## Debian/Ubuntu: install fail2ban; its configuration lives under /etc/fail2ban
# apt install fail2ban
# cd /etc/fail2ban/
## FreeBSD: the py27- flavour of the port (Python 2.7 is end-of-life; prefer a py3
## flavour where the ports tree offers one); the service is switched on via rc.conf
# pkg install py27-fail2ban
# cat /etc/rc.conf
## (excerpt of the output)
... fail2ban_enable="YES"
## FreeBSD keeps the configuration under /usr/local/etc/fail2ban
# cd /usr/local/etc/fail2ban/
## Stock jail definitions, the jail.d/ drop-in directory and the shipped sshd/asterisk filters
# cat jail.conf
# ls jail.d/
# cat filter.d/sshd.conf
# cat filter.d/asterisk.conf
# jail.local — local overrides layered over jail.conf (fail2ban, configparser syntax)
# First cut: only the retry thresholds are tuned.

[sshd]
# No "enabled = true" here: unless jail.conf or a jail.d/ drop-in enables sshd,
# this section only changes a threshold for a jail that is still off.
maxretry = 6

[asterisk]
enabled = true
maxretry = 3
## Revised jail.local (contents follow)
# cat jail.local
# jail.local — revised: each jail names its filter, ban action and log explicitly

[sshd]
enabled = true
filter = sshd
# ban through the pf action (FreeBSD packet filter)
action = pf
maxretry = 6
logpath = /var/log/auth.log

[asterisk]
# Allow-list left disabled; without it an internal address can be banned too
# (the unbanip step later on this page lifts exactly such a ban).
# ignoreip = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
enabled = true
action = pf
maxretry = 3
# filter and logpath are not set here, so the values from jail.conf's [asterisk] apply
## Apply the new jail.local and follow fail2ban's own log
# service fail2ban reload
# service fail2ban start
# tail -f /var/log/fail2ban.log
## Inspect jail state and lift a ban by hand (an internal host was caught here)
# fail2ban-client status
# fail2ban-client status asterisk
# fail2ban-client set asterisk unbanip 172.16.1.21
# tail -f /var/log/fail2ban.log
## Extra jail delivered as a drop-in under jail.d/
# cat jail.d/snort_jail.conf
# jail.d/snort_jail.conf — bans addresses matched by the snort_filter filter

[snort]
enabled = true
# ban length in seconds; consider whether 30 s is long enough for the source in question
bantime = 30
filter = snort_filter
maxretry = 3
logpath = /var/log/auth.log
# alternative actions tried while testing; with none set, jail.conf's default action applies
#action = tmp_file_action
#action = iptables-allports
## Filter referenced by the snort jail
# cat filter.d/snort_filter.conf
# filter.d/snort_filter.conf — matches two Snort alert messages; <HOST> captures the address

[INCLUDES]
# nothing included; the shipped filters put "before = common.conf" here

[Definition]
# "} " before <HOST> is presumably the end of Snort's {proto} tag that precedes the
# address in an alert line — confirm against a real line with fail2ban-regex.
# The "." in root.exe is unescaped and therefore matches any character.
failregex = .*Directory traversal attempt.*} <HOST>.*
            .*WEB-IIS CodeRed v2 root.exe access.*} <HOST>.*
ignoreregex =
## Dry-run the filter against the log before trusting the jail
# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/snort_filter.conf
## Test action that only records bans in a file
# cat action.d/tmp_file_action.conf
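# action.d/tmp_file_action.conf — test action that only records ban/unban events in a file
# <ip> and <fq-hostname> are fail2ban action tags substituted when the action runs.

[Definition]
# The log file is kept outside world-writable directories: the action runs with
# fail2ban's (root) privileges, and a fixed name under /tmp can be pre-created by any
# local user, redirecting the append. The path below is an example; adjust it to the
# host's logging layout.
actionban = echo "`date` f2ban detect ip: <ip>, hostname: <fq-hostname>" >> /var/log/f2b_file_action.log
# Record the matching unban so the file shows the full lifecycle of each ban.
actionunban = echo "`date` f2ban unban ip: <ip>, hostname: <fq-hostname>" >> /var/log/f2b_file_action.log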
## Make the fail2ban chain apply to routed traffic as well (the iptables actions hook
## into INPUT by default). The chain is named f2b-<name>, where <name> defaults to the
## jail name — for the snort jail above that is f2b-snort unless name= was overridden;
## check with iptables -S before appending, as -A fails if the chain does not exist.
# iptables -A FORWARD -j f2b-default
## Shipped Asterisk filter, for reference
# less filter.d/asterisk.conf
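# filter.d/asterisk.conf — shipped Asterisk filter (older chan_sip NOTICE format).
# Changes against the listing on this page:
#  - "ACL error (permit/deny)" had unescaped parentheses, i.e. a regex group matching
#    "ACL error permit/deny"; the log text contains the literal parentheses, so that
#    alternative never matched. Escaped as \(permit/deny\).
#  - three alternatives appeared twice ("No matching peer found", "Device does not
#    match ACL", "Sending fake auth rejection for device.*"); the duplicates were
#    dropped — they matched the same lines a second time and added nothing.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
            NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
            NOTICE.* .*: Failed to authenticate device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\)
            NOTICE.* .*: Sending fake auth rejection for device .*\;tag=.* \(<HOST>:.*\)
# The trailing "(.*)" on the MD5 line is also an unescaped group; it matches any
# trailing text, so it is left as shipped.

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =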
# failregex for Asterisk's SECURITY event log (newer filter variant); the enclosing
# [Definition] header is not part of this excerpt.
# <HOST> is taken from the third slash-separated field of RemoteAddress — in Asterisk
# that is typically IPV4/UDP/<addr>/<port>; confirm against a log line with fail2ban-regex.
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*