Fail2Ban on Vicibox v9.0.3 Working!!

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Moderators: enjay, williamconley, Staydog, mflorell, MJCoate, mcargile, Kumba

Postby carpenox » Wed Jul 15, 2020 12:22 am

I have gotten fail2ban working on vicibox 9 if anyone is interested.
Alma Linux 9.3 | Version: 2.14-911a | SVN Version: 3815 | DB Schema Version: 1710 | Asterisk 18.18.1
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WhatsApp: +19549477572 -:- Skype: live:carpenox_3
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby Kumba » Wed Jul 15, 2020 9:02 pm

If you can post a walk-through here that's 90% complete I can look at how I can integrate that with ViciBox.
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Thu Jul 16, 2020 11:09 am

OK no problem. I will set up one of my other servers with it today and write down the steps I used to get it working.
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby Kumba » Thu Jul 16, 2020 4:21 pm

Mostly I'd be using it to catch SIP scanners and try to feed that back into voipbl.org so that all of vicibox becomes one large crowd-sourced SIP blacklist generator.

That's my true ulterior motive. :)
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Thu Jul 16, 2020 9:22 pm

OK here it goes, it's pretty much the same as the 8 install with a few minor changes.

zypper in fail2ban


nano /etc/fail2ban/jail.local


[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 6048000
findtime  = 600
maxretry = 5
backend = systemd

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/asterisk/messages
maxretry = 3
bantime = 6048000

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=VICIBOX-SSH-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/messages
maxretry = 3
bantime = 6048000

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=apache-auth, port=http, protocol=tcp]
           sendmail[name=VICIBOX-APACHE-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
maxretry = 3

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail[name=VICIBOX-BadBots-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
bantime  = 6048000
maxretry = 1

[pam-generic]
mode = normal
filter = pam-generic
action   = iptables-allports[name=pam-generic]
           sendmail[name=VICIBOX-PAM-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000
maxretry = 5
enabled = true

[phpmyadmin-syslog]
mode = normal
filter = phpmyadmin-syslog
action   = iptables-allports[name=phpmyadmin-syslog, port=https, protocol=tcp]
           sendmail[name=VICIBOX-PHPMYADMIN-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/apache2/error_log
bantime  = 6048000
maxretry = 2
enabled = true


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log*
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=VICIBOX-BADBOY-DETECTOR, dest=yourmail, sender=yourmail]
bantime  = 6048000  ; 10 weeks
#findtime = 60480000   ; 5 hours
findtime = 43200   ; 12 hours
maxretry = 5


systemctl enable fail2ban


systemctl start fail2ban


fail2ban-client status


Advice: add your own IP to ignoreip to avoid the risk of getting banned from your own server
ignoreip = 127.0.0.1 yourserverip yourofficeip




Let me know if it works.
Last edited by carpenox on Sat Jul 18, 2020 4:14 pm, edited 4 times in total.
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL
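
An added example, not part of the original post and not fail2ban's own code: a small Python check for a jail.local shaped like the one above. It flags an option repeated within one section (fail2ban's ignoreip takes a single space-separated list), a logpath on a jail whose backend is systemd (jail.conf(5) states logpath is not valid for that backend), and reports bantime in days. The sample text, the 198.51.100.7 address and the function names are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the shape of the jail.local posted above.
SAMPLE = """\
[DEFAULT]
ignoreip = 127.0.0.1
ignoreip = 198.51.100.7
backend = systemd

[asterisk-iptables]
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=VICIBOX-ASTERISK-DETECTOR, dest=yourmail, sender=yourmail]
logpath  = /var/log/asterisk/messages
bantime  = 6048000  ; 10 weeks

[ssh-iptables]
backend  = auto
logpath  = /var/log/messages
"""

# Minimal INI reader: returns ({section: {option: value}}, [repeated-option findings]).
def parse(text):
    sections, dups, cur, name, key = {}, [], None, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        m = re.match(r"\[(.+)\]\s*$", raw)
        if m:                                         # new [section]
            name, key = m.group(1), None
            cur = sections.setdefault(name, {})
        elif raw[0].isspace() and key:                # continuation (second action)
            cur[key] += "\n" + raw.strip()
        elif "=" in raw and cur is not None:
            key, val = (s.strip() for s in raw.split("=", 1))
            if key in cur:
                dups.append(f"[{name}] {key} is set more than once")
            cur[key] = re.split(r"\s+;", val)[0]      # drop a trailing "; comment"
    return sections, dups

# Per-jail checks; a jail's own backend overrides the [DEFAULT] one.
def lint(text):
    sections, findings = parse(text)
    default = sections.get("DEFAULT", {})
    for name, opts in sections.items():
        backend = opts.get("backend", default.get("backend"))
        if name != "DEFAULT" and backend == "systemd" and "logpath" in opts:
            findings.append(f"[{name}] logpath is set but backend is systemd")
        if opts.get("bantime", "").isdigit():
            findings.append(f"[{name}] bantime is {int(opts['bantime']) / 86400:g} days")
    return findings
```

Call lint() on the text of /etc/fail2ban/jail.local before restarting the service; a jail that reads a plain log file such as /var/log/asterisk/messages can set its own backend = auto.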

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Sat Jul 18, 2020 6:52 am

I have a HUGE list of IPs if you want them, over 1700

carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Sat Jul 18, 2020 9:12 pm

Kumba wrote: Mostly I'd be using it to catch SIP scanners and try to feed that back into voipbl.org so that all of vicibox becomes one large crowd-sourced SIP blacklist generator.

That's my true ulterior motive. :)



You would have to turn the whitelist off for that, right? Not a bad idea though. Maybe set up a honeypot just for that....

Here is a failed list of ssh and pam failed tries.... https://www.cyburity.tk/d0wnl0ads/ssh-iptables.txt - there's like 1900 here in just a couple days
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby dv8inpp » Mon May 17, 2021 9:32 am

Any chance you could share your asterisk.conf and logger.conf. I find working with regex frustrating to say the least.

Thanks either way
dv8inpp
 
Posts: 3
Joined: Thu Apr 20, 2017 11:23 pm

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Mon May 17, 2021 12:00 pm

Yeah, when I get into the office I'll check it out for you and share it.
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby jayboo876 » Thu Jul 28, 2022 12:36 pm

Do you need to turn on Asterisk CLI SIP debugging (sip set debug on)?
jayboo876
 
Posts: 38
Joined: Sat Apr 02, 2022 12:51 pm

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Tue Aug 02, 2022 6:23 pm

Actually I wouldn't use fail2ban with vicidial, it ends up bogging down the system after a few months and eventually puts it to a crawl. Go with the dynamic portal method; you can follow either of my articles from my blog to do it. If you are using CentOS, Alma or Rocky Linux, you can follow this article:

https://dialer.one/how-to-scratch-insta ... ky-centos/

If you are using leap 15.* or Vicibox then you can follow this article:

https://dialer.one/how-to-use-the-built ... r-vicibox/

Or you can also check out this one overall:

https://dialer.one/how-to-secure-vicidi ... ly-part-1/

Good luck and I hope this helps

Chris aka carpenox
Last edited by carpenox on Fri Jul 28, 2023 1:50 am, edited 1 time in total.
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby jayboo876 » Fri Aug 12, 2022 2:54 pm

Know where I can find documentation around the dynamic portal app? I have checked both the agent and manager manuals and nothing.
jayboo876
 
Posts: 38
Joined: Sat Apr 02, 2022 12:51 pm

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Fri Aug 12, 2022 11:58 pm

There isn't really any "documentation", but what are you looking for? Perhaps I can help.
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby jayboo876 » Mon Aug 15, 2022 8:34 am

carpenox wrote: There isn't really any "documentation", but what are you looking for? Perhaps I can help.


So is dyna portal only whitelisting for agents using the vici embedded WebRTC phone? So the agent logs into dyna portal, then logs in to the agent console? How does it apply to a SIP soft/hard phone behind dynamic IP addresses? It seems the agent will find periods where they are unable to connect (internet IP changes), so they will need to re-login to dyna portal to update/whitelist the new IP? How does it apply to carriers, or maybe that'll be a manual entry in iptables? I like the idea of dyna portal, since the bad traffic doesn't make it to the SIP stack and it protects system resources, unlike fail2ban, but just wondering if it will be a one-size-fits-all solution.
jayboo876
 
Posts: 38
Joined: Sat Apr 02, 2022 12:51 pm

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby carpenox » Tue Aug 16, 2022 1:33 am

Yeah, it'll work for SIP phones as well, although anytime someone's IP changes, they would need to re-login to the dynamic portal to have their new IP added to the firewall. That goes for SIP/hard and web phones. You can add carrier IPs to the ViciWhite list as well as any static IPs for managers or agents, because the dynamic portal is set to clear allowed IPs every 14 days by default, although this can be changed as needed. Check out these articles below to help you get started with the dynportal:

https://dialer.one/how-to-secure-vicidi ... ly-part-1/

https://dialer.one/how-to-use-the-built ... r-vicibox/

https://dialer.one/how-to-turn-on-ip-wh ... -vicidial/


https://dialer.one/how-to-scratch-insta ... ky-centos/

Hopefully this helps

Chris aka carpenox
Last edited by carpenox on Fri Jul 28, 2023 1:51 am, edited 3 times in total.
carpenox
 
Posts: 2223
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby jayboo876 » Wed Aug 17, 2022 10:42 am

Thanks for the feedback. I'll give it a try in lab and see how it works.
jayboo876
 
Posts: 38
Joined: Sat Apr 02, 2022 12:51 pm

Re: Fail2Ban on Vicibox v9.0.3 Working!!

Postby newbie » Sun Jul 09, 2023 2:03 am

Would be great if your site is up again @carpenox. I've been following your guides but now I can't access your site anymore. Would be great if it's gonna be up again :)
Asterisk version:13.38.2-vici | ViciBox v.10.0.1 220503 | ViciDial Admin VERSION: 2.14-896a BUILD: 230926-0849 |SVN Version:3762|DB Schema Version: 1695| Cluster: 6x Asterisk, 2x MariaDB (replication)
newbie
 
Posts: 50
Joined: Mon Jul 06, 2009 8:34 pm
Location: Manila, Philippines

