Fail2ban stops working after Asterisk log rotation

October 31, 2010

You have just installed fail2ban and watched in awe as the hopeless script kiddies got banned while trying to attack your system. You go back to normal, but then something is wrong: your internet connection is saturated and your Asterisk process is taking too many resources. A quick glimpse at the logs reveals that fail2ban is not working any more!

Do not worry, the issue lies in the log rotation mechanism Asterisk uses: the log file fail2ban was reading gets cleared and Asterisk begins to write the log to another file. Log rotation is a very important and useful feature, as it keeps the logs from filling the hard drive to the point where the system is rendered slow or unusable. It is not uncommon for the log files of this kind of application to grow quickly into the multi-gigabyte scale.

The solution is simple. Using your favorite editor, open up:

```bash
vi /etc/fail2ban/jail.conf
```

```ini
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=notificationemail@example.com, sender=fail2ban@example.com]
#logpath = /var/log/asterisk/messages
logpath  = /var/log/asterisk/messages*
maxretry = 5
bantime  = 259200
```

Change the line reading `logpath = /var/log/asterisk/messages` into `logpath = /var/log/asterisk/messages*`. Notice the * at the end: this wildcard makes fail2ban glob all matching log files, so it keeps working even in the event of a non-standard log rotation.

Restart fail2ban and you are good to go:

```bash
$ /etc/init.d/fail2ban restart
```
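To see why the wildcard matters, here is an added example (my own code, not part of the original post or of fail2ban) that models how fail2ban expands each `logpath` line as a shell-style glob when a jail is loaded. It builds two constructed jail stanzas in a temporary directory, one with the plain `messages` path and one with `messages*`, renames the log file the way a rotation would, and reports which jails would be left watching no file at all. The jail names `asterisk-plain` and `asterisk-glob` and the `messages.1` rotated name are assumptions for the demonstration.

```python
import configparser
import glob
import os
import tempfile
from typing import Dict, List

# Constructed jail fragment mirroring the post's [asterisk-iptables] stanza.
# {logdir} is filled in at run time so the example runs offline.
JAIL_TEMPLATE = """
[asterisk-plain]
enabled  = true
filter   = asterisk
logpath  = {logdir}/messages
maxretry = 5
bantime  = 259200

[asterisk-glob]
enabled  = true
filter   = asterisk
logpath  = {logdir}/messages*
maxretry = 5
bantime  = 259200
"""


def monitored_files(jail_text: str) -> Dict[str, List[str]]:
    """Return, per enabled jail, the files its logpath pattern(s) expand to right now.

    fail2ban treats every logpath line as a glob, so a pattern that matches
    nothing means the jail is silently watching no file.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    result: Dict[str, List[str]] = {}
    for jail in cfg.sections():
        if cfg.get(jail, "enabled", fallback="false").lower() != "true":
            continue
        raw = cfg.get(jail, "logpath", fallback="")
        patterns = [p.strip() for p in raw.splitlines() if p.strip()]
        files: List[str] = []
        for pattern in patterns:
            files.extend(sorted(glob.glob(pattern)))
        result[jail] = files
    return result


def jails_watching_nothing(jail_text: str) -> List[str]:
    """Names of enabled jails whose logpath currently matches no file: the failure the post describes."""
    return [jail for jail, files in monitored_files(jail_text).items() if not files]


def simulate_rotation(logdir: str) -> None:
    """Mimic a rotation: the current log is renamed away (assumed name messages.1)
    and no new 'messages' file exists yet."""
    os.rename(os.path.join(logdir, "messages"), os.path.join(logdir, "messages.1"))


def demo() -> Dict[str, List[str]]:
    """Run the before/after comparison in a scratch directory and return the unwatched jails."""
    with tempfile.TemporaryDirectory() as logdir:
        open(os.path.join(logdir, "messages"), "w").close()  # constructed empty Asterisk log
        text = JAIL_TEMPLATE.format(logdir=logdir)
        before = jails_watching_nothing(text)
        simulate_rotation(logdir)
        after = jails_watching_nothing(text)
        return {"before": before, "after": after}


if __name__ == "__main__":
    outcome = demo()
    print("Jails watching no file before rotation:", outcome["before"])
    print("Jails watching no file after rotation: ", outcome["after"])
```

Before the rotation both jails resolve to the live `messages` file; after it, only the glob jail still resolves to something, which is exactly the difference the edit to `jail.conf` makes. The same `jails_watching_nothing` check can be pointed at a copy of your own jail configuration to catch other jails whose log paths no longer exist.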
