Fail2ban - A tool against brute force

From LinuxMCE
Jump to: navigation, search
Version Status Date Updated Updated By
710 Unknown N/A N/A
810 Works 5 October 2010 pw44
1004 Works 23 January 2013 pw44
1204 Unknown N/A N/A
Usage Information


Having asterik installed is almost an invitation for others wishing to place calls at your expense.

After configuring my sip trunk, it did not take 2 days and some "smart guy" was trying to register to take advantage of it, and causing me losses.

Fail2ban prevented it, blocking the attacker with iptables rules.

Installing fail2ban is not complicated and i will describe the steps to have it properly installed and configured, so you can protect your asterisk and other services from brute force attack.

Files under /etc/asterisk/ are owned by the asterisk user, so preceed any edit commands with

sudo -u asterisk <command>

on Linuxmce 1004 no need to edit sip.conf this is implemented on asterisk realtime database.

The first thing to do is edit /etc/asterisk/sip.conf and add the following line:

alwaysauthreject=yes                                                 

My sip.conf file looks like:

............
[general]
#include sip_general_additional.conf

bindport = 5060       ; Port to bind to (SIP is 5060)
bindaddr = 0.0.0.0    ; Address to bind to (all addresses on machine)
alwaysauthreject=yes                                                 
disallow=all                                                         
allow=ulaw                                                           
allow=alaw  
.............                    

Install fail2ban with:

sudo apt-get install fail2ban

After is installed, you need to change /etc/asterisk/logger.conf and add the following line under [general] section (You may have to create this before the [logfiles] section).

[general]
dateformat=%F %T

In /etc/asterisk/logger.conf add the following line under the [logfiles] section for asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by fail2ban.

syslog.local0 => notice 

Reload asterisk, as root, with:

sudo asterisk -rx "logger reload" 

Configuring fail2ban:

cd /etc/fail2ban/filter.d
touch asterisk.conf 
vi asterisk.conf

FOR ASTERISK 1.4, insert the following (copy & paste)

# Fail2Ban configuration file (for asterisk 1.4)
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

FOR ASTERISK 1.8, insert the following (copy & paste)

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
   
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 2
bantime = 259200

Locate the line ignoreip in /etc/fail2ban/jail.conf (beginning of the file) and insert the ip's and / or blocks you want fail2ban to ignore, so you don't risk banning yourserf or any host in your network.

Mine is defined as follows:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be   
# defined using space separator.                                               
ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0/24 

To start fail2ban type the following as root:

/etc/init.d/fail2ban start

Check It

For LinuxMCE, there is needed "patch", while fail2ban is not part of the distribution.

When LinuxMCE starts, it runs /usr/pluto/bin/Network_Firewall.sh, and this is done AFTER /etc/init.d/fail2ban is started.

So, edit /usr/pluto/bin/Network_Firewall.sh and add the following at the END of this file:

/etc/init.d/fail2ban restart

This will make sure that fail2bain is started AFTER the iptables rules from LinuxMCE.

If started properly issue the following command to view your iptables rules:

iptables -L -v

You should see something like the following for the INPUT chain (this is the ouput of mine)

Chain INPUT (policy DROP 2241 packets, 160K bytes)              
 pkts bytes target     prot opt in     out     source               destination         
  372 27264 fail2ban-SSH  tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh                                                                                          
1312K  991M fail2ban-ASTERISK  all  --  any    any     anywhere             anywhere            
 553K   81M ACCEPT     all  --  lo     any     anywhere             anywhere                    
1288K 1162M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED                                                                               
    9   540 ACCEPT     all  --  any    any     anywhere             anywhere            MARK match 0x1                                                                                          
    2  1152 ACCEPT     udp  --  any    any     anywhere             anywhere            udp   dpt:bootps                                                                                          
19276 5790K ACCEPT     all  --  any    any     192.168.80.0/24      anywhere                    
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:iax                                                                                             
    4  1795 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:sip                                                                                             
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:2000                                                                                            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:sieve                                                                                           
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:1723                                                                                            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www                                                                                             
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh                                                                                             
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https                                                                                           
    1    50 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpts:10001:20000
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
Chain FORWARD (policy ACCEPT 719K packets, 245M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    ppp+    anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 2099K packets, 590M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
Chain fail2ban-ASTERISK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5091 2125K DROP       all  --  any    any     173.193.194.106-static.reverse.softlayer.com  anywhere
1307K  989M RETURN     all  --  any    any     anywhere             anywhere
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination

If you do not see something similar to that then you have some troubleshooting to, check out /var/log/fail2ban.log.

Example of my /var/log/fai2ban.log (173.193.194.106 is the real address from the attacker fail2ban banned):

....
2010-09-19 11:12:56,131 fail2ban.filter : INFO   Set maxRetry = 6
2010-09-19 11:12:56,133 fail2ban.filter : INFO   Set findtime = 600
2010-09-19 11:12:56,133 fail2ban.actions: INFO   Set banTime = 600
2010-09-19 11:12:56,138 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2010-09-19 11:12:56,139 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2010-09-19 11:12:56,141 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
2010-09-19 15:33:50,392 fail2ban.actions: WARNING [asterisk-iptables] Ban 173.193.194.106
2010-09-19 15:34:50,982 fail2ban.actions: WARNING [asterisk-iptables] 173.193.194.106 already banned

And this is the log (/var/log/asterisk/messages) showing the attack:

[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"liverpool"<sip:liverpool@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"nevermind"<sip:nevermind@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"getmein"<sip:getmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw325"<sip:bmw325@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw335"<sip:bmw335@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e4r5t6y"<sip:1q2w3e4r5t6y@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q1q2w2w"<sip:1q1q2w2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w1q2w"<sip:1q2w1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w"<sip:1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"11q22w"<sip:11q22w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2"<sip:q1w2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2e3"<sip:q1w2e3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"tvv03tvv03"<sip:tvv03tvv03@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd1"<sip:abcd1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd12"<sip:abcd12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd123"<sip:abcd123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"qq11ww22ee33rr44"<sip:qq11ww22ee33rr44@201.29.213.245>' failed for '173.193.194.106' - No matching peer found               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12"<sip:sip12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip123"<sip:sip123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1234"<sip:sip1234@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12345"<sip:sip12345@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1111"<sip:sip1111@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip222"<sip:sip222@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1qa2ws3ed"<sip:1qa2ws3ed@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234asdf"<sip:1234asdf@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d"<sip:1a2s3d@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d4f"<sip:1a2s3d4f@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"asdzxc"<sip:asdzxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"123zxc"<sip:123zxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234zxcv"<sip:1234zxcv@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"aazzssxx"<sip:aazzssxx@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssword"<sip:p@ssword@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@ssw0rd@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"password3"<sip:password3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass12"<sip:pass12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account"<sip:account@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"passlogin"<sip:passlogin@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account5"<sip:account5@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account6"<sip:account6@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account123"<sip:account123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account12"<sip:account12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc2"<sip:acc2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc12"<sip:acc12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found

One last tip: you need a MTA, like sendmail or postfix, in order to receive the notifications from fail2ban.

If you have a MTA installed and properly configured, nothing else is needed, but if not, install sendmail

sudo apt-get install sendmail

Then edit the /etc/hosts file and change the line 192.168.80.1 dcerouter to read 192.168.80.1 dcerouter.localdomain dcerouter

Doing it, sendmail will start as expected (fast) and mail will properly delivered. If this change is not done, sendmail will take a long time to start, because it does not find the qualified host name, as the log shows:

Sep 27 13:12:11 dcerouter sendmail[10585]: My unqualified host name (dcerouter) unknown; sleeping for retry


I hope this wiki helps.

source:

http://www.fail2ban.org
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
http://www.fail2ban.org/wiki/index.php/Asterisk

More protection with iptables:

http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082