Fail2ban critical exception - does not ban IPs

I am trying to run fail2ban on CentOS 7 (no SELinux), which uses firewalld. My goal is to set it up to ban Asterisk password failures.

Installed with the default yum install fail2ban

For configuration I only added a jail.local, with the following contents:

[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
destemail = [email protected]
sender = [email protected]


[asterisk]
enabled = true
#filter = asterisk
#logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 86400

Now, when I restart the fail2ban service, I get fail2ban.log entries like these:

2015-04-26 13:35:18,149 fail2ban.server         [2820]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
2015-04-26 13:35:18,151 fail2ban.database       [2820]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-04-26 13:35:18,158 fail2ban.jail           [2820]: INFO    Creating new jail 'asterisk'
2015-04-26 13:35:18,182 fail2ban.jail           [2820]: INFO    Jail 'asterisk' uses systemd
2015-04-26 13:35:18,213 fail2ban.jail           [2820]: INFO    Initiated 'systemd' backend
2015-04-26 13:35:18,220 fail2ban.filter         [2820]: INFO    Set maxRetry = 5
2015-04-26 13:35:18,222 fail2ban.actions        [2820]: INFO    Set banTime = 86400
2015-04-26 13:35:18,223 fail2ban.filter         [2820]: INFO    Set findtime = 600
2015-04-26 13:35:18,309 fail2ban.filtersystemd  [2820]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2015-04-26 13:35:18,331 fail2ban.jail           [2820]: INFO    Jail 'asterisk' started
2015-04-26 13:35:18,488 fail2ban                [2820]: CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/fail2ban/server/jailthread.py", line 64, in run_with_except_hook
    run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 244, in run
    *self.formatJournalEntry(logentry))
  File "/usr/lib/python2.7/site-packages/fail2ban/server/filtersystemd.py", line 172, in formatJournalEntry
    'SYSLOG_PID', logentry['_PID']))
KeyError: '_PID'
2015-04-26 13:35:19,211 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.129.1.26
2015-04-26 13:35:19,534 fail2ban.actions        [2820]: NOTICE  [asterisk] Ban 212.83.187.182

I don't understand what is missing. The 2 "Ban" actions in the log did not actually happen (I still see attempts from those IPs in the Asterisk log).
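An added example (not fail2ban's own code, and not part of the original question) of what the traceback is describing. The log shows the jail using the systemd backend with no journalmatch set, so every journal entry is turned into a syslog-style line, and the traceback shows that formatting step falling back from SYSLOG_PID to _PID and raising KeyError when the entry has neither. The script below reproduces that with constructed journal entries (a kernel message is a typical entry without a PID), then shows the two ways the input stops reaching that code path: restricting the jail with a journalmatch term (the value _SYSTEMD_UNIT=asterisk.service is an assumption, not taken from the page) and a tolerant formatter that omits the [pid] part. Hostname, PIDs, addresses and messages are all constructed.

```python
"""Added example (not fail2ban's code): reproduce and avoid the KeyError seen in
the traceback. fail2ban's systemd backend turns each journal entry into a
syslog-style line; the traceback shows the lookup falling back from SYSLOG_PID
to _PID and raising when neither field exists. With no journalmatch set, every
journal entry reaches that code, including ones that never carry a PID.
All journal entries below are constructed."""
from datetime import datetime

# Constructed journal entries in the dict shape python-systemd's Reader yields.
JOURNAL = [
    {   # an Asterisk line: carries a PID, so either formatter handles it
        "__REALTIME_TIMESTAMP": datetime(2015, 4, 26, 13, 35, 18),
        "_HOSTNAME": "pbx", "_SYSTEMD_UNIT": "asterisk.service",
        "SYSLOG_IDENTIFIER": "asterisk", "SYSLOG_PID": "1234", "_PID": "1234",
        "MESSAGE": "NOTICE[1234] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' "
                   "failed for '198.51.100.7:5060' - Wrong password",
    },
    {   # a kernel line: no SYSLOG_PID and no _PID at all
        "__REALTIME_TIMESTAMP": datetime(2015, 4, 26, 13, 35, 18),
        "_HOSTNAME": "pbx", "_TRANSPORT": "kernel", "SYSLOG_IDENTIFIER": "kernel",
        "MESSAGE": "usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    },
]


def _prefix(entry):
    """'Apr 26 13:35:18 pbx asterisk' part shared by both formatters."""
    ts = entry["__REALTIME_TIMESTAMP"].strftime("%b %d %H:%M:%S")
    ident = entry.get("SYSLOG_IDENTIFIER", entry.get("_COMM", ""))
    return "%s %s %s" % (ts, entry.get("_HOSTNAME", ""), ident)


def format_entry_fragile(entry):
    """Same lookup order as the traceback: SYSLOG_PID, else _PID.
    The default argument is evaluated eagerly, so a missing _PID raises KeyError
    even before dict.get looks at SYSLOG_PID."""
    pid = entry.get("SYSLOG_PID", entry["_PID"])
    return "%s[%s]: %s" % (_prefix(entry), pid, entry["MESSAGE"])


def format_entry_safe(entry):
    """Tolerant variant: drop the [pid] part when the entry has no PID field."""
    pid = entry.get("SYSLOG_PID", entry.get("_PID"))
    head = _prefix(entry) + ("[%s]" % pid if pid is not None else "")
    return "%s: %s" % (head, entry["MESSAGE"])


def parse_journalmatch(spec):
    """'_SYSTEMD_UNIT=asterisk.service _COMM=asterisk' -> [(field, value), ...]."""
    return [tuple(term.split("=", 1)) for term in spec.split()]


def scan(journal, journalmatch=None, formatter=format_entry_safe):
    """Format every entry that satisfies journalmatch (this toy ANDs all terms)."""
    terms = parse_journalmatch(journalmatch) if journalmatch else []
    return [formatter(e) for e in journal
            if all(e.get(f) == v for f, v in terms)]


def missing_key(journal, journalmatch=None, formatter=format_entry_fragile):
    """Return the journal field whose absence makes the formatter crash, or None."""
    try:
        scan(journal, journalmatch, formatter)
    except KeyError as err:
        return err.args[0]
    return None


if __name__ == "__main__":
    print("unfiltered, fragile formatter crashes on:", missing_key(JOURNAL))
    print("journalmatch keeps the kernel line out:",
          scan(JOURNAL, "_SYSTEMD_UNIT=asterisk.service", format_entry_fragile))
    for line in scan(JOURNAL):
        print("tolerant formatter:", line)
```

Run it as-is to see the unfiltered scan fail on `_PID`, the journalmatch-restricted scan succeed with the fragile formatter, and the tolerant formatter handle both entries. The practical reading for a jail is the one the NOTICE in the log already hints at: give the systemd backend a journalmatch so only the service's own entries are parsed, which is also what keeps the regex checking cheap.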

Answer 1

I think you are on the wrong track. Asterisk is moving from simple security event logging (to a flat file) to logging security events through the AMI. Consider blocking based on AMI events instead of the security log. There are many free alternatives to fail2ban (see http://www.voip-info.org/wiki/view/Asterisk+security for some examples).

More importantly, as Asterisk moves from SIP to PJSIP, the log messages have changed (and are still changing), so you would have to update the regex entries regularly or security events may slip past your fail2ban setup. It's a whack-a-mole approach...

Answer 2

In your asterisk config block you have commented out the filter and logpath options. This is probably what the application is complaining about. Verify the paths and uncomment both of them.
