Mac address banning in fail2ban

[glennbtn]

Hi All.

Noticed that the fail2ban was no longer failed provision attempts using the mac address. Looking in the config file it say it's looking in /var/log/syslog for the event. Having tailed this log I never see any failed attempts to provision with an invalid mac. Does anyone know if anything has changed in fusionpbx to where it now logs the events or if they need turning on somewhere now.

 

[DigitalDaz]

They probably need enabling in /etc/fail2ban/jail.local

 

[glennbtn]

Thanks but all the other jails work. I just don't see any mac's fail or sucess in the /var/log/syslog which I guess is why it's not working

 

[DigitalDaz]

I'm pretty sure the jail is disabled by default, Also, it should be the freeswitch log, not syslog. That said, I do not recall seeing anything in my log either about mac address but maybe its my version. What version are you on?

 

[Adrian Fretwell]

Maybe I'm misunderstanding this thread, but wouldn't failed provision attempts be captured in the Nginx logs?

 

[glennbtn]

Running version 4.5.14

Been running the same box for years and used to work, only every updated fusionpbx so just trying to work out what's changed.

Looked in git and still pointing to /var/log/syslog in there as well as on mine

 

[DigitalDaz]

Maybe I'm misunderstanding this thread, but wouldn't failed provision attempts be captured in the Nginx logs?

Of course they would

 

[DigitalDaz]

Of course they would

Unless he is manually writing it out, I'll have a dig in the code.

 

[DigitalDaz]

There is an nginx-404:

[nginx-404]
enabled  = true
port     = 80,443
protocol = tcp
filter   = nginx-404
logpath  = /var/log/nginx/access*.log
action   = iptables-allports[name=nginx-404, protocol=all]
bantime  = 3600
findtime = 60
maxretry = 300

That matches on:

<HOST> - - \[.*\] "(GET|POST).*HTTP[^ ]* 404

The reason I would never have seen this is that I always disable the nginx access logs, I'd like it much better in the error log.