Fail2Ban fails to ban Asterisk errors

Time: 2015-07-14 17:54:27

Tags: regex asterisk fail2ban

I am running fail2ban 0.9.1 on Fedora 21 with Asterisk 11 and IPTables.

The IP addresses attacking my server are not being written to the IP tables automatically (see below about how they do work when I run banip manually). Can you see anything that would cause this error?

I get messages in the /var/log/asterisk/messages log about bad actors trying wrong extensions.

My regex works, because when I run

 fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

I get

 Lines: 2985 lines, 0 ignored, 597 matched, 2388 missed [processed in 0.66 sec]

which means 597 lines match the regex. Right? Is there a way to show which lines matched? What are the variables?

I can also do this:

 fail2ban-client set asterisk banip 107.150.44.222

and IPTables is updated correctly and the IP is banned. (Yes, I know I used a real IP address - as far as I'm concerned, everyone is welcome to ban the ba$%$$#rd.)

 jail.local

 [asterisk]
 enabled=yes
 filter=asterisk
 protocol=all
 logpath = /var/log/asterisk/messages
 banaction=iptables-multiport
 port     = 5060,5061
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
       %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
       %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
 maxretry = 3
 bantime=432000
 findtime =86400

I removed the references to Asterisk in jail.conf to avoid conflicts.

 filter.d/asterisk.conf

 [INCLUDES]

 # Read common prefixes. If any customizations available -- read them from
 # common.local
 before = common.conf

 [Definition]

 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile.
 # Values:  TEXT
 #
 log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

 failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
        ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
        ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
        ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
        ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
        ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
        ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
        ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
        ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/(<HOST>)/[0-9]{4}"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =

1 answer:

Answer 0 (score: 0)

Your asterisk.conf and jail.local entries look fine, although I usually add the jail name after the banaction. For example: banaction=iptables-multiport[name=asterisk]

Restart the fail2ban service and check the fail2ban log for any errors. A common problem that was not fixed until v0.9.2 is:

Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'

To fix it, update fail2ban to v0.9.2 or edit the file /usr/share/fail2ban/common/__init__.py

and add the following text to the end of the file:

from time import strptime
# strptime thread safety hack-around - http://bugs.python.org/issue7980
strptime("2012", "%Y")

Is there a way to show which lines matched? What are the variables?

You want the -v option on fail2ban-regex. It will not give you the matched variables, but it will list each IP address associated with a matching line. You can then look that IP up in the asterisk log for the details.

fail2ban-regex -v /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
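As an added illustration of what fail2ban-regex -v is doing under the hood (example code written for this page, not code from the original post or from fail2ban itself), the script below loads a trimmed copy of the question's filter, cuts the timestamp out of each line the way fail2ban 0.9 does before trying failregex (which is why log_prefix begins with the empty brackets \[\]), reports which sample lines matched and which host each match yields, and then applies the jail's maxretry=3 / findtime=86400 to show which host would actually be banned. The __pid_re value and the <HOST> expansion are reproduced by hand from fail2ban's defaults and should be treated as assumptions; the log lines and addresses are constructed.

```python
"""Replay fail2ban-style failregex matching over Asterisk log lines.

Added illustration; not code from the original post or from fail2ban.
"""
import configparser
import re
from datetime import datetime, timedelta

# Trimmed copy of the question's filter.d/asterisk.conf, keeping only the four
# failregex entries the constructed sample lines exercise. __pid_re normally
# comes in via "before = common.conf"; the value (?:\[\d+\]) is reproduced here
# by hand (assumption: it matches what fail2ban's common.conf defines).
FILTER_INI = r"""
[Definition]
__pid_re = (?:\[\d+\])
log_prefix = \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
ignoreregex =
"""

# Simplified stand-in (assumption) for the named group fail2ban substitutes for <HOST>.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Asterisk "messages" timestamp (logger.conf default dateformat "%F %T").
# fail2ban cuts the matched date out of the line before trying failregex,
# which is why log_prefix starts with the empty brackets \[\].
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log using documentation addresses, not real attackers.
SAMPLE_LOG = """\
[2015-07-14 17:50:01] NOTICE[2431] chan_sip.c: Registration from '"100"<sip:100@203.0.113.5>' failed for '203.0.113.5:5060' - Wrong password
[2015-07-14 17:50:02] NOTICE[2431] chan_sip.c: Call from '' (203.0.113.7:5060) to extension '00972595555555' rejected because extension not found in context 'default'.
[2015-07-14 17:50:03] VERBOSE[2431] chan_sip.c: -- Registered SIP '200' at 192.0.2.10:5060
[2015-07-14 17:50:04] NOTICE[2431] chan_sip.c: Registration from '"1001"<sip:1001@203.0.113.9>' failed for '203.0.113.9:5060' - No matching peer found
[2015-07-14 17:50:05] NOTICE[2431] chan_sip.c: Call from '' (203.0.113.7:5060) to extension '1234' rejected because extension not found in context 'from-trunk'.
[2015-07-14 17:50:06] NOTICE[2431][C-00000012] chan_sip.c: Host 203.0.113.5 failed to authenticate as '100'
[2015-07-14 17:50:07] NOTICE[2431] chan_sip.c: Registration from '"100"<sip:100@203.0.113.5>' failed for '203.0.113.5:5060' - Wrong password
"""


def load_filter(ini_text):
    """Parse a filter.d-style [Definition] section, expanding %(name)s refs."""
    cp = configparser.ConfigParser()  # BasicInterpolation resolves %(log_prefix)s
    cp.read_string(ini_text)
    section = cp["Definition"]

    def compile_all(key):
        return [re.compile(p.replace("<HOST>", HOST_GROUP))
                for p in section[key].splitlines() if p.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")


def find_failures(log_text, failregex, ignoreregex):
    """Return (matched, missed); matched entries are (lineno, time, host, regex_index)."""
    matched, missed = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = DATE_RE.search(line)
        if not m:                      # no parseable date: fail2ban cannot use it
            missed.append((lineno, line))
            continue
        when = datetime.strptime(m.group(), DATE_FMT)
        stripped = line[:m.start()] + line[m.end():]   # "[2015-...]" becomes "[]"
        if any(r.search(stripped) for r in ignoreregex):
            continue
        for idx, r in enumerate(failregex):
            hit = r.search(stripped)
            if hit:
                matched.append((lineno, when, hit.group("host"), idx))
                break
        else:
            missed.append((lineno, line))
    return matched, missed


def hosts_to_ban(matched, maxretry=3, findtime=86400):
    """Hosts with at least maxretry failures inside some findtime-second window."""
    by_host = {}
    for _, when, host, _ in matched:
        by_host.setdefault(host, []).append(when)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    fail, ignore = load_filter(FILTER_INI)
    matched, missed = find_failures(SAMPLE_LOG, fail, ignore)
    for lineno, when, host, idx in matched:
        print(f"line {lineno}: host={host} via failregex #{idx + 1}")
    for lineno, line in missed:
        print(f"line {lineno}: MISSED -> {line[:60]}")
    print("would ban:", sorted(hosts_to_ban(matched)))
```

Run it with python3. Sample line 5 is reported as missed because the filter's "extension not found" pattern only accepts context 'default', so invalid-extension calls arriving in any other context never count toward a ban; if the context in your dialplan differs, the regex has to be adjusted, and fail2ban-regex will show 0 matches for those lines. Note also that a host with only one or two hits, like 203.0.113.7 and 203.0.113.9 here, is correctly not banned: fail2ban-regex counts matching lines, but a ban needs maxretry of them from the same host within findtime.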