Fail2ban + logger.conf configurable #178
Comments
Currently logger.conf gets overwritten by the config. But I think we didn't add fail2ban because it required extra permissions for the add-on. @felipecrs probably knows more about this.
I don't recall. Sorry. :(
Wow quick. Yeah it was a while ago. If I remember correctly Fabio asked for fail2ban then. Anyways, not sure if it is possible in an add-on because it needs to access firewall settings right? And we would also need to stop setting the logger.conf.
Honestly I don't understand what's the purpose of fail2ban in this context.
Probably to ban bots right? @Bethaaca for now I suggest changing your ports to a non-default port, use some secure passwords and you're probably fine.
Well... is there anyone doing or planning to expose Asterisk running as Home Assistant add-on on external network/internet? Is that because of the WSS port? If so, we should focus on this instead:
Ah, so the integration would also proxy wss through the HA frontend? That fixes wss, but the SIP port would still be exposed to bots.
Yeah, like the Frigate Integration does for the Frigate APIs.
Only if you forwarded the port in the router. Then my question remains, is there someone doing this or planning on doing it? If there's none, then I would say "why should we bother".
True. For the SIP port it's probably fine as it is for now. The WSS proxy would be nice though.
Yes, that would also solve the case for people using Home Assistant Cloud.
@TECH7Fox I thought of using the Add-on standalone fail2ban. fail2ban needs to read the log generated by Asterisk, but it only reads it in a certain format. Therefore, we would not mess with the security of the Add-on. Home Assistant itself produces log in the format required by fail2ban: Asterisk: if it is possible to do this with the Add-on, we could have one more layer of security when we use fail2ban.
Yes, but that was to add fail2ban itself into the add-on. This is just changing the format to support it. And might be nice to get the same format the rest of HA uses anyways.
Oh, now I understand. Yes, I totally agree!
@Bethaaca just so you know, PRs are accepted to change the log format. :)
@Bethaaca, you can now configure
Nice. I'll update (version 2.x.x yet) and try to change the dateformat. Thanks.
Trust me, this is enough to use fail2ban. When I suffered the brute force attacks, my console showed every attempt (even without the additional "messages => security, notice, warning, error"), but I couldn't configure fail2ban to read the file. In this format it is already possible. I ended up configuring Asterisk with Linhome (@pergolafabio helped me with this configuration) and closing all ports due to insecurity. Now I have to re-open the ports and reconfigure Asterisk to test fail2ban. Nice job, nice job, guys!!! Edit: I'm new to Asterisk, but I think leaving the editing power in the hands of the user helps to customize Asterisk, just as it originally is. It was a big improvement (3.0.0). Congrats.
I don't quite understand... does it mean we don't need #201? If so, please close this issue and also the PR.
Thank you @Bethaaca. Let me just make sure I understand. You are saying that even with the default configuration you can already set up fail2ban? Or, if you changed something in logger.conf, can you please paste your customizations here, so that other people who try to make the same configuration can have it as a reference?
Yes, of course. Logger.conf:
With this small change fail2ban can read the log. At the time I mainly used this site to use the Voip Black List and set up fail2ban.
Got it. Thank you!
I'm trying to make fail2ban work with Asterisk, but it's needed to add the security log and to change the dateformat to "%F %T" in the logger.conf.
https://www.fail2ban.org/wiki/index.php/Asterisk
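
The dateformat dependency discussed in this thread, as an added example that is not code from the issue, the add-on, or fail2ban: a small scanner that, like a log-based ban tool, only counts failed SIP authentications on lines whose timestamp it can parse as "%F %T". The log lines are constructed samples, the regexes are simplified stand-ins for a real filter, and `maxretry`/`findtime` are illustrative names and values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the issue). Lines 1-3 and 5 carry a
# "%F %T" timestamp; line 4 uses a month-name stamp the scanner cannot parse.
SAMPLE_LOG = """\
[2024-05-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '<sip:100@example.invalid>' failed for '203.0.113.7:5060' - Wrong password
[2024-05-01 10:00:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-05-01 10:00:09] NOTICE[1234] chan_sip.c: Registration from '<sip:101@example.invalid>' failed for '203.0.113.7:5060' - Wrong password
[May  1 10:00:12] NOTICE[1234] chan_sip.c: Registration from '<sip:102@example.invalid>' failed for '203.0.113.7:5060' - Wrong password
[2024-05-01 10:20:00] NOTICE[1234] chan_sip.c: Registration from '<sip:100@example.invalid>' failed for '198.51.100.9:5060' - Wrong password
"""

# Timestamp in "%F %T" form, followed by LEVEL[thread-id].
STAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] \w+\[\d+\]")
# Simplified failure patterns: one for NOTICE lines, one for SECURITY events.
FAILURES = (
    re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+):\d+' - Wrong password"),
    re.compile(r'SecurityEvent="InvalidPassword".*RemoteAddress="IPV4/\w+/(\d+\.\d+\.\d+\.\d+)/\d+"'),
)

def scan(log, maxretry=3, findtime=timedelta(minutes=10)):
    """Return (sorted hosts to ban, count of lines skipped for a bad timestamp)."""
    hits, banned, skipped = defaultdict(list), set(), 0
    for line in log.splitlines():
        m = STAMP.match(line)
        if not m:
            skipped += 1  # unparsable timestamp: the attempt is never counted
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for pat in FAILURES:
            f = pat.search(line)
            if f:
                ip = f.group(1)
                # Keep only failures inside the sliding findtime window.
                hits[ip] = [t for t in hits[ip] if when - t <= findtime] + [when]
                if len(hits[ip]) >= maxretry:
                    banned.add(ip)
                break
    return sorted(banned), skipped

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

With `maxretry=4` the same host is not flagged, because its fourth attempt sits on the line with the unparsable timestamp.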