Wednesday, March 6, 2013

An example of TLS and SRTP running correctly on Asterisk 11

Posted for reference in case errors come up later.


Client A ( 1000 ) <--> Asterisk ( TLS, SRTP ) <--> Client B ( 1001 )

Client A IP : 192.168.1.151
Client B IP : 192.168.1.131
Asterisk IP : 192.168.1.106

<--- SIP read from TLS:192.168.1.151:58418 --->
INVITE sip:1001@192.168.1.106:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK802a1e955685e211b295a5e36e5e2deb;rport;alias
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 5 INVITE
Contact: <sip:1000@192.168.1.151:5062;transport=tls>
Content-Type: application/sdp
Allow: INVITE, OPTIONS, ACK, BYE, CANCEL, INFO, NOTIFY, MESSAGE, UPDATE
Max-Forwards: 70
Supported: 100rel, replaces, from-change
User-Agent: SIPPER for PhonerLite
P-Preferred-Identity: <sip:1000@192.168.1.106>
Content-Length: 365

v=0
o=- 3664105484 1 IN IP4 192.168.1.151
s=SIPPER for PhonerLite
c=IN IP4 192.168.1.151
t=0 0
m=audio 5062 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ZHXu5KBoj8MK32CKMJgQv6IyCaDCJGsxjaP3heIV
a=encryption:optional
a=ssrc:2834382215
a=sendrecv
<------------->
--- (14 headers 14 lines) ---
Sending to 192.168.1.151:58418 (no NAT)
Using INVITE request as basis request - 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
Found peer '1000' for '1000' from 192.168.1.151:58418

<--- Reliably Transmitting (NAT) to 192.168.1.151:58418 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK802a1e955685e211b295a5e36e5e2deb;alias;received=192.168.1.151;rport=58418
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>;tag=as0c95498a
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 5 INVITE
Server: Asterisk PBX 11.2.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="54692493"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog '802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151' in 32000 ms (Method: INVITE)

<--- SIP read from TLS:192.168.1.151:58418 --->
ACK sip:1001@192.168.1.106:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK802a1e955685e211b295a5e36e5e2deb;rport;alias
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>;tag=as0c95498a
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 5 ACK
Content-Length: 0

<------------->
--- (7 headers 0 lines) ---

<--- SIP read from TLS:192.168.1.151:58418 --->
INVITE sip:1001@192.168.1.106:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK802a1e955685e211b296a5e36e5e2deb;rport;alias
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 6 INVITE
Contact: <sip:1000@192.168.1.151:5062;transport=tls>
Authorization: Digest username="1000", realm="asterisk", nonce="54692493", uri="sip:1001@192.168.1.106:5061;transport=tls", response="0af5468b1ce97a76e4ad687f79ddd48c", algorithm=MD5
Content-Type: application/sdp
Allow: INVITE, OPTIONS, ACK, BYE, CANCEL, INFO, NOTIFY, MESSAGE, UPDATE
Max-Forwards: 70
Supported: 100rel, replaces, from-change
User-Agent: SIPPER for PhonerLite
P-Preferred-Identity: <sip:1000@192.168.1.106>
Content-Length: 365

v=0
o=- 3664105484 1 IN IP4 192.168.1.151
s=SIPPER for PhonerLite
c=IN IP4 192.168.1.151
t=0 0
m=audio 5062 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ZHXu5KBoj8MK32CKMJgQv6IyCaDCJGsxjaP3heIV
a=encryption:optional
a=ssrc:2834382215
a=sendrecv
<------------->
--- (15 headers 14 lines) ---
Sending to 192.168.1.151:58418 (NAT)
Using INVITE request as basis request - 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
Found peer '1000' for '1000' from 192.168.1.151:58418
  == Using SIP RTP CoS mark 5
Found RTP audio format 8
Found RTP audio format 0
Found RTP audio format 101
Found audio description format PCMA for ID 8
Found audio description format PCMU for ID 0
Found audio description format telephone-event for ID 101
Capabilities: us - (ulaw|alaw), peer - audio=(ulaw|alaw)/video=(nothing)/text=(nothing), combined - (ulaw|alaw)
Non-codec capabilities (dtmf): us - 0x1 (telephone-event|), peer - 0x1 (telephone-event|), combined - 0x1 (telephone-event|)
Peer audio RTP is at port 192.168.1.151:5062
Looking for 1001 in default (domain 192.168.1.106)
list_route: hop: <sip:1000@192.168.1.151:5062;transport=tls>

<--- Transmitting (NAT) to 192.168.1.151:58418 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK802a1e955685e211b296a5e36e5e2deb;alias;received=192.168.1.151;rport=58418
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 6 INVITE
Server: Asterisk PBX 11.2.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <sip:1001@192.168.1.106:5061;transport=TLS>
Content-Length: 0


<------------>
    -- Executing [1001@default:1] NoOp("SIP/1000-00000010", "STRP TEST CALL") in new stack
    -- Executing [1001@default:2] Set("SIP/1000-00000010", "_SIP_SRTP_SDES=1") in new stack
    -- Executing [1001@default:3] Set("SIP/1000-00000010", "_SIPSRTP=enable") in new stack
    -- Executing [1001@default:4] Dial("SIP/1000-00000010", "SIP/1001") in new stack
  == Using SIP RTP CoS mark 5
Audio is at 10452
Adding codec 100003 (ulaw) to SDP
Adding codec 100004 (alaw) to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (NAT) to 192.168.1.131:1162:
INVITE sip:1001@192.168.1.131:5064;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.1.106:5061;branch=z9hG4bK62a1d8b9;rport
Max-Forwards: 70
From: "1000" <sip:1000@192.168.1.106>;tag=as2d08fdeb
To: <sip:1001@192.168.1.131:5064;transport=tls>
Contact: <sip:1000@192.168.1.106:5061;transport=TLS>
Call-ID: 0890653214d997963645c7254cd05250@192.168.1.106:5061
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.2.1
Date: Thu, 07 Mar 2013 05:35:12 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 346

v=0
o=root 1013182859 1013182859 IN IP4 192.168.1.106
s=Asterisk PBX 11.2.1
c=IN IP4 192.168.1.106
t=0 0
m=audio 10452 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:mMRKpI/m8Km1Of9+Yg+ZXvRhJDbHkpsWkG39TxPd

---
    -- Called SIP/1001

<--- SIP read from TLS:192.168.1.131:1162 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.1.106:5061;branch=z9hG4bK62a1d8b9;rport=5061
From: "1000" <sip:1000@192.168.1.106>;tag=as2d08fdeb
To: <sip:1001@192.168.1.131:5064;transport=tls>
Call-ID: 0890653214d997963645c7254cd05250@192.168.1.106:5061
CSeq: 102 INVITE
Allow: INVITE, OPTIONS, ACK, BYE, CANCEL, INFO, NOTIFY, MESSAGE, UPDATE
Server: SIPPER for PhonerLite
Content-Length: 0

<------------->
--- (9 headers 0 lines) ---

<--- SIP read from TLS:192.168.1.131:1162 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 192.168.1.106:5061;branch=z9hG4bK62a1d8b9;rport=5061
From: "1000" <sip:1000@192.168.1.106>;tag=as2d08fdeb
To: <sip:1001@192.168.1.131:5064;transport=tls>;tag=802a1e955685e211bb01f39673b1fead
Call-ID: 0890653214d997963645c7254cd05250@192.168.1.106:5061
CSeq: 102 INVITE
Contact: <sip:1001@192.168.1.131:5064;transport=tls>
Allow: INVITE, OPTIONS, ACK, BYE, CANCEL, INFO, NOTIFY, MESSAGE, UPDATE
Server: SIPPER for PhonerLite
Content-Length: 0

<------------->
--- (10 headers 0 lines) ---
list_route: hop: <sip:1001@192.168.1.131:5064;transport=tls>
    -- SIP/1001-00000011 is ringing

<--- Transmitting (NAT) to 192.168.1.151:58418 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK802a1e955685e211b296a5e36e5e2deb;alias;received=192.168.1.151;rport=58418
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>;tag=as4a1ba60a
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 6 INVITE
Server: Asterisk PBX 11.2.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <sip:1001@192.168.1.106:5061;transport=TLS>
Content-Length: 0


<------------>

<--- SIP read from TLS:192.168.1.131:1162 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.1.106:5061;branch=z9hG4bK62a1d8b9;rport=5061
From: "1000" <sip:1000@192.168.1.106>;tag=as2d08fdeb
To: <sip:1001@192.168.1.131:5064;transport=tls>;tag=802a1e955685e211bb01f39673b1fead
Call-ID: 0890653214d997963645c7254cd05250@192.168.1.106:5061
CSeq: 102 INVITE
Contact: <sip:1001@192.168.1.131:5064;transport=tls>
Content-Type: application/sdp
Allow: INVITE, OPTIONS, ACK, BYE, CANCEL, INFO, NOTIFY, MESSAGE, UPDATE
Supported: replaces, from-change
Server: SIPPER for PhonerLite
Content-Length: 341

v=0
o=- 3541565629 1 IN IP4 192.168.1.131
s=SIPPER for PhonerLite
c=IN IP4 192.168.1.131
t=0 0
m=audio 5064 RTP/SAVP 8 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:X8/0CNQMoXIwAHnR83FGV90zS/v2e5CfvEBVIc+f
a=ssrc:519851118
a=sendrecv
<------------->
--- (12 headers 13 lines) ---
Found RTP audio format 8
Found RTP audio format 0
Found RTP audio format 101
Found audio description format PCMU for ID 0
Found audio description format PCMA for ID 8
Found audio description format telephone-event for ID 101
Capabilities: us - (ulaw|alaw), peer - audio=(ulaw|alaw)/video=(nothing)/text=(nothing), combined - (ulaw|alaw)
Non-codec capabilities (dtmf): us - 0x1 (telephone-event|), peer - 0x1 (telephone-event|), combined - 0x1 (telephone-event|)
Peer audio RTP is at port 192.168.1.131:5064
list_route: hop: <sip:1001@192.168.1.131:5064;transport=tls>
set_destination: Parsing <sip:1001@192.168.1.131:5064;transport=tls> for address/port to send to
set_destination: set destination to 192.168.1.131:5064
Transmitting (NAT) to 192.168.1.131:1162:
ACK sip:1001@192.168.1.131:5064;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.1.106:5061;branch=z9hG4bK15518c0a;rport
Max-Forwards: 70
From: "1000" <sip:1000@192.168.1.106>;tag=as2d08fdeb
To: <sip:1001@192.168.1.131:5064;transport=tls>;tag=802a1e955685e211bb01f39673b1fead
Contact: <sip:1000@192.168.1.106:5061;transport=TLS>
Call-ID: 0890653214d997963645c7254cd05250@192.168.1.106:5061
CSeq: 102 ACK
User-Agent: Asterisk PBX 11.2.1
Content-Length: 0


---
    -- SIP/1001-00000011 answered SIP/1000-00000010
Audio is at 18472
Adding codec 100003 (ulaw) to SDP
Adding codec 100004 (alaw) to SDP
Adding non-codec 0x1 (telephone-event) to SDP

<--- Reliably Transmitting (NAT) to 192.168.1.151:58418 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK802a1e955685e211b296a5e36e5e2deb;alias;received=192.168.1.151;rport=58418
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>;tag=as4a1ba60a
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 6 INVITE
Server: Asterisk PBX 11.2.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Contact: <sip:1001@192.168.1.106:5061;transport=TLS>
Content-Type: application/sdp
Content-Length: 344

v=0
o=root 167695273 167695273 IN IP4 192.168.1.106
s=Asterisk PBX 11.2.1
c=IN IP4 192.168.1.106
t=0 0
m=audio 18472 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:aZZxOF0pTT+ZX6yqPO+2OFYQSn6NACHVUya5wQQt

<------------>

<--- SIP read from TLS:192.168.1.151:58418 --->
ACK sip:1001@192.168.1.106:5061;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK808480975685e211b296a5e36e5e2deb;rport;alias
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>;tag=as4a1ba60a
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 6 ACK
Contact: <sip:1000@192.168.1.151:5062;transport=tls>
Authorization: Digest username="1000", realm="asterisk", nonce="54692493", uri="sip:1001@192.168.1.106:5061;transport=TLS", response="0798b41a3be5d62178429ba127c43925", algorithm=MD5
Max-Forwards: 70
Content-Length: 0

<------------->
--- (10 headers 0 lines) ---

<--- SIP read from TLS:192.168.1.151:58418 --->
BYE sip:1001@192.168.1.106:5061;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK00fc0e9e5685e211b296a5e36e5e2deb;rport;alias
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>;tag=as4a1ba60a
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 7 BYE
Contact: <sip:1000@192.168.1.151:5062;transport=tls>
Authorization: Digest username="1000", realm="asterisk", nonce="54692493", uri="sip:1001@192.168.1.106:5061;transport=TLS", response="dd5cbc609545f27c554309306dc71135", algorithm=MD5
Max-Forwards: 70
User-Agent: SIPPER for PhonerLite
Content-Length: 0

<------------->
--- (11 headers 0 lines) ---
Sending to 192.168.1.151:58418 (NAT)
Scheduling destruction of SIP dialog '802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151' in 32000 ms (Method: BYE)

<--- Transmitting (NAT) to 192.168.1.151:58418 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.1.151:58418;branch=z9hG4bK00fc0e9e5685e211b296a5e36e5e2deb;alias;received=192.168.1.151;rport=58418
From: "1000" <sip:1000@192.168.1.106>;tag=3690110982
To: <sip:1001@192.168.1.106:5061;transport=tls>;tag=as4a1ba60a
Call-ID: 802A1E95-5685-E211-B294-A5E36E5E2DEB@192.168.1.151
CSeq: 7 BYE
Server: Asterisk PBX 11.2.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0


<------------>
    -- Executing [h@default:1] Hangup("SIP/1000-00000010", "") in new stack
  == Spawn extension (default, h, 1) exited non-zero on 'SIP/1000-00000010'
Scheduling destruction of SIP dialog '0890653214d997963645c7254cd05250@192.168.1.106:5061' in 32000 ms (Method: INVITE)
set_destination: Parsing <sip:1001@192.168.1.131:5064;transport=tls> for address/port to send to
set_destination: set destination to 192.168.1.131:5064
Reliably Transmitting (NAT) to 192.168.1.131:1162:
BYE sip:1001@192.168.1.131:5064;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.1.106:5061;branch=z9hG4bK5217b6fa;rport
Max-Forwards: 70
From: "1000" <sip:1000@192.168.1.106>;tag=as2d08fdeb
To: <sip:1001@192.168.1.131:5064;transport=tls>;tag=802a1e955685e211bb01f39673b1fead
Call-ID: 0890653214d997963645c7254cd05250@192.168.1.106:5061
CSeq: 103 BYE
User-Agent: Asterisk PBX 11.2.1
X-Asterisk-HangupCause: Normal Clearing
X-Asterisk-HangupCauseCode: 16
Content-Length: 0


---
  == Spawn extension (default, 1001, 4) exited non-zero on 'SIP/1000-00000010'

<--- SIP read from TLS:192.168.1.131:1162 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.1.106:5061;branch=z9hG4bK5217b6fa;rport=5061
From: "1000" <sip:1000@192.168.1.106>;tag=as2d08fdeb
To: <sip:1001@192.168.1.131:5064;transport=tls>;tag=802a1e955685e211bb01f39673b1fead
Call-ID: 0890653214d997963645c7254cd05250@192.168.1.106:5061
CSeq: 103 BYE
Contact: <sip:1001@192.168.1.131:5064;transport=tls>
Server: SIPPER for PhonerLite
Content-Length: 0

RTP/SAVP


When SRTP is applied, the SAVP profile must be used.

Abbreviation for Real-time Transport Protocol / Secure Audio Video Profile

The RTP (Real-time Transport Protocol) specification establishes a registry of profile names for use by higher-level control protocols, such as the SDP (Session Description Protocol), to refer to transport methods. This profile registers the name Real-time Transport Protocol / Secure Audio Video Profile.

RFC 3711
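
The SAVP requirement above can be checked mechanically on any SDP body taken from a SIP trace. The following sh function is an added example, not part of the original post: it reports whether the audio stream is offered as RTP/SAVP with a well-formed SDES `a=crypto` key (30 bytes for the 128-bit suites). The function name, the verdict words and the second and third sample offers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# sdp_srtp_verdict: read one SDP body on stdin, print one verdict word:
#   srtp-sdes-ok | not-savp | savp-without-crypto | unknown-suite | bad-key | no-audio
sdp_srtp_verdict() {
    tr -d '\r' | awk '
        # m=audio <port> <profile> <payload types...>
        /^m=audio / && profile == "" { profile = $3 }
        # a=crypto:<tag> <suite> inline:<key>[|lifetime][|MKI]  (first line only)
        /^a=crypto:/ && suite == "" {
            suite = $2
            key = $3
            sub(/^inline:/, "", key)
            sub(/[|].*/, "", key)
        }
        END {
            if (profile == "")             { print "no-audio"; exit }
            if (profile !~ "^RTP/SAVPF?$") { print "not-savp"; exit }
            if (suite == "")               { print "savp-without-crypto"; exit }
            if (suite !~ "^(AES_CM_128_HMAC_SHA1_(80|32)|F8_128_HMAC_SHA1_80)$") {
                print "unknown-suite"; exit
            }
            # Base64 length check: these suites carry a 16-byte master key
            # plus a 14-byte salt, so the decoded value must be 30 bytes.
            pad = 0
            while (sub(/[=]$/, "", key)) pad++
            n = length(key) + pad
            if (key !~ "^[A-Za-z0-9+/]+$" || n % 4 != 0 || pad > 2 ||
                n / 4 * 3 - pad != 30) { print "bad-key"; exit }
            print "srtp-sdes-ok"
        }'
}

# Abridged from the first INVITE in the trace above.
OFFER_FROM_TRACE='v=0
c=IN IP4 192.168.1.151
m=audio 5062 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ZHXu5KBoj8MK32CKMJgQv6IyCaDCJGsxjaP3heIV
a=sendrecv'
# Constructed: the same call offered without SRTP.
PLAIN_OFFER='v=0
m=audio 5062 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000'
# Constructed: SAVP with a truncated key (15 bytes instead of 30).
SHORT_KEY_OFFER='v=0
m=audio 5062 RTP/SAVP 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAA'

for sdp in "$OFFER_FROM_TRACE" "$PLAIN_OFFER" "$SHORT_KEY_OFFER"; do
    printf '%s\n' "$sdp" | sdp_srtp_verdict
done
```

With SDES the SRTP master key travels inside the SDP, as the `a=crypto` lines in the trace show, so the verdict only says the media offer is well formed; the key is protected on the wire only by the TLS transport carrying the SIP messages.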

Wednesday, February 27, 2013

Configuring whether CentOS starts X Window

On CentOS 6.3:

# vi /etc/inittab


id:3:initdefault: <-- edit this line

  • Run level 3 : full multiuser environment with networking.
  • run level 3 + X window.

Thursday, December 27, 2012

Monday, December 3, 2012

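How to unblock an IP when using fail2ban

How to lift the block when fail2ban has banned your IP after several wrong passwords during an SSH login from a console.

Close the console you were trying from (important) and connect from another PC,
or dump the rules to a file with iptables -L -n > /home/iptableblocklist and search there.

First, list the blocked addresses: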

iptables -L -n

When there are many block entries they are hard to read on the console, so they can also be checked in /etc/sysconfig/iptables.

Read the chain name carefully and type it exactly, as below:

iptables -D fail2ban-asterisk -s 123.123.123.123 -j DROP
iptables -D fail2ban-SSH -s 123.123.123.123 -j REJECT

The last argument is the target, and it must also be given exactly.
Otherwise, even when the chain name is right, you get the message iptables: Bad rule (does a matching rule exist in that chain?).

sample >

/etc/init.d/fail2ban stop
iptables -D fail2ban-SSH -s 123.123.123.123 -j REJECT
/etc/init.d/iptables save    # saves the existing block list, minus the deleted IP
/etc/init.d/iptables restart
/etc/init.d/fail2ban start

[ Notes ]
- Once blocked, even ping stops working...
- If the IP is not in the REJECT list but you still cannot connect: iptables -A INPUT -s 10.10.10.10 -j ACCEPT
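
The chain and target mismatch that produces "Bad rule" can be avoided by deriving the delete command from the rule listing itself. The following sh function is an added example, not part of the original post: it reads `iptables -S` output on stdin and prints the matching `iptables -D` command for every fail2ban chain that holds the given IP, without executing anything. The function name and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# f2b_unban_cmds <ipv4>: read `iptables -S` output on stdin and print one
# `iptables -D ...` line per fail2ban-* rule whose source is exactly <ipv4>.
# Returns 0 if at least one rule matched, 1 if none, 2 on a malformed address.
f2b_unban_cmds() {
    case $1 in
        ''|*[!0-9.]*) echo "usage: f2b_unban_cmds <ipv4>" >&2; return 2 ;;
    esac
    awk -v ip="$1" '
        $1 == "-A" && $2 ~ /^fail2ban-/ {
            for (i = 3; i < NF; i++) {
                # Compare the whole field, so 1.2.3.4 never matches 1.2.3.40.
                if ($i == "-s" && ($(i+1) == ip || $(i+1) == (ip "/32"))) {
                    # Same chain, source and target as the stored rule,
                    # with only the -A swapped for -D.
                    sub(/^-A /, "iptables -D ")
                    print
                    found = 1
                    break
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `iptables -S` output on a host running two jails.
RULES_SAMPLE='-P INPUT ACCEPT
-N fail2ban-SSH
-N fail2ban-asterisk
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p udp -m udp --dport 5060 -j fail2ban-asterisk
-A fail2ban-SSH -s 123.123.123.123/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
-A fail2ban-asterisk -s 123.123.123.123/32 -j DROP
-A fail2ban-asterisk -s 123.123.123.12/32 -j DROP
-A fail2ban-asterisk -j RETURN'

printf '%s\n' "$RULES_SAMPLE" | f2b_unban_cmds 123.123.123.123
```

On a live host the input would be `iptables -S | f2b_unban_cmds 123.123.123.123`; review the printed lines, then run them between the fail2ban stop and the iptables save steps of the sample above.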

Sunday, November 11, 2012

Cache options for JSP


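<%
// Tell browsers and proxies not to cache or store this page.
response.setHeader("Cache-Control", "no-store");
response.setHeader("Pragma", "no-cache");      // for HTTP/1.0 caches
response.setDateHeader("Expires", 0);          // date headers take a long, not a String
if (request.getProtocol().equals("HTTP/1.1")) {
    // addHeader keeps the no-store value set above; setHeader would replace it
    response.addHeader("Cache-Control", "no-cache");
}
%>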

Sunday, September 9, 2012

fail2ban install with CentOS

[ manual install ]

cd /usr/local/src/

tar xvfj fail2ban-0.8.14.tar.bz2
cd fail2ban-0.8.14
sudo python setup.py install

cp files/redhat-initd /etc/init.d/fail2ban
chmod 755 /etc/init.d/fail2ban
chkconfig --add fail2ban && chkconfig fail2ban on

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

vi /etc/fail2ban/jail.local

[DEFAULT]
# NAT allow (comment kept on its own line so it is not read as part of the value)
ignoreip = 127.0.0.1/8 192.168.0.0/24 8.8.8.8

bantime = 360000
findtime = 6000

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

service fail2ban restart

sudo ls /var/run


[ yum install ]
Add the following to /etc/yum.repos.d/CentOS-Base.repo, then install:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt

[kbs-CentOS-Misc]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
gpgcheck=1
enabled=1
baseurl=http://centos.karan.org/el$releasever/misc/stable/$basearch/RPMS/

yum install fail2ban

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

service fail2ban restart

sudo ls /var/run

[ restart sequence ]
/etc/init.d/fail2ban stop
/etc/init.d/iptables save
/etc/init.d/iptables restart
/etc/init.d/fail2ban start