Fail2Ban fails to ban on Asterisk errors



I'm running fail2ban 0.9.1 with Asterisk 11 on Fedora 21, using IPTables.

The IP addresses attacking my server are not being written to the IP tables automatically (see below: they do get banned when I run banip manually). Do you see any errors that could be causing this?

I get messages in my /var/log/asterisk/messages log about miscreants trying bad extensions.

My regex works, because when I run

 fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

 Lines: 2985 lines, 0 ignored, 597 matched, 2388 missed [processed in 0.66 sec]

That means 597 lines match the regex, right? Is there a way to display the matched lines? What is the variable?

I can also run:

 fail2ban-client set asterisk banip 107.150.44.222

and IPTables is updated correctly and the IP is banned. (Yes, I know I used a real IP address; as far as I'm concerned, everyone is welcome to ban this ba$%*$#rd.)

 jail.local 
 [asterisk]
 enabled=yes
 filter=asterisk
 protocol=all
 logpath = /var/log/asterisk/messages
 banaction=iptables-multiport
 port     = 5060,5061
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
       %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
       %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
 maxretry = 3
 bantime=432000
 findtime =86400

I removed the reference to Asterisk from jail.conf to avoid conflicts.

 filter.d/asterisk.conf 
 [INCLUDES]
 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile.
 # Values:  TEXT
 #
 log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
 failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
        ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
        ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
        ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
        ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
        ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
        ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
        ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/(<HOST>)/[0-9]{4}"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =

Your asterisk.conf and jail.local entries look fine, although I usually add the jail name after the banaction, e.g. banaction=iptables-multiport[name=asterisk]

Restart the fail2ban service and check the fail2ban log for any errors. A common error that was not fixed until v0.9.2 is:

 Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'

To fix it, update fail2ban to v0.9.2 or edit the file /usr/share/fail2ban/common/__init__.py and add the following text at the end of the file:

 from time import strptime
 # strptime thread safety hack-around - http://bugs.python.org/issue7980
 strptime("2012", "%Y")

Is there a way to display the matched lines? What is the variable?

You need to use the -v option of fail2ban-regex. It won't give you the matched variable, but it will list every IP address associated with a matched line. You can then look up that IP's details in the asterisk log.

 fail2ban-regex -v /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
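As an added example (not code from the question, the answer, or fail2ban itself), the following Python emulates what the asterisk jail does with a handful of the posted failregex lines: it finds and cuts out the Asterisk timestamp the way fail2ban 0.9 does before matching (which is why log_prefix begins with the literal `\[\]`), lists every matching line with its host (what the question asks fail2ban-regex to show), and then counts only the failures inside findtime, which is what the running jail compares against maxretry. Assumptions: the `<HOST>` expansion shown is fail2ban 0.9's, `__pid_re` is the one from common.conf, only four of the posted failregex lines are transcribed, the log lines and IP addresses (documentation ranges) are constructed, and "now" is pinned to a fixed date so the run is repeatable.

```python
import re
from datetime import datetime, timedelta

# Filter pieces transcribed from the posted filter.d/asterisk.conf. __pid_re
# comes from common.conf; <HOST> is what fail2ban 0.9.x substitutes for the
# tag before compiling (assumption: 0.9.1 uses this same expansion).
PID_RE = r"(?:\[\d+\])"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[\S+\d*\])? \S+:\d*"

# Four of the posted failregex lines; the others follow the same shape.
FAILREGEX = [
    r"^<PREFIX> Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$",
    r"^<PREFIX> Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$",
    r"^<PREFIX> Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because "
    r"extension not found in context 'default'\.$",
    r"^<PREFIX> Host <HOST> failed to authenticate as '[^']*'$",
]
COMPILED = [re.compile(r.replace("<PREFIX>", LOG_PREFIX).replace("<HOST>", HOST))
            for r in FAILREGEX]

# Asterisk's default "dateformat=%b %e %T" yields "[Mar 12 10:01:02]". fail2ban
# locates the timestamp, parses it, and removes it from the line before running
# failregex, leaving "[] NOTICE[...]": hence the leading \[\] in log_prefix.
DATE_RE = re.compile(r"^\[(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample of /var/log/asterisk/messages (TEST-NET addresses).
SAMPLE_LOG = """\
[Mar 12 10:01:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5062' - Wrong password
[Mar 12 10:01:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5062' - No matching peer found
[Mar 12 10:01:04] NOTICE[1234][C-00000042] chan_sip.c: Call from '' (203.0.113.5:5062) to extension '900123456789' rejected because extension not found in context 'default'.
[Mar 12 10:01:05] VERBOSE[1234] -- Registered SIP '100' at 192.0.2.20:5060
[Mar 10 08:00:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 10 08:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 10 08:00:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 12 10:02:00] NOTICE[1234] chan_sip.c: Host 203.0.113.9 failed to authenticate as '200'
""".splitlines()

# Pinned "now" so the findtime arithmetic below is repeatable (assumption).
NOW = datetime(2015, 3, 12, 10, 5, 0)


def parse_line(line, year):
    """Return (timestamp, host) when the line is a failure, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None          # no usable timestamp: the jail cannot place it in findtime
    # Asterisk's default timestamp has no year; fail2ban assumes the current one.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    stripped = line[:m.start(1)] + line[m.end(1):]   # "[Mar 12 10:01:02]" -> "[]"
    for rx in COMPILED:
        fm = rx.match(stripped)
        if fm:
            return ts, fm.group("host")
    return None


def failures(lines, year):
    """Every matching line as (timestamp, host, line): the view the question
    wants from fail2ban-regex."""
    out = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            out.append((parsed[0], parsed[1], line))
    return out


def failures_in_window(lines, now, findtime):
    """Per-host count of failures newer than now - findtime: what the running
    jail actually weighs against maxretry."""
    window = now - timedelta(seconds=findtime)
    counts = {}
    for ts, host, _ in failures(lines, now.year):
        counts.setdefault(host, 0)
        if ts >= window:
            counts[host] += 1
    return counts


def hosts_to_ban(lines, now, findtime=86400, maxretry=3):
    """Hosts the jail would ban with the posted findtime/maxretry."""
    return sorted(h for h, n in failures_in_window(lines, now, findtime).items()
                  if n >= maxretry)


if __name__ == "__main__":
    for ts, host, line in failures(SAMPLE_LOG, NOW.year):
        print(f"{host:15} {line}")
    print(failures_in_window(SAMPLE_LOG, NOW, findtime=86400))
    print("would ban:", hosts_to_ban(SAMPLE_LOG, NOW))
```

Running it, the three Mar 10 lines for 198.51.100.7 are listed as matches but counted as zero, because they fall outside the 86400-second findtime; fail2ban-regex would still report them as matched. That is one way a filter can match hundreds of lines while the jail bans nothing: the matches are older than findtime, or the timestamps are parsed with a different time zone than the server clock, which shifts them out of the window. Paste the remaining posted failregex lines into the list to cover the other Asterisk messages.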
