICE.* .*: Registration from '.*' failed for '&lt;HOST&gt;' - Device does not match ACL<br>
 NOTICE.* .*: Registration from '.*' failed for '&lt;HOST&gt;' - Peer is not supposed to register<br>
 NOTICE.* &lt;HOST&gt; failed to authenticate as '.*'$<br>
 NOTICE.* .*: No registration for peer '.*' \(from &lt;HOST&gt;\)<br>
 NOTICE.* .*: Host &lt;HOST&gt; failed MD5 authentication for '.*' (.*)<br>
 NOTICE.* .*: Failed to authenticate user .*@&lt;HOST&gt;.*<br>
ignoreregex =<br>
</div>
<br>
-----------------------------<br>
LOGGER.CONF<br>
-----------------------------<br>
<br>
<div>
[general]<br>
; dateformat=%F %T<br>
<br>
;<br>
; Logging Configuration<br>
;<br>
; In this file, you configure logging to files or to<br>
; the syslog system.<br>
;<br>
; For each file, specify what to log.<br>
;<br>
; For console logging, you set options at start of<br>
; Asterisk with -v for verbose and -d for debug<br>
; See 'asterisk -h' for more information.<br>
;<br>
; Directory for log files is configured in asterisk.conf<br>
; option astlogdir<br>
;<br>
[logfiles]<br>
syslog.local0 =&gt; notice<br>
;<br>
; Format is "filename" and then "levels" of debugging to be included:<br>
; debug<br>
; notice<br>
; warning<br>
; error<br>
; verbose<br>
;<br>
; Special filename "console" represents the system console<br>
;<br>
;debug =&gt; debug<br>
;console =&gt; notice,warning,error<br>
console =&gt; notice,warning,error,debug,verbose<br>
;messages =&gt; notice,warning,error<br>
full =&gt; notice,warning,error,debug,verbose<br>
<br>
;syslog keyword : This special keyword logs to syslog facility<br>
;<br>
;syslog.local0 =&gt; notice,warning,error<br>
;<br>
</div>
<br>
-----------------------------<br>
<br>
Here I tried uncommenting "; dateformat=%F %T" and pointing "[asterisk-iptables]" to /var/log/asterisk/full, but that did not work either.<br>
<br>
Any help will be greatly appreciated.<br>
<br>
Best regards,<br>
<br>
João Queiroz
</body></html>
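Added example, not part of João's message and not fail2ban's own code: a small Python harness that expands the `<HOST>` tag the way the filter file's comment documents it, compiles the nine failregex lines from the posted filter.d/asterisk.conf, and runs them over constructed Asterisk log lines in both the syslog format that `syslog.local0 => notice` writes to /var/log/messages and the format of /var/log/asterisk/full. It then tallies hits per host against the jail's `maxretry = 3`. Using `re.search` per line is an assumption that approximates what `fail2ban-regex` does; real fail2ban also applies `findtime`, which this omits. The log lines, hostnames and IPs are constructed for the example.

```python
import re
from collections import Counter

# <HOST> alias exactly as documented in the filter file's comment.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex lines copied from the posted filter.d/asterisk.conf.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]


def compile_failregex(patterns):
    """Expand the <HOST> tag into the named group and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


COMPILED = compile_failregex(FAILREGEX)


def match_host(line, compiled=COMPILED):
    """Return the host captured by the first matching failregex, or None.

    Assumption: unanchored re.search approximates fail2ban-regex behaviour.
    """
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, compiled=COMPILED):
    """Tally matching lines per offending host, like fail2ban's failure counter."""
    counts = Counter()
    for line in lines:
        host = match_host(line, compiled)
        if host:
            counts[host] += 1
    return counts


def hosts_to_ban(lines, maxretry=3, compiled=COMPILED):
    """Hosts that reached the jail's maxretry (findtime window ignored here)."""
    return sorted(h for h, n in count_failures(lines, compiled).items() if n >= maxretry)


# Constructed sample lines (not from the poster's server).
SAMPLE_LOG = [
    # syslog format, as 'syslog.local0 => notice' would land in /var/log/messages
    "Jun 10 14:22:01 trixbox1 asterisk[2345]: NOTICE[2360]: chan_sip.c:21374 in handle_request_register: "
    "Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.23' - Wrong password",
    "Jun 10 14:22:02 trixbox1 asterisk[2345]: NOTICE[2360]: chan_sip.c:21374 in handle_request_register: "
    "Registration from '\"101\" <sip:101@203.0.113.5>' failed for '198.51.100.23' - No matching peer found",
    # Asterisk full-log format (/var/log/asterisk/full), with an IPv6-mapped address
    "[Jun 10 14:22:03] NOTICE[2360] chan_sip.c: Registration from '\"102\" <sip:102@203.0.113.5>' "
    "failed for '::ffff:198.51.100.23' - Username/auth name mismatch",
    "[Jun 10 14:22:04] NOTICE[2360] chan_sip.c: 192.0.2.77 failed to authenticate as 'admin'",
    # Unrelated NOTICE: must not be counted as a failure
    "Jun 10 14:22:05 trixbox1 asterisk[2345]: NOTICE[2360]: chan_sip.c: Peer '200' is now Reachable. (5ms / 2000ms)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{match_host(line)!s:>16}  <-  {line[:70]}...")
    print("failures per host:", dict(count_failures(SAMPLE_LOG)))
    print("would be banned at maxretry=3:", hosts_to_ban(SAMPLE_LOG))
```

On the server itself the equivalent check is `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines of the real log each failregex matched; a zero count there is the quickest way to tell whether the log format and the filter disagree.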