
CDR and fail2ban in Freepbx 15 - need help!

Alexandr
2019-12-09
2019-12-10
  • Alexandr

    Alexandr - 2019-12-09

    Hi!
    I use "armbian bionic" with an "orange pi one". Asterisk 16 + FreePBX 15.
    After reading multiple tutorials I don't understand how to create the MySQL connector for an ARM CPU.
    I think something like this: copy the files and configs from the RasPBX image, but nothing works.
    One more thing...
    Fail2ban works with another logrotate and "regex".
    SSH - blocks
    SIP - blocks
    Wrong SIP password - blocks
    FreePBX brute force - NO.

    Can someone make a tutorial on how to set up CDR logs and fail2ban in 2019?

    If you want to help other people, I can give you access to my "orange pi" for experiments.
    Thanks for your time!

  • Alexandr

    Alexandr - 2019-12-10

    OK... I will start.
    ASTERISK 16 WITH FREEPBX 15 & fail2ban - simple tutorial.
    apt-get install fail2ban

    • wait for the bla... bla... bla to finish

    Next, what we are going to do is make some jails for the losers ("hackers").
    nano /etc/fail2ban/jail.local
    Insert the config data below:


    # One iptables chain name per jail. Giving every jail name=SIP makes them all
    # manage the same f2b-SIP chain, so stopping one jail tears down the others' bans.
    [asterisk]
    enabled = true
    filter = asterisk
    port = 5060,5061
    action = iptables-allports[name=ASTERISK, protocol=all]
    logpath = /var/log/asterisk/security
    findtime = 600
    bantime = 600
    maxretry = 3

    [freepbx]
    enabled = true
    filter = freepbx
    action = iptables-allports[name=FREEPBX, protocol=all]
    logpath = /var/log/asterisk/freepbx_security.log
    maxretry = 3
    findtime = 600
    bantime = 600

    [sshd]
    enabled = true
    port = 22
    action = iptables-allports[name=SSH, protocol=all]
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    findtime = 600
    bantime = 600


    After this we have to make two new filter configs, "asterisk" and "freepbx".
    nano /etc/fail2ban/filter.d/freepbx.conf

    [INCLUDES]
    before = common.conf
    
    [Definition]
    datepattern = ^\[%%Y-%%b-%%d %%H:%%M:%%S\]
    
    failregex = \[freepbx_security\.NOTICE\]: Authentication failure for .* from <HOST>
    

    nano /etc/fail2ban/filter.d/asterisk.conf

    [INCLUDES]
    before = common.conf
    
    [Definition]
    _daemon = asterisk
    __pid_re = (?:\s*\[\d+\])
    iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
    
    log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
    prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
    # This is the stock fail2ban asterisk filter; the three failregex lines that the
    # terminal cut off at "$" are given here in full so the regexes are balanced.
    failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
                ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
                ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
                ^No registration for peer '[^']*' \(from <HOST>\)$
                ^hacking attempt detected '<HOST>'$
                ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
                ^"Rejecting unknown SIP connection from <HOST>"$
                ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
    
    ignoreregex =
    
    datepattern = {^LN-BEG}
    

    Now we have to add a "new log".

    /etc/asterisk/logger.conf
    Put this at the end of the file (the [logfiles] section):
    security => security


    Reboot and test it!
    reboot

    I forgot to say something about the configs...
    If someone tries to brute-force SIP, the web interface or SSH, after 3 attempts the IP will be banned for 10 min, i.e. 600 sec.
    That's all!


    Last edit: Alexandr 2019-12-10
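The post's filters and jail settings can be checked offline before touching a live box. The script below is an added example, not code from Alexandr's post or from fail2ban: it expands fail2ban's `<HOST>` placeholder (IPv4 only here), applies the post's freepbx failregex and two of the asterisk failregex lines to constructed log lines, then applies the jail's `maxretry`/`findtime` rule to see which source IPs each jail would ban. The Asterisk prefix regex is a simplified stand-in for the filter's `prefregex`, the log lines are constructed samples, and the Asterisk ones assume `dateformat=%F %T` in `/etc/asterisk/logger.conf` so the timestamp carries a year.

```python
"""Replay the post's fail2ban filters against constructed log lines.

Added example (not from the original post or from fail2ban). All log lines
below are constructed samples; the Asterisk ones assume dateformat=%F %T in
logger.conf. bantime is not modelled, only the maxretry/findtime decision.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with its own address pattern; IPv4 is enough here.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def f2b(pattern: str) -> "re.Pattern[str]":
    """Compile a fail2ban failregex line (containing <HOST>) as a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST))


# filter.d/freepbx.conf from the post: date prefix, then the failregex (no ^, so search()).
FREEPBX_DATE = re.compile(r"^\[(\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\] ")
FREEPBX_FAIL = f2b(r"\[freepbx_security\.NOTICE\]: Authentication failure for .* from <HOST>")

# filter.d/asterisk.conf: simplified stand-in for the post's prefregex
# (date, level[pid], optional call id, source file), then two of its failregex lines.
ASTERISK_PREFIX = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?:NOTICE|SECURITY|WARNING)\[\d+\](?:\[C-[\da-f]*\])? [^:]+: (?P<content>.+)$"
)
ASTERISK_FAIL = [
    f2b(r"^Registration from '[^']*' failed for '<HOST>(:\d+)?' - "
        r"(?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|"
        r"Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\))$"),
    f2b(r'^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
        r'(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"'
        r'(?:,(?!RemoteAddress=)\w+="[^"]*")*$'),
]


def freepbx_failures(lines):
    """Yield (timestamp, ip) for each freepbx_security.log line the freepbx filter flags."""
    for line in lines:
        d = FREEPBX_DATE.match(line)
        m = FREEPBX_FAIL.search(line)
        if d and m:
            yield datetime.strptime(d.group(1), "%Y-%b-%d %H:%M:%S"), m.group("host")


def asterisk_failures(lines):
    """Yield (timestamp, ip) for each Asterisk security-log line the asterisk filter flags."""
    for line in lines:
        p = ASTERISK_PREFIX.match(line)
        if not p:
            continue
        for rx in ASTERISK_FAIL:
            m = rx.match(p.group("content"))
            if m:
                yield datetime.strptime(p.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")
                break


def would_ban(events, maxretry=3, findtime=600):
    """Jail rule: ban an IP once maxretry failures fall inside any findtime-second window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(ip)
                break
    return banned


# Constructed sample of /var/log/asterisk/freepbx_security.log (FreePBX GUI logins).
FREEPBX_LOG = """\
[2019-Dec-10 10:11:12] [freepbx_security.NOTICE]: Authentication failure for admin from 203.0.113.7
[2019-Dec-10 10:11:20] [freepbx_security.NOTICE]: Authentication failure for admin from 203.0.113.7
[2019-Dec-10 10:11:31] [freepbx_security.NOTICE]: Authentication failure for root from 203.0.113.7
[2019-Dec-10 10:12:02] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.9
[2019-Dec-10 10:40:45] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.9
[2019-Dec-10 10:13:00] [freepbx_security.INFO]: Authentication success for admin from 192.0.2.10
""".splitlines()

# Constructed sample of /var/log/asterisk/security (the channel added in logger.conf).
ASTERISK_LOG = """\
[2019-12-10 10:15:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2019-12-10T10:15:01.100+0000",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1001",SessionID="0x1",LocalAddress="IPV4/UDP/10.0.0.2/5060",RemoteAddress="IPV4/UDP/192.0.2.44/51234",Challenge="abc"
[2019-12-10 10:15:04] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2019-12-10T10:15:04.100+0000",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="9999",SessionID="0x2",LocalAddress="IPV4/UDP/10.0.0.2/5060",RemoteAddress="IPV4/UDP/192.0.2.44/51234"
[2019-12-10 10:15:09] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.2>' failed for '192.0.2.44:5060' - Wrong password
[2019-12-10 10:15:30] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.2>' failed for '198.51.100.9:5060' - Wrong password
[2019-12-10 10:16:00] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2019-12-10T10:16:00.100+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="0x3",LocalAddress="IPV4/UDP/10.0.0.2/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060"
""".splitlines()

if __name__ == "__main__":
    print("freepbx jail bans:", sorted(would_ban(freepbx_failures(FREEPBX_LOG))))
    print("asterisk jail bans:", sorted(would_ban(asterisk_failures(ASTERISK_LOG))))
```

With the post's `maxretry = 3` / `findtime = 600`, only 203.0.113.7 is banned by the freepbx jail (three GUI failures in 19 seconds) and only 192.0.2.44 by the asterisk jail; 198.51.100.9 stays under the threshold in both, and the success lines never match. Each jail counts independently, which is why the same attacker hitting SIP and the GUI needs a matching filter on both logs. On a real box the same check is `fail2ban-regex /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/freepbx.conf`.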

