Fail2ban Integration

The Fail2ban server log format is supported starting with aswitch version 2.2.5. Note that this version requires the wobble library 2.1.1 or newer and bsdradius version 0.7.3 or newer.

Fail Messages

YYYY-MM-DD HH:MM:SS.ssssss WARNING: Cannot register unknown user from <ip_address>
YYYY-MM-DD HH:MM:SS.ssssss WARNING: RADIUS authorization unsuccessful for host <ip_address> result code: <code_number>

Filter Regex

file: /etc/fail2ban/filter.d/dtl.conf

[Definition]

# The trailing \s*$ makes each code match exactly, so "result code: 1"
# does not also match codes 10-14.
failregex = WARNING: Cannot register unknown user from <HOST>\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 1\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 2\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 4\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 5\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 6\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 7\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 10\s*$
            WARNING: RADIUS authorization unsuccessful for host <HOST> result code: 14\s*$

It is now possible to specify the exact reject codes that trigger a ban. The example above covers the most common scenario. The full list of reject codes is given below:

  • INVALID_ACCOUNT = 1
  • INVALID_PASSWORD = 2
  • ACCT_IN_USE = 3
  • ZERO_BALANCE = 4
  • EXPIRED = 5
  • CREDIT_LIMIT_EXCEEDED = 6
  • USER_DENY = 7
  • SERVICE_NOT_AVAILABLE = 8
  • DEST_NUMBER_BLOCKED = 9
  • RETRIES_EXCEEDED = 10
  • INVALID_RADIUS_ARGUMENT = 11
  • INSUFFICIENT_BALANCE = 12
  • TOLL_FREE_CALL = 13
  • INVALID_CARD_NUMBER = 14
  • INVALID_DEST_NUMBER = 21
  • UNKNOWN = 51
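
The following is an added example, not part of the original wiki page or the aswitch project. It builds failregex lines from the reject-code names listed above and checks them against constructed log lines, showing why each pattern needs an end anchor: without one, a pattern for code 1 or 2 also counts codes such as 12 and 21. The HOST pattern is a simplified IPv4-only stand-in for fail2ban's <HOST> tag, and all function names are hypothetical.

```python
import re

# Reject codes as listed on this page.
REJECT_CODES = {
    "INVALID_ACCOUNT": 1, "INVALID_PASSWORD": 2, "ACCT_IN_USE": 3,
    "ZERO_BALANCE": 4, "EXPIRED": 5, "CREDIT_LIMIT_EXCEEDED": 6,
    "USER_DENY": 7, "SERVICE_NOT_AVAILABLE": 8, "DEST_NUMBER_BLOCKED": 9,
    "RETRIES_EXCEEDED": 10, "INVALID_RADIUS_ARGUMENT": 11,
    "INSUFFICIENT_BALANCE": 12, "TOLL_FREE_CALL": 13,
    "INVALID_CARD_NUMBER": 14, "INVALID_DEST_NUMBER": 21, "UNKNOWN": 51,
}

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag also accepts hostnames and IPv6 addresses).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = "WARNING: RADIUS authorization unsuccessful for host <HOST> result code: "

def failregex_lines(names, anchored=True):
    """Return one failregex line per reject-code name."""
    tail = r"\s*$" if anchored else ""
    return [PREFIX + str(REJECT_CODES[n]) + tail for n in names]

def matched_host(log_line, regex_lines):
    """Return the host the first matching line would count, or None."""
    for line in regex_lines:
        m = re.search(line.replace("<HOST>", HOST), log_line)
        if m:
            return m.group("host")
    return None

# Constructed sample log lines in the format shown under "Fail Messages".
SAMPLE_LOG = [
    "2011-12-30 15:08:43.000001 WARNING: RADIUS authorization unsuccessful for host 192.0.2.10 result code: 2",
    "2011-12-30 15:08:44.000001 WARNING: RADIUS authorization unsuccessful for host 192.0.2.20 result code: 12",
    "2011-12-30 15:08:45.000001 WARNING: RADIUS authorization unsuccessful for host 192.0.2.30 result code: 21",
]

def hosts_counted(names, anchored=True):
    """Hosts from SAMPLE_LOG that would count toward maxretry."""
    lines = failregex_lines(names, anchored)
    return [h for h in (matched_host(l, lines) for l in SAMPLE_LOG) if h]

if __name__ == "__main__":
    wanted = ["INVALID_ACCOUNT", "INVALID_PASSWORD"]
    print("anchored:  ", hosts_counted(wanted, anchored=True))
    print("unanchored:", hosts_counted(wanted, anchored=False))
```

On a live system, the installed filter file can be checked against the real log with fail2ban's own fail2ban-regex tool.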

Jail

file: /etc/fail2ban/jail.conf

[dtl]
enabled  = true
filter   = dtl
port     = 5060
protocol = udp
action   = iptables-allports[name=DTL, protocol=all]
          sendmail-whois[name=DTL, dest=you@yourdomain.com]
logpath  = /usr/local/var/log/aswitch.log
# For a multiple-instance system, use instead:
# logpath  = /usr/local/var/log/aswitch*.log
maxretry = 120
findtime = 120
bantime  = 3600

Last modified on Dec 30, 2011, 3:08:43 PM