Attack report for asterisk is not counted

All questions about Fail2Ban (configuration, errors, filters...).
dgrechka
Posts: 2
Joined: 11 Jul 2015, 12:07

Attack report for asterisk is not counted

Post by dgrechka » 14 Jul 2015, 16:50

Hi,

I have configured fail2ban to report attacks to blocklist.de. I've set up a server record at blocklist.de.

Now I see that reports from my server are counted for the ssh filter. But all reports generated by the asterisk filter are not counted.
The reporting configuration for both ssh and asterisk is the same.
The action sending reports is "sendmail-whois-lines" both for ssh and for asterisk.

Why are my asterisk reports not counted and how can I fix it?

Regards,
Dmitry.

Martin
Posts: 400
Joined: 14 Sep 2010, 11:54

Re: Attack report for asterisk is not counted

Post by Martin » 14 Jul 2015, 17:02

Hello Dmitry,

We got your reports, but without logfiles:
Subject: [Fail2Ban] asterisk: banned 107.150.50.90 from cube.xxxxxxxxxx

Hi,

The IP 107.150.50.90 has just been banned by Fail2Ban after
10 attempts against asterisk.


Here is more information about 107.150.50.90:


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

......
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

---> the logfiles need to be saved here.

Regards,

Fail2Ban

Can you check which logfile is set in your jail.conf file?
Is there more than one logfile, like:
logpath = /var/log/xxxx/xxxx/*

If so, fail2ban does not send the logfiles in the mail.
Please check that the logfiles are set to only one file, like:
logpath = /var/log/xxxx/xxxx/error.log

After a reload/restart of Fail2ban, the logfiles are normally included in the mail.
Regards, Martin
http://www.blocklist.de/de/ Fail2Ban Reporting Service

dgrechka
Posts: 2
Joined: 11 Jul 2015, 12:07

Re: Attack report for asterisk is not counted

Post by dgrechka » 14 Jul 2015, 19:01

Hi,

Thanks for pointing me to the problem. Now I've fixed it and my reports seem to be counted.

For others having the same problem:
I use jail.local and set a common action for all of the jails in the [DEFAULT] section. The asterisk jail in jail.local did not contain any "action = ..." redefinition, as lots of other jails (e.g. ssh).
The cause of the log absence was that "action = ..." was set to sendmail-whois (thus without logs) for the asterisk filter in jail.conf, and thus it redefined my common action.
After explicitly duplicating my common action in the asterisk jail in jail.local, it overrode sendmail-whois with sendmail-whois-lines and the logs are now included in the reports.

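The override described in the last post, as an added example that is not part of the original thread or of Fail2Ban's own code: a small check that lists jails whose own `action` key shadows the common `[DEFAULT]` action. The file contents are constructed stand-ins, the function names are hypothetical, and the layering (jail.conf first, then jail.local, with a jail's own key beating `[DEFAULT]`) is assumed from the post; values are compared raw, without `%(...)s` interpolation.

```python
import configparser

# Constructed stand-ins for the two files described in the thread.
JAIL_CONF = """\
[DEFAULT]
action = sendmail

[ssh]
filter = sshd

[asterisk]
filter = asterisk
action = sendmail-whois
"""
JAIL_LOCAL = """\
[DEFAULT]
action = sendmail-whois-lines

[ssh]
enabled = true

[asterisk]
enabled = true
"""

def effective_actions(*layers):
    """layers: (name, text) pairs in load order, jail.conf before jail.local.
    Returns ({jail: (action, origin)}, default) with raw, uninterpolated values."""
    default, own, jails = None, {}, []
    for name, text in layers:
        # A dummy default_section makes [DEFAULT] an ordinary section, so
        # has_option() reports only keys written in the section itself.
        cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
        cp.read_string(text)
        for sec in cp.sections():
            if sec != "DEFAULT" and sec not in jails:
                jails.append(sec)
            if cp.has_option(sec, "action"):
                hit = (cp.get(sec, "action"), f"{name} [{sec}]")
                if sec == "DEFAULT":
                    default = hit   # a later [DEFAULT] replaces an earlier one
                else:
                    own[sec] = hit  # a jail's own key always beats [DEFAULT]
    return {j: own.get(j, default) for j in jails}, default

def jails_shadowing_default(*layers):
    """Jails whose effective action differs from the merged [DEFAULT] action."""
    per_jail, default = effective_actions(*layers)
    return {j: hit for j, hit in per_jail.items() if default and hit[0] != default[0]}
```

Calling `jails_shadowing_default(("jail.conf", JAIL_CONF), ("jail.local", JAIL_LOCAL))` on the sample reports only the asterisk jail, with its action traced to `jail.conf [asterisk]`.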