Re: [Fail2ban-users] asterisk and fail2ban

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

According to the asterisk devs, asterisk does not buffer it's messages log,
please keep in mind i had this originally setup for fail2ban to check
/var/log/asterisk/messages but i switched it to /var/log/messages because i
thought it might help resolve this issue.

On Mon, Mar 28, 2011 at 10:46 AM, Tom Hendrikx <to...@wh...> wrote:

> On 28/03/11 15:56, vip killa wrote:
> > On Mon, Mar 28, 2011 at 9:46 AM, Tom Hendrikx <to...@wh...
> > <mailto:to...@wh...>> wrote:
> >
> >     On 28/03/11 15:34, vip killa wrote:
> >     > Is anyone using asterisk with fail2ban? I have it working except it
> >     > takes way more break-in attempts than what is set in "maxretry" in
> >     jail.conf
> >     > For example, I get an email saying:
> >     > "The IP 199.204.45.19 has just been banned by Fail2Ban after 181
> >     > attempts against ASTERISK."
> >     >
> >     > when "maxretry = 5" in jail.conf
> >     >
> >     > I asked asterisk-users about this and they said:
> >     > "How often does fail2ban check the logs? It can only block that
> often,
> >     > so if more attempts happen in that time period it can't do anything
> >     > until it knows."
> >     > Perhaps someone else is experiencing this or has resolved it,
> >     thank you
> >     > in advance for your time.
> >     >
> >
> >     This can be caused by many things, f.i. log output buffering by the
> >     application writing the logfiles, or the attackers sending many
> attempts
> >     in a small timeframe.
> >
> >     Could you first look at the asterisk logfile and check what in
> timeframe
> >     the 181 attempts are?
> >
> > Log shows break-in attempt began at 09:06:51 and ended at 09:07:08
> >
>
> So the attacker sends more than 10 requests per second. This should
> trigger fail2ban with maxretry=5 after 1 second of logging. It seems to
> take much longer (~17 seconds until the block is effective). Read [0] on
> why this could be happening.
>
> According to [1], you're monitoring the syslog output for asterisk.
>
> Depending on which backend fail2ban is using, and how often the logfile
> is updated (many syslog implementations use buffered logging), the
> actual blocking could take some time.
>
> My first guess is your syslog is buffering output, so fail2ban does not
> see the failed attempts soon enough.
>
> [0] http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Reaction_time
> [1] http://www.fail2ban.org/wiki/index.php/Asterisk
>
>
>
> ------------------------------------------------------------------------------
> Enable your software for Intel(R) Active Management Technology to meet the
> growing manageability and security demands of your customers. Businesses
> are taking advantage of Intel(R) vPro (TM) technology - will your software
> be a part of the solution? Download the Intel(R) Manageability Checker
> today! http://p.sf.net/sfu/intel-dev2devmar
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
>