Post a Reply
4586 views

FOP2 logs

  1. 9 years ago

    sbasan

    25 Oct 2015

    Hi,

    I want to add the fop2 login attempts to fail2ban.
    There are no logs for login attempts under httpd log.
    How can I add the login attempts or login failures to fail2ban?

    זה בלובינט IP מרכזיות

    Answered by avayax

    See post in context

    This is working.
    Just posting the working config I used for other users who want to do the same. This is for PIAF and FreePBX distro, which come with a preconfigured fail2ban setup.

    Create a fop2.conf file in /etc/fail2ban/filter.d/ and put the following content in there:
    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    _daemon = fop2_server

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = GENERAL\|FAILED LOGIN \(bad password\)\|<HOST>

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

    Then add below content to /etc/fail2ban/jail.conf:
    [fop2]
    enabled = true
    filter = fop2
    action = iptables-allports[name=FOP2, protocol=all]
    sendmail[name=FOP2, dest="your destination email", sender=root@"hostname"]
    logpath = /var/log/fop2_audit.log
    bantime = 1800
    findtime = 600
    maxretry = 8
    backend = auto

    Adjust the bantime, etc. settings and change the action if you want to block custom ports and not all.
    A failed login attempt in /var/log/fop2_audit.log looks like this:

    1447099540|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49379
    1447099545|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49396

    Good luck!

  2. admin

    25 Oct 2015 Administrator

    Enable the audit log with the -a command line variable. Edit /etc/sysconfig/fop2 and change the OPTIONS variable to include it, something similar to this:

    OPTIONS="-d -a /var/log/fop2_audit.log"

    Then you can add that log to fail2ban rules.

    Best regards,

  3. avayax

    9 Nov 2015

    Also trying to accomplish that.
    I got this in /etc/sysconfig/fop2:
    OPTIONS="-d -a /var/log/fop2_audit.log"

    Created fop2_audit.log in /var/log/.
    Now nothing gets written into fop2_audit.log, the file stays empty.
    What am I missing?

  4. admin

    9 Nov 2015 Administrator

    Do not create the file, it should be created by fop2.. if you create the file you might do it with incorrect permissions, so it is better to let the software do it for you. Also, are you sure you restarted FOP2? what is the output from

    ps uax | grep fop2

    ?

  5. avayax

    9 Nov 2015

    Yes. It is working now after a fop2 restart.
    Can you verify that this entry in /etc/sysconfig is correct?
    Running High Availability and my Ethernet interface is em1.
    OPTIONS="-d -i em1 -c /etc/asterisk/fop2 -a /var/log/fop2_audit.log"

  6. admin

    9 Nov 2015 Administrator

    Seems correct, rough human translation:

    daemonize, use interface em1 MAC address for license, use /etc/asterisk/fop2 for configuration directories and generate an audit log in /var/log/fop2_audit.log

  7. avayax

    10 Nov 2015 Answer

    This is working.
    Just posting the working config I used for other users who want to do the same. This is for PIAF and FreePBX distro, which come with a preconfigured fail2ban setup.

    Create a fop2.conf file in /etc/fail2ban/filter.d/ and put the following content in there:
    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    _daemon = fop2_server

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = GENERAL\|FAILED LOGIN \(bad password\)\|<HOST>

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

    Then add below content to /etc/fail2ban/jail.conf:
    [fop2]
    enabled = true
    filter = fop2
    action = iptables-allports[name=FOP2, protocol=all]
    sendmail[name=FOP2, dest="your destination email", sender=root@"hostname"]
    logpath = /var/log/fop2_audit.log
    bantime = 1800
    findtime = 600
    maxretry = 8
    backend = auto

    Adjust the bantime, etc. settings and change the action if you want to block custom ports and not all.
    A failed login attempt in /var/log/fop2_audit.log looks like this:

    1447099540|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49379
    1447099545|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49396

    Good luck!

  8. admin

    10 Nov 2015 Administrator

    Thanks for sharing your fail2ban config!

  9. avayax

    11 Nov 2015
    Edited 9 years ago by avayax

    Adding a slight correction here.
    Put that into /etc/fail2ban/filter.d/fop2.conf:
    failregex = GENERAL\|FAILED LOGIN \(bad password\)\|<HOST>:\d+
    GENERAL\|FAILED LOGIN \(non existant user\)\|<HOST>:\d+

    Also don't forget to do service fail2ban restart. Do fail2ban-client status to see if your jail got added.

or Sign Up to reply!