PmWiki.Fail2ban History


September 01, 2010, at 01:10 PM by aseques -
September 01, 2010, at 01:09 PM by aseques -
Changed lines 1-100 from:

Fail2ban is a daemon that watches log files for intrusion attempts and bans the offending source addresses with firewall rules. Here it is adapted to OpenSIPS, so that a client is banned after it has repeatedly tried to register or call with wrong authentication credentials.

Opensips configuration

To make OpenSIPS work with fail2ban, send its log lines to their own file instead of /var/log/syslog, so the fail2ban filter only ever sees OpenSIPS messages. In opensips.cfg change the syslog facility (LOCAL7 is assumed to be free on the host; any unused local facility works):

Change from: log_facility=LOG_LOCAL0

To: log_facility=LOG_LOCAL7

And change the authentication block from:

if (!www_authorize("", "subscriber")) {
	www_challenge("", "0");
	exit;
}

To:

# Keep the return code of www_authorize() instead of only testing for failure.
$var(auth_code) = www_authorize("", "subscriber");
# Log only the codes treated here as credential failures (-1 and -2). A request
# that carries no credentials yet is normal SIP flow (the client is challenged
# and retries with credentials) and must not be counted as an attack; check the
# return codes documented for the auth_db module of your OpenSIPS version.
# $si is the source IP of the request, which is what fail2ban will ban.
if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
	xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
}
# Every negative code is still answered with the challenge, exactly as before.
if ( $var(auth_code) < 0 ) {
	www_challenge("", "0");
	exit;
}

rsyslog configuration

Add to /etc/rsyslog.conf

local7.* /var/log/opensips.log

On a Debian-style rsyslog configuration the catch-all rule for /var/log/syslog still receives the same messages; to keep them out of syslog, put the local7 line before that rule and follow it with a line containing only & ~ (the discard action of the rsyslog releases current at the time; newer releases spell it & stop). Restart rsyslog (/etc/init.d/rsyslog restart) and then OpenSIPS so the new facility takes effect, and confirm that a failed registration produces a line in /var/log/opensips.log before going on.

Fail2ban configuration

Install fail2ban

apt-get install fail2ban

Add the jail below to fail2ban's configuration. The original puts it at the end of /etc/fail2ban/jail.conf; /etc/fail2ban/jail.local is the better place, because jail.conf is replaced on package upgrades and jail.local is read after it and overrides it:

[opensips]
enabled  = true
filter   = opensips
action   = iptables-allports[name=opensips, protocol=all]
           sendmail-whois[name=opensips, dest=destination@example.com, sender=source@example.com]
logpath  = /var/log/opensips.log
maxretry = 5
bantime = 3600

maxretry counts failures within findtime, which is inherited from the [DEFAULT] section (600 seconds unless changed), and bantime is in seconds, so this bans a source for one hour after five failures in ten minutes. iptables-allports blocks every port and protocol from the banned address, which also cuts off any legitimate phones behind the same NAT. The sendmail-whois action needs a working local MTA and the two addresses replaced with real ones; it can simply be dropped. The second action line must stay indented so fail2ban reads it as a continuation of the first.

Create a file in /etc/fail2ban/filter.d/opensips.conf with the content:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = opensips

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

# The From user and domain ($fU@$fd) are attacker-controlled. The greedy ".*"
# together with the \S+ host tag makes the match settle on the last
# "from <ip> cause -N" in the line, which is the $si written by the script, so
# a crafted From user cannot make fail2ban ban a third-party address.
failregex = Auth error for .* from <HOST> cause -[0-9]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Before enabling the jail, check the filter against the live log with fail2ban-regex /var/log/opensips.log /etc/fail2ban/filter.d/opensips.conf, which prints how many lines matched and the hosts it extracted. Then restart fail2ban with /etc/init.d/fail2ban restart. To verify end to end, register from a throwaway address with a wrong password more than maxretry times and check that the address shows up in the fail2ban-opensips iptables chain (iptables -L fail2ban-opensips -n).
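The following Python script is an added example, not part of the original page and not fail2ban's own code. It replays the filter's logic offline: it expands the <HOST> tag the way the filter's comment above describes, runs the failregex over a constructed sample of /var/log/opensips.log (the addresses, users and timestamps are made up, and the syslog line layout is an assumption), and applies the jail's maxretry/findtime counting. One sample line carries a From user crafted to read " from 203.0.113.9 cause -1", to show that the greedy match still extracts the real source address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from filter.d/opensips.conf, and the expansion of <HOST> given in
# the filter's own comment (older fail2ban; the IPv4-mapped IPv6 prefix
# "::ffff:" is optional and excluded from the captured host).
FAILREGEX = r"Auth error for .* from <HOST> cause -[0-9]"
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

# Assumed rsyslog line layout: "Mon DD HH:MM:SS host program[pid]: message".
# fail2ban strips the timestamp itself; the failregex is unanchored, so the
# rest of the prefix does not matter for matching.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ [^\[ ]+(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample of /var/log/opensips.log (documentation address ranges,
# nothing here is a real capture). The 8th line carries a crafted From user.
SAMPLE_LOG = """\
Sep  1 12:00:01 sip opensips[1234]: Auth error for 1001@sip.example.com from 192.0.2.44 cause -2
Sep  1 12:00:02 sip opensips[1234]: Auth error for 1001@sip.example.com from 192.0.2.44 cause -2
Sep  1 12:00:03 sip opensips[1234]: Auth error for 1001@sip.example.com from 192.0.2.44 cause -2
Sep  1 12:00:04 sip opensips[1234]: Auth error for 1001@sip.example.com from 192.0.2.44 cause -2
Sep  1 13:05:01 sip opensips[1234]: Auth error for alice@sip.example.com from 192.0.2.10 cause -2
Sep  1 13:05:03 sip opensips[1234]: Auth error for alice@sip.example.com from 192.0.2.10 cause -2
Sep  1 13:05:04 sip opensips[1234]: Auth error for admin@sip.example.com from 198.51.100.7 cause -1
Sep  1 13:05:06 sip opensips[1234]: Auth error for bob from 203.0.113.9 cause -1@sip.example.com from 192.0.2.10 cause -1
Sep  1 13:05:09 sip opensips[1234]: Auth error for alice@sip.example.com from ::ffff:192.0.2.10 cause -2
Sep  1 13:05:10 sip opensips[1234]: Auth error for 1000@sip.example.com from 192.0.2.10 cause -2
Sep  1 13:05:12 sip opensips[1234]: Auth error for admin@sip.example.com from 198.51.100.7 cause -1
Sep  1 13:05:13 sip opensips[1234]: Auth error for 1001@sip.example.com from 192.0.2.44 cause -2
Sep  1 13:05:14 sip opensips[1234]: REGISTER from 192.0.2.10 authorized
"""


def extract_host(message):
    """Apply the failregex to the message part of a log line.

    Returns the host fail2ban would ban, or None for a non-failure line.
    The greedy '.*' makes the engine settle on the last ' from <host> cause -N'
    in the line, i.e. the $si written by the OpenSIPS script, so a From user
    containing a fake 'from X cause -1' cannot get a third party banned.
    """
    m = FAIL_RE.search(message)
    return m.group("host") if m else None


def parse_line(line):
    """Return (timestamp, host) for a failure line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host = extract_host(m.group("msg"))
    if host is None:
        return None
    # Syslog timestamps carry no year; only differences are used below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, host


def failure_counts(log_text):
    """Total failures per host regardless of time (what fail2ban-regex reports)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Replay fail2ban's counting: a host is banned the moment it reaches
    maxretry failures inside a sliding window of findtime seconds (fail2ban's
    [DEFAULT] findtime is 600 unless the jail overrides it)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if not hit:
            continue
        ts, host = hit
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("failures per host:", failure_counts(SAMPLE_LOG))
    print("banned (maxretry=5, findtime=600):", hosts_to_ban(SAMPLE_LOG))
```

With the jail's values only 192.0.2.10 is banned: 192.0.2.44 also has five failures in total, but four of them are more than findtime before the fifth, which is why raising findtime (or lowering maxretry) changes the outcome. The crafted line and the ::ffff: line both resolve to 192.0.2.10, matching what fail2ban-regex would report against the real log.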

to:

Moved content to docs_tut_fail2ban?

August 30, 2010, at 03:05 PM by aseques -
Added lines 12-39:


August 30, 2010, at 03:00 PM by aseques -
Added lines 1-72:



Page last modified on September 01, 2010, at 01:10 PM