What do the logs of the attacks look like?

On 4 January 2011 at 17:18, João Marcelo Queiroz <j...@bol.com.br> wrote:
> I'm having trouble getting fail2ban to block some attacks I'm receiving on a
> server. I've read and re-read a few articles about its configuration, without
> success. My sources were:
> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
> http://iceburn.info/linux/instalar-fail2ban-em-centos.html
>
> I'm running Trixbox 2.6.2.3
>
> I would very much appreciate any help; below is some information that may help:
>
> -----------------------------
>
> [trixbox1.localdomain ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target            prot opt source                                     destination
> fail2ban-ASTERISK all  --  anywhere                                   anywhere
> ACCEPT            all  --  anywhere                                   anywhere
> ACCEPT            all  --  192.168.0.0/24                             anywhere
> DROP              all  --  ns1.oiss10.net                             anywhere      -> some IPs I blocked by hand
> DROP              all  --  93.114.196.109                             anywhere
> DROP              all  --  109.203.99.88                              anywhere
> DROP              all  --  reverse.completel.net                      anywhere
> DROP              all  --  server77-68-52-218.live-servers.net        anywhere
> DROP              all  --  server1.boundlessflight.com                anywhere
> DROP              all  --  ns1.oiss10.net                             anywhere
> DROP              all  --  184-106-165-224.static.cloud-ips.com       anywhere
> DROP              all  --  midphase.com                               anywhere
> DROP              all  --  188.161.224.232                            anywhere
> DROP              all  --  14-64-245-83.packetexchange.net            anywhere
> DROP              all  --  174-143-246-25.static.slicehost.net        anywhere
> DROP              all  --  168.188.130.184                            anywhere
> DROP              all  --  static.206.17.4.46.clients.your-server.de  anywhere
> DROP              all  --  91.220.62.36                               anywhere
> DROP              all  --  59.39.66.30                                anywhere
> ACCEPT            all  --  XXX.XXX.XXX.XX.static.gvt.net.br           anywhere
> ACCEPT            udp  --  anywhere                                   anywhere      udp dpts:sip:5070
> ACCEPT            udp  --  anywhere                                   anywhere      udp dpts:ndmp:dnp
> ACCEPT            udp  --  anywhere                                   anywhere      udp dpt:domain
> ACCEPT            udp  --  anywhere                                   anywhere      udp dpt:iax
> DROP              icmp --  anywhere                                   anywhere      icmp echo-request
> ACCEPT            all  --  anywhere                                   anywhere      state RELATED,ESTABLISHED
> DROP              tcp  --  anywhere                                   anywhere      tcp flags:FIN,SYN,RST,ACK/SYN
>
> Chain FORWARD (policy ACCEPT)
> target            prot opt source                                     destination
>
> Chain OUTPUT (policy ACCEPT)
> target            prot opt source                                     destination
>
> Chain fail2ban-ASTERISK (1 references)
> target            prot opt source                                     destination
> RETURN            all  --  anywhere                                   anywhere
>
> Chain fail2ban-SSH (0 references)
> target            prot opt source                                     destination
> RETURN            all  --  anywhere                                   anywhere
> [trixbox1.localdomain ~]#
>
> -----------------------------
> FAIL2BAN.CONF
> -----------------------------
>
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 629 $
> #
>
> [Definition]
>
> # Option: loglevel
> # Notes.: Set the log level output.
> #         1 = ERROR
> #         2 = WARN
> #         3 = INFO
> #         4 = DEBUG
> # Values: NUM  Default: 3
> #
> loglevel = 3
>
> # Option: logtarget
> # Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
> #         Only one log target can be specified.
> # Values: STDOUT STDERR SYSLOG file  Default: /var/log/fail2ban.log
> #
> logtarget = /var/log/fail2ban.log
>
> # Option: socket
> # Notes.: Set the socket file. This is used to communicate with the daemon. Do
> #         not remove this file when Fail2ban runs. It will not be possible to
> #         communicate with the server afterwards.
> # Values: FILE  Default: /var/run/fail2ban/fail2ban.sock
> #
> socket = /var/run/fail2ban/fail2ban.sock
>
> -----------------------------
> JAIL.CONF (end of file only)
> -----------------------------
>
> [asterisk-iptables]
>
> enabled  = true
> filter   = asterisk
> action   = iptables-allports[name=ASTERISK, protocol=all]
>            sendmail-whois[name=ASTERISK, dest=x...@xxx.com.br, sender=fail2...@example.org]
> logpath  = /var/log/messages
> maxretry = 3
> bantime  = 259200
>
> -----------------------------
> ASTERISK.CONF (filter.d)
> -----------------------------
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
> [Definition]
>
> #_daemon = asterisk
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
>
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
>             NOTICE.* <HOST> failed to authenticate as '.*'$
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
>             NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
> ignoreregex =
>
> -----------------------------
> LOGGER.CONF
> -----------------------------
>
> [general]
> ; dateformat=%F %T
>
> ;
> ; Logging Configuration
> ;
> ; In this file, you configure logging to files or to
> ; the syslog system.
> ;
> ; For each file, specify what to log.
> ;
> ; For console logging, you set options at start of
> ; Asterisk with -v for verbose and -d for debug
> ; See 'asterisk -h' for more information.
> ;
> ; Directory for log files is configured in asterisk.conf
> ; option astlogdir
> ;
> [logfiles]
> syslog.local0 => notice
> ;
> ; Format is "filename" and then "levels" of debugging to be included:
> ;    debug
> ;    notice
> ;    warning
> ;    error
> ;    verbose
> ;
> ; Special filename "console" represents the system console
> ;
> ;debug => debug
> ;console => notice,warning,error
> console => notice,warning,error,debug,verbose
> ;messages => notice,warning,error
> full => notice,warning,error,debug,verbose
>
> ;syslog keyword : This special keyword logs to syslog facility
> ;
> ;syslog.local0 => notice,warning,error
> ;
>
> -----------------------------
>
> Here I tried uncommenting the "; dateformat=%F %T" line and pointing
> "[asterisk-iptables]" at /var/log/asterisk/full, but that did not work either.
>
> Any help will be greatly appreciated.
>
> Regards,
>
> João Queiroz
>
> _______________________________________________
> KHOMP: quality E1, GSM, FXS and FXO cards for Asterisk.
> - Hardware with high resource availability and KHOMP quality
> - Free, qualified local technical support
> See the full KHOMP product line at www.khomp.com.br
> _______________________________________________
> Plantronics headsets at the best price in Brazil.
> Visit www.voipmania.com.br now
> VOIPMANIA STORE
> ________
> AsteriskBrasil.org discussion list
> AsteriskBrasil@listas.asteriskbrasil.org
> http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil
> ______________________________________________
> To remove your email from this list, just send a blank email to
> asteriskbrasil-unsubscr...@listas.asteriskbrasil.org
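The question in the reply is the right diagnostic: a fail2ban jail only bans when its failregex actually matches the lines in the configured logpath, so the first thing to compare is the real log line against the pattern. On the box itself, `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/asterisk.conf` does that comparison. The script below is an added example (it is not code from the post, nor from the fail2ban or Asterisk projects) that does the same thing offline: it expands `<HOST>` the way the quoted filter comment documents it, runs the posted failregex lines over a constructed excerpt of what `syslog.local0 => notice` would send to /var/log/messages, counts failures per captured host, and applies the jail's `maxretry = 3`. The last sample line goes beyond the post: it imitates an Asterisk release that appends the source port to the address (an assumption about versions other than the poster's), to show that the posted patterns then capture `address:port`, which fail2ban cannot ban. Hostnames, timestamps, extensions and addresses in the sample are constructed.

```python
import ipaddress
import re
from collections import Counter

# The <HOST> alias, exactly as documented in the quoted filter comment.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines as posted in the quoted filter.d/asterisk.conf.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# Constructed sample of /var/log/messages with Asterisk NOTICEs arriving via
# syslog.local0. Addresses are documentation ranges. The last line is an
# assumption about other Asterisk releases, which log the source as address:port.
SAMPLE_LOG = """\
Jan  4 17:10:02 trixbox1 asterisk[2217]: NOTICE[2251]: chan_sip.c:13256 in register_verify: Registration from '"100"<sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
Jan  4 17:10:03 trixbox1 asterisk[2217]: NOTICE[2251]: chan_sip.c:13256 in register_verify: Registration from '"101"<sip:101@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
Jan  4 17:10:04 trixbox1 asterisk[2217]: NOTICE[2251]: chan_sip.c:13256 in register_verify: Registration from '"102"<sip:102@203.0.113.10>' failed for '198.51.100.7' - Wrong password
Jan  4 17:10:05 trixbox1 asterisk[2217]: NOTICE[2251]: chan_iax2.c:1183 in authenticate_verify: Host 198.51.100.9 failed MD5 authentication for '200' (deadbeef != cafebabe)
Jan  4 17:10:06 trixbox1 asterisk[2217]: VERBOSE[2251]:     -- Registered SIP '100' at 192.168.0.50 port 5060
Jan  4 17:10:07 trixbox1 asterisk[2217]: NOTICE[2251]: chan_sip.c:13256 in register_verify: Registration from '"103"<sip:103@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
"""


def compile_filter(patterns=FAILREGEX):
    """Expand <HOST> into the named group and compile every failregex."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def match_line(line, compiled):
    """Return the host captured by the first matching failregex, or None.

    The posted patterns are unanchored at the start, so searching the raw
    syslog line (timestamp included) gives the same result as fail2ban's search.
    """
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text, patterns=FAILREGEX):
    """Failures per captured host; this is what the maxretry decision is based on."""
    compiled = compile_filter(patterns)
    counts = Counter()
    for line in log_text.splitlines():
        host = match_line(line, compiled)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def is_ip(value):
    """True when the captured value is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def bannable(counts, maxretry=3):
    """Hosts that reached the jail's maxretry (findtime ignored here) and are real IPs."""
    return {h for h, n in counts.items() if n >= maxretry and is_ip(h)}


def unbannable(counts):
    """Captured values that are not bare IPs (e.g. address:port): no ban is possible for these."""
    return {h for h in counts if not is_ip(h)}


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    for host, n in sorted(counts.items()):
        print(f"{host:22s} {n} failure(s)")
    print("would ban (maxretry=3):", sorted(bannable(counts)))
    print("captured but not an IP:", sorted(unbannable(counts)))
```

Running it shows 198.51.100.7 reaching three matches and being banned, the IAX2 line counted once, the VERBOSE line ignored, and the port-suffixed line captured as `198.51.100.7:5060`, which never turns into an iptables rule. If the real /var/log/messages lines produce no matches at all, the fix is in the filter or in the logger.conf routing, not in the jail.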