    Question about Fail2Ban

    • JaredBusch

      I make use of fail2ban with defaults and following guides.

      But I do not go into customizing things.

      So let me ask, can I trigger pretty much anything I want when fail2ban detects something?

      Obviously FreePBX sends emails from their intrusion detection process in SysAdmin. But I do not know if that is native fail2ban or something else for the email part. I mean I think it is all just fail2ban.

      So this means I should be able to create a script that it triggers to get other information right? such as grep the log for the IP.

      [root@pbx ~]# grep 207.244.157.130 /var/log/asterisk/full*
      /var/log/asterisk/full:[2018-06-20 10:07:39] NOTICE[7500] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:60579' (callid: 440117748-1426487594-1708530889) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 10:10:59] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 10:10:59] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 10:10:59] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:55658' (callid: 732056103-1336100019-1670180884) - Failed to authenticate
      /var/log/asterisk/full:[2018-06-20 10:14:41] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50026' (callid: 1583251357-694948444-323072118) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 11:16:07] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:51658' (callid: 809034197-44985811-303606027) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 11:16:07] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:51658' (callid: 809034197-44985811-303606027) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 11:16:07] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:51658' (callid: 809034197-44985811-303606027) - Failed to authenticate
      /var/log/asterisk/full:[2018-06-20 11:19:49] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:61528' (callid: 1663334653-914004430-1069925843) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 11:19:49] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:61528' (callid: 1663334653-914004430-1069925843) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 11:19:49] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:61528' (callid: 1663334653-914004430-1069925843) - Failed to authenticate
      /var/log/asterisk/full:[2018-06-20 12:20:30] NOTICE[8483] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:65228' (callid: 752774497-292723182-1345574746) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 12:24:09] NOTICE[23383] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:49243' (callid: 1595416130-1756415394-1659043822) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 12:27:54] NOTICE[7500] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:63387' (callid: 319443898-28209702-968196798) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 12:38:02] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:58039' (callid: 1526317031-1376553401-1884849216) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 12:41:40] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:57654' (callid: 1076021835-2054345086-2092340332) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 12:45:14] NOTICE[7500] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50166' (callid: 525071097-1219899127-962187490) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 12:45:14] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50166' (callid: 525071097-1219899127-962187490) - No matching endpoint found
      /var/log/asterisk/full:[2018-06-20 12:45:14] NOTICE[26129] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '207.244.157.130:50166' (callid: 525071097-1219899127-962187490) - Failed to authenticate
      

      and also look up the IP in ARIN or something.

      [root@pbx ~]# xmllint --format http://whois.arin.net/rest/ip/207.244.157.130
      <?xml version="1.0"?>
      <?xml-stylesheet type='text/xsl' href='http://whois.arin.net/xsl/website.xsl' ?>
      <net xmlns="http://www.arin.net/whoisrws/core/v1" xmlns:ns2="http://www.arin.net/whoisrws/rdns/v1" xmlns:ns3="http://www.arin.net/whoisrws/netref/v2" inaccuracyReportUrl="https://www.arin.net/resources/whois_reporting/index.html" termsOfUse="https://www.arin.net/whois_tou.html">
        <registrationDate>2005-07-01T13:54:44-04:00</registrationDate>
        <ref>https://whois.arin.net/rest/net/NET-207-244-144-0-1</ref>
        <endAddress>207.244.159.255</endAddress>
        <handle>NET-207-244-144-0-1</handle>
        <name>WORLDLINK-1</name>
        <netBlocks>
          <netBlock>
            <cidrLength>20</cidrLength>
            <endAddress>207.244.159.255</endAddress>
            <description>Direct Allocation</description>
            <type>DA</type>
            <startAddress>207.244.144.0</startAddress>
          </netBlock>
        </netBlocks>
        <originASes>
          <originAS>AS27323</originAS>
        </originASes>
        <resources inaccuracyReportUrl="https://www.arin.net/resources/whois_reporting/index.html" termsOfUse="https://www.arin.net/whois_tou.html">
          <limitExceeded limit="256">false</limitExceeded>
        </resources>
        <orgRef handle="WOWTEC-1" name="Wowrack.com">https://whois.arin.net/rest/org/WOWTEC-1</orgRef>
        <parentNetRef handle="NET-207-0-0-0-0" name="NET207">https://whois.arin.net/rest/net/NET-207-0-0-0-0</parentNetRef>
        <startAddress>207.244.144.0</startAddress>
        <updateDate>2015-11-09T09:30:54-05:00</updateDate>
        <version>4</version>
      </net>
      
      • NashBrydges

        The ACTIONS section of Fail2ban config allows you to select to send emails. Default setting is action = %(action_)s which bans the IP address, but changing this to action = %(action_mwl)s bans the IP as well as sends an email to the defined email address including a whois report. If you use action = %(action_xarf)s it will auto send an email to the abuse email contact from the whois lookup.

        Here is a sample email that Fail2ban sends after banning the IP:

        Hi,
        
        The IP 218.78.247.169 has just been banned by Fail2Ban after
        3 attempts against sshd.
        
        
        Here is more information about 218.78.247.169 :
        
        % [whois.apnic.net]
        % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
        
        % Information related to '218.78.240.0 - 218.78.247.255'
        
        % Abuse contact for '218.78.240.0 - 218.78.247.255' is '[email protected]'
        
        inetnum:        218.78.240.0 - 218.78.247.255
        netname:        SHANGHAI-EDU-COMMISSION
        descr:          Shanghai Education Commission
        country:        CN
        admin-c:        CHQ1-AP
        tech-c:         CHQ1-AP
        mnt-by:         MAINT-CHINANET-SH
        status:         ASSIGNED NON-PORTABLE
        last-modified:  2008-09-04T06:51:55Z
        source:         APNIC
        
        person:         Chen Hai Qiang
        address:        460 Yuyuan Road, Shanghai
        country:        CN
        phone:          +86-21-62173455
        fax-no:         +86-21-62538495
        e-mail:         [email protected]
        nic-hdl:        CHQ1-AP
        mnt-by:         MAINT-CHINANET-SH
        last-modified:  2008-09-04T07:30:36Z
        source:         APNIC
        
        % This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US4)
        
        
        Lines containing IP:218.78.247.169 in /var/log/auth.log
        
        Jun 20 18:40:34 xxxxxxxxxxxxxxxx sshd[116180]: Invalid user jesus from 218.78.247.169
        Jun 20 18:40:34 xxxxxxxxxxx sshd[116180]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.78.247.169
        Jun 20 18:40:35 xxxxxxxxxxxx sshd[116180]: Failed password for invalid user jesus from 218.78.247.169 port 8155 ssh2
        Jun 20 18:40:36 xxxxxxxxxxxxxxx sshd[116180]: Connection closed by 218.78.247.169 port 8155 [preauth]
        
        
        Regards,
        
        Fail2Ban
        
        
        • JaredBusch

          FreePBX's jail.local doesn't use that syntax.

          [root@pbx ~]# cat /etc/fail2ban/jail.local 
          # Configuration automatically generated via the Sysadmin Module
          # This file will be overwritten by Sysadmin on startup. If you modify
          # this file, your changes will be lost. DO NOT MODIFY THIS FILE!
          # generated: Thu, 21 Jun 2018 02:53:21 +0000
          
          [DEFAULT]
          ignoreip = 127.0.0.1
          bantime = 3600
          findtime = 600
          maxretry = 5
          backend = auto
          
          [asterisk-iptables]
          enabled = true
          filter = asterisk-security
          action = iptables-allports[name=SIP, protocol=all]
               sendmail[name=SIP, [email protected], [email protected]]
          logpath = /var/log/asterisk/fail2ban
          
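A ban hook of the kind the first post asks about, as an added example (not fail2ban's, FreePBX's or either poster's code): it greps the Asterisk log for the banned IP the way the first post does, summarises the failure reasons, and can pull the ARIN record from the same REST URL. The script path, the `LOGFILE` default, the `REPORT_TO` variable and the use of `mail` are assumptions; the header comment shows how a custom action.d entry would invoke it, which on FreePBX would still need the Sysadmin-generated jail.local to reference that action.

```shell
#!/bin/bash
# Hypothetical fail2ban ban hook (added example, not FreePBX or fail2ban code).
# A custom action file in /etc/fail2ban/action.d/ would run it from actionban as
#   actionban = /usr/local/bin/ban-report.sh <ip> <name> <failures>
# fail2ban substitutes <ip>, <name> and <failures> before running the command.
set -u

LOGFILE="${LOGFILE:-/var/log/asterisk/full}"   # assumed default; the path the thread greps

# All log lines mentioning the IP. -F: literal match, so dots are not wildcards;
# -w: whole token, so 207.244.157.130 does not also match 207.244.157.1301.
log_lines_for_ip() {   # $1 = ip, $2 = log file
    grep -F -w -- "$1" "$2" 2>/dev/null || true
}

# Count the failure reasons Asterisk logged for the IP (the text after the
# last " - " in each NOTICE line, e.g. "No matching endpoint found").
failure_summary() {    # $1 = ip, $2 = log file
    log_lines_for_ip "$1" "$2" | sed -n 's/.* - \([^-]*\)$/\1/p' | sort | uniq -c | sort -rn
}

# Registry record for the IP from the ARIN REST URL used in the thread.
# Needs network access; the offline demo below never calls it.
arin_lookup() {        # $1 = ip
    curl -sS --max-time 10 "http://whois.arin.net/rest/ip/$1" | xmllint --format -
}

build_report() {       # $1 = ip, $2 = jail name, $3 = failure count, $4 = log file
    printf 'IP %s banned by jail %s after %s failures\n\n' "$1" "$2" "$3"
    printf 'Failure reasons in %s:\n' "$4"
    failure_summary "$1" "$4"
    printf '\nMatching log lines:\n'
    log_lines_for_ip "$1" "$4"
}

if [ "$#" -ge 3 ]; then
    # Invoked by fail2ban: mail the report (mail(1) and REPORT_TO are assumptions).
    { build_report "$1" "$2" "$3" "$LOGFILE"; arin_lookup "$1"; } \
        | mail -s "fail2ban: $1 banned by $2" "${REPORT_TO:-root}"
elif [ "$#" -eq 0 ]; then
    # Offline demo on constructed log lines in the format shown in the thread.
    DEMO_LOG=$(mktemp); trap 'rm -f "$DEMO_LOG"' EXIT
    cat >"$DEMO_LOG" <<'EOF'
[2018-06-20 10:07:39] NOTICE[7500] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:1001@203.0.113.7>' failed for '203.0.113.7:60579' (callid: 1-2-3) - No matching endpoint found
[2018-06-20 10:10:59] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:1001@203.0.113.7>' failed for '203.0.113.7:55658' (callid: 4-5-6) - Failed to authenticate
[2018-06-20 10:11:02] NOTICE[16727] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:1001@203.0.113.70>' failed for '203.0.113.70:55659' (callid: 7-8-9) - No matching endpoint found
EOF
    build_report 203.0.113.7 SIP 2 "$DEMO_LOG"
fi
```

The demo's third line (203.0.113.70) is deliberately left out of the 203.0.113.7 report, which is the case a plain `grep <ip>` gets wrong.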