fail2ban questions

[sokalsondha]

Hello everyone
can someone guide me how this fail2ban works?

i mean when fail2ban ban an IP will this IP send to IPtables list for ban? and how do i see that iptables ban list? i mean any command for it?
i can see there are two file called jail.conf and jail.local in both files there is jail names like sip-auth-challenge etc etc etc. which file is the main jail configuration file? jail.conf or jail.local

and can someone tell which jail works how? i mean like one jail called fusionpbx whats that jail for and how its works?
i mean for a particular jail how people will banned? i understand the SSH one as if someone try wrong ssh details for certain time they will be banned for x amount of minutes
but all others very confused.. i think i need to understand all the jails. may be someone can help me please..

1. [freeswitch]

2. [freeswitch-acl]

3. [freeswitch-ip]

4. [auth-challenge-ip]

5. [sip-auth-challenge]

6. [sip-auth-failure]

7. [fusionpbx-404]

8. [fusionpbx]

9. [fusionpbx-mac]

10. [nginx-404]

11. [nginx-dos]


Hope someone spend little bit time for me to help me

Thanks

 

[ad5ou]

For more information on how each of the jails are triggered, check the conf files in /etc/fail2ban/filter.d/
Example of freeswitch.conf:

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia $
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia pr$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

 

[sokalsondha]

thanks dear. i have checked those file already.. but its almost same description for everything. i wanted to know more like the real reason
thanks

 

[whut]

Fail2ban reads log files and then determines based upon your configuration to block attempts. Each jail is defined in /etc/fail2ban/filter.d/ as @ad5ou had displayed. At this point in learning I would just know they exists and then look elsewhere to better understand f2b. jail.conf is the default configuration for f2b and it is recommended to not edit this file. It is recommended to make any edits within the jail.local file instead, including adding the 'ignoreip' line, which is your list of whitelisted ip addresses and ip address ranges.

Look at https://docs.fusionpbx.com/en/latest/firewall/fail2ban.html?highlight=fail2ban#fail2ban for commands to view iptables and if an ip address or domain has been banned/blocked.

Also see https://www.fail2ban.org/wiki/index.php/Main_Page , though I sometimes find better understanding from web searching for f2b specific knowledge.

Look at and edit your jail.local.
```
[ssh]
enabled = true
port = 22
protocol = ssh
filter = sshd
logpath = /var/log/auth.log
action = iptables-allports[name=sshd, protocol=all]
maxretry = 6
findtime = 60
bantime = 86400
...
```
the ssh jail is enabled
it watches /var/log/auth.log
looking for sshd keyword
ban the ip address (add to iptables on all ports)
when 6 attempts have been made within 60 seconds
ban the ip address for 86,400 seconds

 

[whut]

See https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/fail2ban/jail.local for the current default debian jail settings.

 

[ad5ou]

thanks dear. i have checked those file already.. but its almost same description for everything. i wanted to know more like the real reason
thanks

Each of the configs have a different "Regex" to test in the various log files fail2ban is set to check. In the example above for Freeswitch log, it checks for "...SIP auth failure" and after the configured failed attempts, it will ban the offending IP.

Another example is from freewistch-ip.conf where it checks for "...Can't find user.." when an offending host attempts random users at the server's IP address. Since Fusionpbx typically uses extension@domainname for real extensions, attempts to register 100@1.1.1.1 is going to trigger that particular jail.

The other posts above should provide useful information.