Fail2ban - A tool against brute force
Latest revision as of 06:58, 23 February 2013
| Version | Status | Date Updated | Updated By |
|---|---|---|---|
| 710 | Unknown | N/A | N/A |
| 810 | Works | 5 October 2010 | pw44 |
| 1004 | Works | 23 January 2013 | pw44 |
| 1204 | Unknown | N/A | N/A |
| 1404 | Unknown | N/A | N/A |
Having Asterisk installed is almost an invitation for others wishing to place calls at your expense.
After configuring my SIP trunk, it did not take 2 days before some "smart guy" was trying to register to take advantage of it, causing me losses.
Fail2ban prevented it, blocking the attacker with iptables rules.
Installing fail2ban is not complicated, and I will describe the steps to have it properly installed and configured, so you can protect your Asterisk and other services from brute force attacks.
Files under /etc/asterisk/ are owned by the asterisk user, so precede any edit commands with
sudo -u asterisk <command>
On LinuxMCE 1004 there is no need to edit sip.conf; this setting is implemented in the Asterisk realtime database.
The first thing to do is edit /etc/asterisk/sip.conf and add the following line:
alwaysauthreject=yes
My sip.conf file looks like:
............
[general]
#include sip_general_additional.conf

bindport = 5060   ; Port to bind to (SIP is 5060)
bindaddr = 0.0.0.0   ; Address to bind to (all addresses on machine)
alwaysauthreject=yes
disallow=all
allow=ulaw
allow=alaw
.............
Install fail2ban with:
sudo apt-get install fail2ban
After it is installed, you need to change /etc/asterisk/logger.conf and add the following line under the [general] section (you may have to create this section before the [logfiles] section).
[general]
dateformat=%F %T
In /etc/asterisk/logger.conf add the following line under the [logfiles] section for asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by fail2ban.
syslog.local0 => notice
Reload asterisk, as root, with:
sudo asterisk -rx "logger reload"
Configuring fail2ban:
cd /etc/fail2ban/filter.d
touch asterisk.conf
vi asterisk.conf
FOR ASTERISK 1.4, insert the following (copy & paste)
# Fail2Ban configuration file (for asterisk 1.4)
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Continuation lines of a multi-line value must stay indented.
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
FOR ASTERISK 1.8, insert the following (copy & paste)
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Asterisk 1.8 logs the source as 'address:port', hence the ':.*' after <HOST>.
# Continuation lines of a multi-line value must stay indented.
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 2
bantime  = 259200
Locate the ignoreip line in /etc/fail2ban/jail.conf (near the beginning of the file) and insert the IPs and/or address blocks you want fail2ban to ignore, so you don't risk banning yourself or any host in your network.
Mine is defined as follows:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0/24
To start fail2ban type the following as root:
/etc/init.d/fail2ban start
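To see how the pieces above fit together (the dateformat timestamp from logger.conf, the failregex lines with the <HOST> alias, and the ignoreip, maxretry and findtime settings from jail.conf), here is an added example that is my own code, not part of this wiki page and not code from the fail2ban project. It re-implements, in a few lines of Python, the decision fail2ban makes: expand <HOST> as the filter comment describes, run the patterns over constructed Asterisk log lines, skip hosts covered by ignoreip, and ban a host once it reaches maxretry failures inside findtime seconds. The log lines, the 203.0.113.7 / 198.51.100.9 addresses and the 15:33 timestamps are constructed for the example; the pattern lists are a subset of the 1.4 and 1.8 filters shown above.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# <HOST> alias exactly as quoted in the filter's comment block above.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Subset of the page's failregex lines. Asterisk 1.8 logs the source as
# 'address:port', which is why the 1.8 patterns carry ':.*' after <HOST>.
FAILREGEX_14 = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]
FAILREGEX_18 = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]

# Timestamp prefix Asterisk writes once logger.conf has dateformat=%F %T.
LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (?P<msg>.*)$")

# ignoreip from the jail.conf [DEFAULT] section shown on the page.
IGNOREIP = ("127.0.0.1", "192.168.80.1", "192.168.80.0/24")

# Constructed log lines in the page's format. 203.0.113.7 and 198.51.100.9 are
# documentation addresses standing in for attackers; 192.168.80.10 is a LAN phone
# with a mistyped secret, which ignoreip must protect from being banned.
SAMPLE_LOG = [
    "[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '\"thomas\"<sip:thomas@203.0.113.7>' failed for '203.0.113.7' - No matching peer found",
    "[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '\"letmein\"<sip:letmein@203.0.113.7>' failed for '203.0.113.7' - No matching peer found",
    "[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '\"arsenal\"<sip:arsenal@203.0.113.7>' failed for '203.0.113.7' - No matching peer found",
    "[2010-09-19 15:40:00] NOTICE[26690] chan_sip.c: Registration from '\"phone1\"<sip:phone1@192.168.80.10>' failed for '192.168.80.10' - Wrong password",
    "[2010-09-19 15:40:05] NOTICE[26690] chan_sip.c: Registration from '\"phone1\"<sip:phone1@192.168.80.10>' failed for '192.168.80.10' - Wrong password",
    "[2010-09-19 16:00:00] NOTICE[26690] chan_sip.c: Registration from '\"guest\"<sip:guest@198.51.100.9>' failed for '198.51.100.9' - Wrong password",
    "[2010-09-19 16:20:00] NOTICE[26690] chan_sip.c: Registration from '\"guest\"<sip:guest@198.51.100.9>' failed for '198.51.100.9' - Wrong password",
    "[2010-09-19 16:20:01] VERBOSE[26690] logger.c: -- Registered SIP 'phone2' at 192.168.80.11 port 5060",
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_failure(line, regexes):
    """Return (timestamp, host) if the line is an auth failure, else None.

    Like fail2ban, the first pattern that matches wins, so pattern order matters.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    for rx in regexes:
        hit = rx.search(m.group("msg"))
        if hit:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            return ts, hit.group("host")
    return None


def is_ignored(host, ignoreip):
    """True if host is inside any ignoreip entry (single IP or CIDR block)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not a bare address (e.g. still carries ':port')
        return False
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def simulate_jail(lines, maxretry=2, findtime=600, ignoreip=IGNOREIP, patterns=FAILREGEX_14):
    """Return the hosts the jail would ban, in ban order.

    A host is banned when it accumulates `maxretry` failures within `findtime`
    seconds; once banned it is not banned again (fail2ban logs 'already banned').
    """
    regexes = compile_failregex(patterns)
    window = timedelta(seconds=findtime)
    failures = {}
    banned = []
    for line in lines:
        hit = match_failure(line, regexes)
        if hit is None:
            continue
        ts, host = hit
        if host in banned or is_ignored(host, ignoreip):
            continue
        recent = [t for t in failures.get(host, []) if ts - t <= window]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", simulate_jail(SAMPLE_LOG))
```

Two details worth noting. First, the LAN phone at 192.168.80.10 fails twice inside findtime but is never banned, because the ignoreip block covers it; drop ignoreip and it is banned just like the attacker. Second, with the `\S+` alias the 1.4 pattern `'<HOST>'` applied to a 1.8-style line `failed for '203.0.113.7:5060'` captures `203.0.113.7:5060` as the host, which is not an address iptables can ban; that is the reason the 1.8 filter uses `'<HOST>:.*'`. To run the same kind of check against your real log with the real filter file, fail2ban ships the `fail2ban-regex` tool, e.g. `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`.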
Check It
For LinuxMCE a small "patch" is needed, since fail2ban is not part of the distribution.
When LinuxMCE starts, it runs /usr/pluto/bin/Network_Firewall.sh, and this is done AFTER /etc/init.d/fail2ban is started.
So, edit /usr/pluto/bin/Network_Firewall.sh and add the following at the END of this file:
/etc/init.d/fail2ban restart
This will make sure that fail2ban is started AFTER the iptables rules from LinuxMCE.
If started properly issue the following command to view your iptables rules:
iptables -L -v
You should see something like the following for the INPUT chain (this is the output of mine):
Chain INPUT (policy DROP 2241 packets, 160K bytes)
 pkts bytes target             prot opt in   out  source                                       destination
  372 27264 fail2ban-SSH       tcp  --  any  any  anywhere                                     anywhere            tcp dpt:ssh
1312K  991M fail2ban-ASTERISK  all  --  any  any  anywhere                                     anywhere
 553K   81M ACCEPT             all  --  lo   any  anywhere                                     anywhere
1288K 1162M ACCEPT             all  --  any  any  anywhere                                     anywhere            state RELATED,ESTABLISHED
    9   540 ACCEPT             all  --  any  any  anywhere                                     anywhere            MARK match 0x1
    2  1152 ACCEPT             udp  --  any  any  anywhere                                     anywhere            udp dpt:bootps
19276 5790K ACCEPT             all  --  any  any  192.168.80.0/24                              anywhere
    0     0 ACCEPT             udp  --  any  any  anywhere                                     anywhere            udp dpt:iax
    4  1795 ACCEPT             udp  --  any  any  anywhere                                     anywhere            udp dpt:sip
    0     0 ACCEPT             udp  --  any  any  anywhere                                     anywhere            udp dpt:2000
    0     0 ACCEPT             tcp  --  any  any  anywhere                                     anywhere            tcp dpt:sieve
    0     0 ACCEPT             tcp  --  any  any  anywhere                                     anywhere            tcp dpt:1723
    0     0 ACCEPT             tcp  --  any  any  anywhere                                     anywhere            tcp dpt:www
    1    60 ACCEPT             tcp  --  any  any  anywhere                                     anywhere            tcp dpt:ssh
    0     0 ACCEPT             tcp  --  any  any  anywhere                                     anywhere            tcp dpt:https
    1    50 ACCEPT             udp  --  any  any  anywhere                                     anywhere            udp dpts:10001:20000
    0     0 ACCEPT             gre  --  any  any  anywhere                                     anywhere

Chain FORWARD (policy ACCEPT 719K packets, 245M bytes)
 pkts bytes target             prot opt in   out  source                                       destination
    0     0 TCPMSS             tcp  --  any  ppp+ anywhere                                     anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 2099K packets, 590M bytes)
 pkts bytes target             prot opt in   out  source                                       destination
    0     0 ACCEPT             gre  --  any  any  anywhere                                     anywhere

Chain fail2ban-ASTERISK (1 references)
 pkts bytes target             prot opt in   out  source                                       destination
 5091 2125K DROP               all  --  any  any  173.193.194.106-static.reverse.softlayer.com anywhere
1307K  989M RETURN             all  --  any  any  anywhere                                     anywhere

Chain fail2ban-SSH (1 references)
 pkts bytes target             prot opt in   out  source                                       destination
If you do not see something similar to that, you have some troubleshooting to do; check /var/log/fail2ban.log.
Example of my /var/log/fail2ban.log (173.193.194.106 is the real address of the attacker fail2ban banned):
....
2010-09-19 11:12:56,131 fail2ban.filter : INFO   Set maxRetry = 6
2010-09-19 11:12:56,133 fail2ban.filter : INFO   Set findtime = 600
2010-09-19 11:12:56,133 fail2ban.actions: INFO   Set banTime = 600
2010-09-19 11:12:56,138 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2010-09-19 11:12:56,139 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2010-09-19 11:12:56,141 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
2010-09-19 15:33:50,392 fail2ban.actions: WARNING [asterisk-iptables] Ban 173.193.194.106
2010-09-19 15:34:50,982 fail2ban.actions: WARNING [asterisk-iptables] 173.193.194.106 already banned
And this is the log (/var/log/asterisk/messages) showing the attack:
[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"liverpool"<sip:liverpool@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"nevermind"<sip:nevermind@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"getmein"<sip:getmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw325"<sip:bmw325@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw335"<sip:bmw335@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e4r5t6y"<sip:1q2w3e4r5t6y@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q1q2w2w"<sip:1q1q2w2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w1q2w"<sip:1q2w1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w"<sip:1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"11q22w"<sip:11q22w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2"<sip:q1w2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2e3"<sip:q1w2e3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"tvv03tvv03"<sip:tvv03tvv03@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd1"<sip:abcd1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd12"<sip:abcd12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd123"<sip:abcd123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"qq11ww22ee33rr44"<sip:qq11ww22ee33rr44@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12"<sip:sip12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip123"<sip:sip123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1234"<sip:sip1234@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12345"<sip:sip12345@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1111"<sip:sip1111@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip222"<sip:sip222@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1qa2ws3ed"<sip:1qa2ws3ed@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234asdf"<sip:1234asdf@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d"<sip:1a2s3d@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d4f"<sip:1a2s3d4f@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"asdzxc"<sip:asdzxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"123zxc"<sip:123zxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234zxcv"<sip:1234zxcv@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"aazzssxx"<sip:aazzssxx@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssword"<sip:p@ssword@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@ssw0rd@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"password3"<sip:password3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass12"<sip:pass12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account"<sip:account@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"passlogin"<sip:passlogin@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account5"<sip:account5@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account6"<sip:account6@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account123"<sip:account123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account12"<sip:account12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc2"<sip:acc2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc12"<sip:acc12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
One last tip: you need an MTA, like sendmail or postfix, in order to receive the notifications from fail2ban.
If you have an MTA installed and properly configured, nothing else is needed; if not, install sendmail:
sudo apt-get install sendmail
Then edit the /etc/hosts file and change the line 192.168.80.1 dcerouter to read 192.168.80.1 dcerouter.localdomain dcerouter
With this change, sendmail starts as expected (quickly) and mail is delivered properly. Without it, sendmail takes a long time to start because it cannot find its fully qualified host name, as the log shows:
Sep 27 13:12:11 dcerouter sendmail[10585]: My unqualified host name (dcerouter) unknown; sleeping for retry
I hope this wiki helps.
Sources:
http://www.fail2ban.org
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
http://www.fail2ban.org/wiki/index.php/Asterisk
More protection with iptables:
http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082