[Freeswitch-users] fail2ban does not apply ban, fail2ban-regex works

Sergey Safarov s.safarov at gmail.com
Wed May 11 14:35:28 MSD 2016


Please send this request to the fail2ban community.
As far as I know, fail2ban is too difficult to troubleshoot. On my servers fail2ban
stops updating iptables rules from time to time. When that happens, I restart
the fail2ban daemon.

Sergey.

On Wed, 11 May 2016 at 10:30, Mimiko <vbvbrj at gmail.com> wrote:

> Hello.
>
> I have this config for freeswitch:
>
> jail.local:
>
> [ssh]
> enabled  = true
> port     = ssh
> filter   = sshd
> logpath  = /var/log/auth.log
> maxretry = 5
> [freeswitch]
> enabled  = true
> port     = 5060,5061,5080,5081
> ignoreip = 127.0.0.1/8 10.10.0.0/16
> filter   = freeswitch
> logpath  = /var/log/freeswitch/freeswitch.log
> maxretry = 1
> findtime = 600
> bantime  = 60
> action   = iptables-ban
>
>
> freeswitch.conf:
>
> [Definition]
>
> failregex = ^[-: \.\d]+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@[^\]]+\] from <HOST>$
>
> ignoreregex =
>
>
>
> When running
>
> fail2ban-regex /var/log/freeswitch/freeswitch.log /etc/fail2ban/filter.d/freeswitch.conf
>
> There are matches with failed users:
>
> /usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5
> module is deprecated; use hashlib instead
>    import md5
>
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/freeswitch.conf
> Use log file   : /var/log/freeswitch/freeswitch.log
>
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> |  [1] ^[-: \.\d]+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@[^\]]+\] from <HOST>$
> |
> `- Number of matches:
>     [1] 18 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
>
> Addresses found:
> [1]
>      163.172.194.73 (Wed May 11 10:16:54 2016)
>      163.172.194.73 (Wed May 11 10:18:02 2016)
>      163.172.194.73 (Wed May 11 10:18:30 2016)
>      163.172.194.73 (Wed May 11 10:18:40 2016)
>      163.172.194.73 (Wed May 11 10:19:10 2016)
>      163.172.194.73 (Wed May 11 10:19:29 2016)
>      163.172.194.73 (Wed May 11 10:20:10 2016)
>      163.172.194.73 (Wed May 11 10:20:30 2016)
>      163.172.194.73 (Wed May 11 10:20:37 2016)
>      163.172.194.73 (Wed May 11 10:21:42 2016)
>      163.172.194.73 (Wed May 11 10:21:53 2016)
>      163.172.194.73 (Wed May 11 10:22:00 2016)
>      163.172.194.73 (Wed May 11 10:22:50 2016)
>      163.172.194.73 (Wed May 11 10:23:13 2016)
>      163.172.194.73 (Wed May 11 10:23:28 2016)
>      163.172.194.73 (Wed May 11 10:23:30 2016)
>      163.172.194.73 (Wed May 11 10:25:07 2016)
>      163.172.194.73 (Wed May 11 10:25:29 2016)
>
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 5196 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 0 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): <Month/Day/Year at Hour:Minute:Second>
>
> Success, the total number of match is 18
>
> However, look at the above section 'Running tests' which could contain important
> information.
>
>
> However, fail2ban does not ban that IP, although when an ssh login attempt
> is detected, fail2ban does ban the IP.
>
> I've checked the time and time zone and all is OK. On the server, local time is
> +3 from UTC. The sshd log, freeswitch log and fail2ban log are in the same time
> zone.
>
> What could be the culprit?
>
>
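
Added example, not part of the thread and not fail2ban's own code: fail2ban-regex counts every line the failregex matches, while the running jail also drops matches from ignoreip addresses and matches older than findtime before counting towards maxretry. The sketch below models those extra checks with the filter and jail values quoted above; the IPv4-only <HOST> pattern, the evaluate() helper and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Copied from the freeswitch.conf and jail.local quoted above.
FAILREGEX = (r"^[-: \.\d]+ \[WARNING\] sofia_reg\.c:\d+ Can't find user "
             r"\[\d+@[^\]]+\] from <HOST>$")
IGNOREIP = ["127.0.0.1/8", "10.10.0.0/16"]
MAXRETRY, FINDTIME = 1, 600

# Assumption: IPv4-only stand-in for fail2ban's <HOST> expansion.
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
NETS = [ipaddress.ip_network(n, strict=False) for n in IGNOREIP]


def evaluate(lines, now):
    """Return (hosts that would be banned, matches dropped and why)."""
    hits, dropped = Counter(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        # "Year-Month-Day Hour:Minute:Second", the template fail2ban-regex hit.
        stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        if any(ipaddress.ip_address(host) in net for net in NETS):
            dropped.append((host, "ignoreip"))
        elif stamp < now - timedelta(seconds=FINDTIME):
            dropped.append((host, "older than findtime"))
        else:
            hits[host] += 1
    return sorted(h for h, n in hits.items() if n >= MAXRETRY), dropped


# Constructed sample lines in FreeSWITCH's log layout (not from the poster's log).
SAMPLE = [
    "2016-05-11 10:16:54.351270 [WARNING] sofia_reg.c:1703 Can't find user [1001@203.0.113.10] from 198.51.100.7",
    "2016-05-11 10:17:02.118432 [WARNING] sofia_reg.c:1703 Can't find user [1002@203.0.113.10] from 10.10.3.4",
    "2016-05-11 10:17:05.000001 [NOTICE] switch_channel.c:1104 New Channel sofia/internal/1000@203.0.113.10",
]

if __name__ == "__main__":
    # Same lines, two clocks: in step with the log, then three hours ahead of it.
    print(evaluate(SAMPLE, datetime(2016, 5, 11, 10, 18, 0)))
    print(evaluate(SAMPLE, datetime(2016, 5, 11, 13, 18, 0)))
```

With the clock in step with the log the external address is banned on its first match; with the clock three hours ahead the same match is discarded as stale, although fail2ban-regex would still report it.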