From: vip k. <vip...@gm...> - 2011-03-28 17:41:18
According to the asterisk devs, asterisk does not buffer its messages log. Please keep in mind I had this originally set up for fail2ban to check /var/log/asterisk/messages, but I switched it to /var/log/messages because I thought it might help resolve this issue.

On Mon, Mar 28, 2011 at 10:46 AM, Tom Hendrikx <to...@wh...> wrote:
> On 28/03/11 15:56, vip killa wrote:
> > On Mon, Mar 28, 2011 at 9:46 AM, Tom Hendrikx <to...@wh... <mailto:to...@wh...>> wrote:
> > > On 28/03/11 15:34, vip killa wrote:
> > > > Is anyone using asterisk with fail2ban? I have it working except it takes way more break-in attempts than what is set in "maxretry" in jail.conf.
> > > > For example, I get an email saying:
> > > > "The IP 199.204.45.19 has just been banned by Fail2Ban after 181 attempts against ASTERISK."
> > > >
> > > > when "maxretry = 5" in jail.conf.
> > > >
> > > > I asked asterisk-users about this and they said:
> > > > "How often does fail2ban check the logs? It can only block that often, so if more attempts happen in that time period it can't do anything until it knows."
> > > > Perhaps someone else is experiencing this or has resolved it, thank you in advance for your time.
> > >
> > > This can be caused by many things, f.i. log output buffering by the application writing the logfiles, or the attackers sending many attempts in a small timeframe.
> > >
> > > Could you first look at the asterisk logfile and check in what timeframe the 181 attempts are?
> >
> > Log shows break-in attempt began at 09:06:51 and ended at 09:07:08
>
> So the attacker sends more than 10 requests per second. This should trigger fail2ban with maxretry=5 after 1 second of logging. It seems to take much longer (~17 seconds until the block is effective). Read [0] on why this could be happening.
>
> According to [1], you're monitoring the syslog output for asterisk. Depending on which backend fail2ban is using, and how often the logfile is updated (many syslog implementations use buffered logging), the actual blocking could take some time.
>
> My first guess is your syslog is buffering output, so fail2ban does not see the failed attempts soon enough.
>
> [0] http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Reaction_time
> [1] http://www.fail2ban.org/wiki/index.php/Asterisk
>
> _______________________________________________
> Fail2ban-users mailing list
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
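The arithmetic in Tom's reply (attempts per second versus how often fail2ban actually gets to see the log) can be checked with a small model. The following is an added example written for this thread; it is neither fail2ban's code nor anything posted by the participants. It assumes a simplified match pattern modelled on fail2ban's asterisk filter, a constructed attack of 181 attempts at exactly 10 per second (the thread's burst was about 10.6/s), and a placeholder attacker address 203.0.113.7 from the documentation range. The log lines are constructed as well.

```python
"""Toy model of fail2ban reaction time (added example, not fail2ban's own code).

It reproduces the reasoning in the thread: an attacker at ~10 attempts/s, a jail
with maxretry=5, and a log that fail2ban only sees after a polling interval plus
whatever delay buffered logging adds. Timestamps are seconds relative to the
first attempt (09:06:51 in the thread); all log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Match pattern modelled loosely on fail2ban's asterisk filter; simplified here
# (assumption: only the two failure reasons below are recognised).
FAILED_REG = re.compile(
    r"Registration from '.*' failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})'"
    r" - (?:Wrong password|No matching peer found)"
)

# Constructed syslog-style lines; 203.0.113.7 is a documentation-range placeholder.
SAMPLE_LINES = [
    "Mar 28 09:06:51 pbx asterisk[1234]: NOTICE[1240]: chan_sip.c: Registration from "
    "'\"1001\"<sip:1001@203.0.113.5>' failed for '203.0.113.7' - Wrong password",
    "Mar 28 09:06:51 pbx asterisk[1234]: NOTICE[1240]: chan_sip.c: Registration from "
    "'\"1002\"<sip:1002@203.0.113.5>' failed for '203.0.113.7' - No matching peer found",
    "Mar 28 09:06:52 pbx asterisk[1234]: NOTICE[1240]: chan_sip.c: Peer '1001' is now Reachable",
]


def failed_hosts(lines):
    """Hosts extracted from lines that match the failed-registration pattern."""
    return [m.group("host") for m in map(FAILED_REG.search, lines) if m]


@dataclass(frozen=True)
class Attempt:
    t: float   # seconds since the first attempt
    host: str


def attack_burst(count, rate, host):
    """Evenly spaced attempts at `rate` per second (constructed attack timeline)."""
    return [Attempt(k / rate, host) for k in range(count)]


def simulate_ban(attempts, maxretry=5, findtime=600.0, poll_interval=1.0, flush_delay=0.0):
    """Return (ban_time, attempts_made_before_ban).

    fail2ban is modelled as checking the log every `poll_interval` seconds and
    counting the failures visible in the last `findtime` seconds.  A line becomes
    visible `flush_delay` seconds after it was written (0 for unbuffered logging).
    ban_time is None when maxretry is never reached.
    """
    visible = sorted(a.t + flush_delay for a in attempts)
    last_poll = visible[-1] + poll_interval
    k = 1
    while k * poll_interval <= last_poll:
        now = k * poll_interval          # multiply rather than accumulate: exact for whole seconds
        recent = sum(1 for v in visible if now - findtime <= v <= now)
        if recent >= maxretry:
            # The ban lands now; every attempt already written by then got through.
            return now, sum(1 for a in attempts if a.t <= now)
        k += 1
    return None, len(attempts)


if __name__ == "__main__":
    burst = attack_burst(181, rate=10.0, host="203.0.113.7")
    for label, kw in [
        ("unbuffered log, 1 s poll", dict(poll_interval=1.0)),
        ("unbuffered log, 5 s poll", dict(poll_interval=5.0)),
        ("15 s log buffering, 1 s poll", dict(poll_interval=1.0, flush_delay=15.0)),
    ]:
        ban_at, seen = simulate_ban(burst, **kw)
        print(f"{label}: ban at t={ban_at}s after {seen} attempts")
```

With an unbuffered log and a one-second poll the ban lands after 11 attempts, matching the "after 1 second of logging" estimate; a 15-second flush delay in the syslog path pushes the ban to t=16 s, by which time 161 attempts have been written, which is the shape of the 181-attempt report in the thread. The model is what to compare against an actual log: if the timestamps in the file show the attempts landing in real time but the ban still comes late, the delay is on the fail2ban side (backend or polling), otherwise it is upstream in the logging path.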