darmock
PIAF Developer
Hi All
After much testing we have decided to add fail2ban to all PBX in a Flash Version 1.2 installs.
What is fail2ban?
(from their wiki)
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address.
Here is their homepage
http://www.fail2ban.org/wiki/index.php/Main_Page
If you have any questions about configuration etc please refer to their pages.
How do I get it?
All new installs of PIAF 1.2 will have it installed, preconfigured, and running. Versions 1.0 and 1.1 will not. It works with either 32- or 64-bit versions of Asterisk.
Currently installed and running versions of PBX in a Flash version 1.2 (either Asterisk 1.4 or 1.6, 32- or 64-bit) will get it the next time they run both update-scripts and update-fixes.
Ok you forced me to install it and I don't want it.
Simply run disable-fail2ban to turn it off. Note the enable/disable programs are only available to you after you run update-scripts and update-fixes for the first time. I am not sure why anyone would not want this installed. I run it on all of my client machines plus all of my personal machines!
How is it preconfigured?
Various options have been entered into the /etc/fail2ban.conf file that most closely meet the needs of a PIAF system. That being said, your needs will differ, so have a look and edit it as needed. It is fully documented.
Currently the ssh and apache modules are activated. Various log files are parsed looking for bad passwords; after 3 tries, the IP address the bad passwords originated from is banned for 30 minutes.
An email message is sent to root@localhost with the information pertaining to the banned IP.
After the 30 minutes the banned IP is allowed to try again.
All of this is configurable! Please read through the conf file prior to posting questions. Currently I ban IP addresses for 9999 seconds!
<insert your favorite complaint here> doesn't work!
"Well, it works over here on ALL types of PBX in a Flash Version 1.2! PBX in a Flash 1.1 is not supported, sorry."
RTFM before posting. Available as above. BTW, this is the simplified version of fail2ban. The complex version is a true client/server, which we chose not to implement. fail2ban is installed from an RPM. All of the source and a copy of the original conf file are located in /usr/src/fail2ban.
This helps keep the software police at bay. Remember their motto:
"Protecting users from themselves at any cost"
Hey someone tried to break into my machine and they managed to attempt it 9 times when I have set the maximum number of password retries to 3! What gives? Does this software really work?
From the fail2ban manual:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
<scroll down near the bottom>
"Reaction time: First of all, remember that Fail2ban is a log parser. It cannot do anything before something is written in the log files. Lots of syslog daemons buffer their outputs. This can impact performance of Fail2ban. Thus, it could be good to disable buffering of your syslog daemon.
It is quite difficult to evaluate the reaction time. Fail2ban waits 1 second before checking for new logs to be scanned. This should be fine in most cases. However, it is possible to get more login failures than specified by maxretry."
Summary
One of the more common avenues by which a PIAF system can be compromised is software that runs a dictionary attack and attempts to find a valid user/password combo. This software can help make this avenue of attack time consuming for the evildoer. Plus you will get an email message every time an IP is banned.
Is this the only security you will need? NO! Do not rely on a single defense paradigm. You really do need multiple layers to help protect your system from hack attacks.
Fail2ban also must have iptables running! If it is not running, then it won't work. Thus, if you have disabled iptables, you must re-enable it.
Enjoy
Tom
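An added illustration of the mechanism the post and the quoted manual describe (example code, not PIAF's or fail2ban's own): a toy log-scanning jail with the preconfigured 3 tries / 30-minute ban, polled once per second over constructed /var/log/secure lines. The IPs, hostname and PID in the sample lines are constructed; a slow attacker is banned on the third failure, while a burst of 9 failures written between two polls all reach the log before the ban, which is the behaviour the manual's reaction-time note explains.

```python
import re
from collections import defaultdict
from datetime import datetime

# The sshd failure line fail2ban's ssh filter looks for in /var/log/secure
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for \S+ from (?P<ip>[\d.]+)")

def parse_failure(line):
    """Return (epoch seconds, source IP) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    return (datetime.strptime("2008 " + m["ts"], "%Y %b %d %H:%M:%S").timestamp(), m["ip"]) if m else None

class Jail:
    """Minimal fail2ban-style jail: maxretry failures within findtime -> ban for bantime."""
    def __init__(self, maxretry=3, findtime=600, bantime=1800):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> epoch second the ban expires
        self.attempts = defaultdict(int)    # ip -> failure lines that reached the log

    def is_banned(self, ip, now):
        return ip in self.bans and now < self.bans[ip]

    def scan(self, lines, now):
        """One polling pass over lines written since the last pass; returns IPs banned now."""
        newly_banned = []
        for line in lines:
            if not (rec := parse_failure(line)):
                continue
            ts, ip = rec
            self.attempts[ip] += 1  # already in the log, so the attempt already happened
            if self.is_banned(ip, now):
                continue
            self.failures[ip] = [t for t in self.failures[ip] if ts - t <= self.findtime] + [ts]
            if len(self.failures[ip]) >= self.maxretry:
                self.bans[ip], self.failures[ip] = now + self.bantime, []
                newly_banned.append(ip)  # here the real daemon would call iptables
        return newly_banned

def secure_line(sec, ip):
    """Constructed /var/log/secure entry at 12:00:<sec> from the given source IP."""
    return f"Oct 18 12:00:{sec:02d} pbx sshd[4242]: Failed password for root from {ip} port 5000 ssh2"

def demo():
    jail = Jail()
    base = parse_failure(secure_line(0, "203.0.113.9"))[0]
    for sec in range(3):  # slow attacker: one failure per 1-second poll, banned on the 3rd
        jail.scan([secure_line(sec, "203.0.113.9")], base + sec)
    jail.scan([secure_line(5, "198.51.100.7")] * 9, base + 5)  # burst: 9 failures logged in one second
    return (dict(jail.attempts), jail.is_banned("203.0.113.9", base + 5),
            jail.is_banned("198.51.100.7", base + 5), jail.is_banned("198.51.100.7", base + 1805))
```

demo() returns the per-IP attempt counts (3 and 9), both bans in force after the burst, and the burst IP unbanned again once the 1800-second bantime has elapsed.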