FOP2 logs

sbasansbasan
in Support
Hi,

I want to add the fop2 login attempts to fail2ban.
There are no logs for login attempts under httpd log.
How can I add the login attempts or login failures to fail2ban?

זה בלובינט IP מרכזיות

Comments

  • nicolasnicolas
    Enable the audit log with the -a command line variable. Edit /etc/sysconfig/fop2 and change the OPTIONS variable to include it, something similar to this:

    OPTIONS="-d -a /var/log/fop2_audit.log"

    Then you can add that log to fail2ban rules.

    Best regards,
  • avayaxavayax
    Also trying to accomplish that.
    I got this in /etc/sysconfig/fop2:
    OPTIONS="-d -a /var/log/fop2_audit.log"

    Created fop2_audit.log in /var/log/.
    Now nothing gets written into fop2_audit.log, the file stays empty.
    What am I missing?
  • nicolasnicolas
    Do not create the file, it should be created by fop2.. if you create the file you might do it with incorrect permissions, so it is better to let the software do it for you. Also, are you sure you restarted FOP2? what is the output from

    ps uax | grep fop2

    ?
  • avayaxavayax
    Yes. It is working now after a fop2 restart.
    Can you verify that this entry in /etc/sysconfig is correct?
    Running High Availability and my Ethernet interface is em1.
    OPTIONS="-d -i em1 -c /etc/asterisk/fop2 -a /var/log/fop2_audit.log"
  • nicolasnicolas
    Seems correct, rough human translation:

    daemonize, use interface em1 MAC address for license, use /etc/asterisk/fop2 for configuration directories and generate an audit log in /var/log/fop2_audit.log

  • avayaxavayax
    This is working.
    Just posting the working config I used for other users who want to do the same. This is for PIAF and FreePBX distro, which come with a preconfigured fail2ban setup.

    Create a fop2.conf file in /etc/fail2ban/filter.d/ and put the following content in there:
    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    _daemon = fop2_server

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = GENERAL\|FAILED LOGIN \(bad password\)\|<HOST>

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =


    Then add below content to /etc/fail2ban/jail.conf:
    [fop2]
    enabled = true
    filter = fop2
    action = iptables-allports[name=FOP2, protocol=all]
    sendmail[name=FOP2, dest="your destination email", sender=root@"hostname"]
    logpath = /var/log/fop2_audit.log
    bantime = 1800
    findtime = 600
    maxretry = 8
    backend = auto

    Adjust the bantime, etc. settings and change the action if you want to block custom ports and not all.
    A failed login attempt in /var/log/fop2_audit.log looks like this:

    1447099540|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49379
    1447099545|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49396

    Good luck!
  • nicolasnicolas
    Thanks for sharing your fail2ban config!
  • avayaxavayax
    edited November 2015
    Adding a slight correction here.
    Put that into /etc/fail2ban/filter.d/fop2.conf:
    failregex = GENERAL\|FAILED LOGIN \(bad password\)\|<HOST>:\d+
    GENERAL\|FAILED LOGIN \(non existant user\)\|<HOST>:\d+

    Also don't forget to do service fail2ban restart. Do fail2ban-client status to see if your jail got added.
Sign In or Register to comment.

© Asternic Corp 2024