Difference between revisions of "Fail2ban - A tool against brute force"

From LinuxMCE
(New page: Category: Tutorials Having asterik installed is almost an invitation for others wishing to place calls at your expense. After configuring my sip trunk, i did not take 2 days and some...)
 
 
(30 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[Category: Tutorials]]
+
[[Category: Networking|Firewall, fail2ban]]
 +
{{versioninfo|810Status=Works|810UpdatedDate=5 October 2010|810UpdatedBy=pw44|1004Status=Works|1004UpdatedDate=23 January 2013|1004UpdatedBy=pw44}}
 +
 
  
 
Having asterik installed is almost an invitation for others wishing to place calls at your expense.
 
Having asterik installed is almost an invitation for others wishing to place calls at your expense.
  
After configuring my sip trunk, i did not take 2 days and someone was trying to register to take advantage of it.
+
After configuring my sip trunk, it did not take 2 days and some "smart guy"  was trying to register to take advantage of it, and causing me losses.
  
Fail2ban prevented it, blocking the attacker.
+
Fail2ban prevented it, blocking the attacker with iptables rules.
  
Installing fail2ban is not complicated.
+
Installing fail2ban is not complicated and i will describe the steps to have it properly installed and configured, so you can protect your asterisk and other services from brute force attack.
  
I will describe the steps to have it properly installed and configured, so you can protect your asterisk and other services from brute force attack.
+
Files under /etc/asterisk/ are owned by the asterisk user, so preceed any edit commands with
 +
sudo -u asterisk <command>
  
Install with:  
+
on Linuxmce 1004 no need to edit sip.conf  this is implemented on asterisk realtime database.
 +
 
 +
The first thing to do is edit /etc/asterisk/sip.conf and add the following line:
 +
alwaysauthreject=yes                                               
 +
My sip.conf file looks like:
 +
............
 +
[general]
 +
#include sip_general_additional.conf
 +
 +
bindport = 5060      ; Port to bind to (SIP is 5060)
 +
bindaddr = 0.0.0.0    ; Address to bind to (all addresses on machine)
 +
'''alwaysauthreject=yes'''                                               
 +
disallow=all                                                       
 +
allow=ulaw                                                         
 +
allow=alaw 
 +
.............                   
 +
Install fail2ban with:  
 
  sudo apt-get install fail2ban
 
  sudo apt-get install fail2ban
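Review bot: the new line "on Linuxmce 1004 no need to edit sip.conf  this is implemented on asterisk realtime database." is inserted before "The first thing to do is edit /etc/asterisk/sip.conf and add the following line:", so the exemption appears before the step it exempts; move it directly after the alwaysauthreject instruction (or after the sip.conf excerpt) and say that 1004 users skip only that step. Also, the wiki bold around '''alwaysauthreject=yes''' sits inside config text that readers copy and paste; bolding the surrounding sentence instead keeps the excerpt copy-safe.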
  
Line 19: Line 38:
 
  dateformat=%F %T
 
  dateformat=%F %T
  
In /etc/asterisk/logger.conf add the following line under the [logfiles] section for Asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by Fail2Ban.
+
In /etc/asterisk/logger.conf add the following line under the [logfiles] section for asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by fail2ban.
  
 
  syslog.local0 => notice  
 
  syslog.local0 => notice  
  
Reload asterisk with:
+
Reload asterisk, as root, with:
  
  asterisk -rx "logger reload"  
+
  sudo asterisk -rx "logger reload"  
  
 
Configuring fail2ban:
 
Configuring fail2ban:
Line 35: Line 54:
 
  vi asterisk.conf
 
  vi asterisk.conf
  
insert the following (copy & paste)
+
'''FOR ASTERISK 1.'''4, insert the following (copy & paste)
  
  # Fail2Ban configuration file
+
  # Fail2Ban configuration file (for asterisk 1.4)
 
  #
 
  #
 
  #
 
  #
Line 69: Line 88:
 
  #
 
  #
 
  ignoreregex =
 
  ignoreregex =
 +
 +
'''FOR ASTERISK 1.8''', insert the following (copy & paste)
 +
 +
# Fail2Ban configuration file
 +
#
 +
#
 +
# $Revision: 250 $
 +
#
 +
[INCLUDES]
 +
# Read common prefixes. If any customizations available -- read them from
 +
# common.local
 +
#before = common.conf
 +
[Definition]
 +
#_daemon = asterisk
 +
# Option:  failregex
 +
# Notes.:  regex to match the password failures messages in the logfile. The
 +
#          host must be matched by a group named "host". The tag "<HOST>" can
 +
#          be used for standard IP/hostname matching and is only an alias for
 +
#          (?:::f{4,6}:)?(?P<host>\S+)
 +
# Values:  TEXT
 +
#
 +
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
 +
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
 +
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
 +
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
 +
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
 +
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
 +
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
 +
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
 +
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
 +
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
 +
            NOTICE.* <HOST> failed to authenticate as '.*'$
 +
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
 +
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
 +
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
 +
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
 +
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
 +
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
 +
   
 +
# Option:  ignoreregex
 +
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
 +
# Values:  TEXT
 +
#
 +
ignoreregex =
 +
  
 
Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.  
 
Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.  
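Review bot: the new Asterisk 1.8 failregex list repeats two patterns verbatim, "Registration from '.*' failed for '<HOST>:.*' - No matching peer found" (twice in a row) and "Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL" (once near the top and again after the "ACL error (permit/deny)" line); fail2ban compiles and tries every pattern against every log line, so drop the duplicates. It would also help to say why these lines carry ':.*' after <HOST> where the 1.4 list has a bare '<HOST>' (1.8 logs the source as address:port), so readers do not mix patterns from the two lists.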
Line 78: Line 142:
 
             sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
 
             sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
 
  logpath  = /var/log/asterisk/full
 
  logpath  = /var/log/asterisk/full
  maxretry = 5
+
  maxretry = 2
 
  bantime = 259200
 
  bantime = 259200
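Review bot: maxretry drops from 5 to 2 while bantime stays 259200 (three days) and the action is iptables-allports, so two mistyped passwords from any phone outside ignoreip now block that phone on every port for three days; no findtime is given, so the default window applies. State that trade-off next to the value, or keep a higher maxretry for this jail and rely on the long bantime.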
  
Line 89: Line 153:
 
  # ban a host which matches an address in this list. Several addresses can be   
 
  # ban a host which matches an address in this list. Several addresses can be   
 
  # defined using space separator.                                               
 
  # defined using space separator.                                               
  ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0 192.168.0.0
+
  ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0/24
  
To start Fail2Ban type the following as root:
+
To start fail2ban type the following as root:
  
/etc/init.d/fail2ban start
+
/etc/init.d/fail2ban start
  
 
Check It
 
Check It
 +
 +
For LinuxMCE, there is needed "patch", while fail2ban is not part of the distribution.
 +
 +
When LinuxMCE starts, it runs /usr/pluto/bin/Network_Firewall.sh, and this is done AFTER /etc/init.d/fail2ban is started.
 +
 +
So, edit /usr/pluto/bin/Network_Firewall.sh and add the following at the END of this file:
 +
 +
/etc/init.d/fail2ban restart
 +
 +
This will make sure that fail2bain is started AFTER the iptables rules from LinuxMCE.
  
 
If started properly issue the following command to view your iptables rules:
 
If started properly issue the following command to view your iptables rules:
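Review bot: the ignoreip change is the right fix and deserves a sentence of explanation: the old "192.168.80.0 192.168.0.0" entries were bare addresses, which fail2ban treats as single hosts rather than networks, so the LAN was not actually exempt; with "192.168.80.0/24" in place, "192.168.80.1" is covered by the block and can go.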
Line 101: Line 175:
 
  iptables -L -v
 
  iptables -L -v
  
You should see something like the following for the INPUT chain  
+
You should see something like the following for the INPUT chain (this is the ouput of mine)
 +
 
 +
Chain INPUT (policy DROP 2241 packets, 160K bytes)             
 +
  pkts bytes target    prot opt in    out    source              destination       
 +
  372 27264 '''fail2ban-SSH'''  tcp  --  any    any    anywhere            anywhere            tcp dpt:ssh                                                                                         
 +
1312K  991M '''fail2ban-ASTERISK'''  all  --  any    any    anywhere            anywhere           
 +
  553K  81M ACCEPT    all  --  lo    any    anywhere            anywhere                   
 +
1288K 1162M ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED                                                                             
 +
    9  540 ACCEPT    all  --  any    any    anywhere            anywhere            MARK match 0x1                                                                                         
 +
    2  1152 ACCEPT    udp  --  any    any    anywhere            anywhere            udp  dpt:bootps                                                                                         
 +
19276 5790K ACCEPT    all  --  any    any    192.168.80.0/24      anywhere                   
 +
    0    0 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpt:iax                                                                                           
 +
    4  1795 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpt:sip                                                                                           
 +
    0    0 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpt:2000                                                                                           
 +
    0    0 ACCEPT    tcp  --  any    any    anywhere            anywhere            tcp dpt:sieve                                                                                         
 +
    0    0 ACCEPT    tcp  --  any    any    anywhere            anywhere            tcp dpt:1723                                                                                           
 +
    0    0 ACCEPT    tcp  --  any    any    anywhere            anywhere            tcp dpt:www                                                                                           
 +
    1    60 ACCEPT    tcp  --  any    any    anywhere            anywhere            tcp dpt:ssh                                                                                           
 +
    0    0 ACCEPT    tcp  --  any    any    anywhere            anywhere            tcp dpt:https                                                                                         
 +
    1    50 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpts:10001:20000
 +
    0    0 ACCEPT    gre  --  any    any    anywhere            anywhere
 +
Chain FORWARD (policy ACCEPT 719K packets, 245M bytes)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
    0    0 TCPMSS    tcp  --  any    ppp+    anywhere            anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 +
Chain OUTPUT (policy ACCEPT 2099K packets, 590M bytes)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
    0    0 ACCEPT    gre  --  any    any    anywhere            anywhere
 +
Chain '''fail2ban-ASTERISK''' (1 references)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
  5091 2125K DROP      all  --  any    any    173.193.194.106-static.reverse.softlayer.com  anywhere
 +
1307K  989M RETURN    all  --  any    any    anywhere            anywhere
 +
Chain '''fail2ban-SSH''' (1 references)
 +
  pkts bytes target    prot opt in    out    source              destination
 +
 
 +
If you do not see something similar to that then you have some troubleshooting to, check out /var/log/fail2ban.log.
 +
 
 +
Example of my /var/log/fai2ban.log (173.193.194.106 is the real address from the attacker fail2ban banned):
 +
 
 +
....
 +
2010-09-19 11:12:56,131 fail2ban.filter : INFO  Set maxRetry = 6
 +
2010-09-19 11:12:56,133 fail2ban.filter : INFO  Set findtime = 600
 +
2010-09-19 11:12:56,133 fail2ban.actions: INFO  Set banTime = 600
 +
2010-09-19 11:12:56,138 fail2ban.jail  : INFO  Jail 'ssh-iptables' started
 +
2010-09-19 11:12:56,139 fail2ban.jail  : INFO  Jail 'asterisk-iptables' started
 +
2010-09-19 11:12:56,141 fail2ban.jail  : INFO  Jail 'apache-tcpwrapper' started
 +
2010-09-19 15:33:50,392 fail2ban.actions: WARNING [asterisk-iptables] Ban 173.193.194.106
 +
2010-09-19 15:34:50,982 fail2ban.actions: WARNING [asterisk-iptables] 173.193.194.106 already banned
 +
 
 +
And this is the log (/var/log/asterisk/messages) showing the attack:
 +
 
 +
[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                         
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"liverpool"<sip:liverpool@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"nevermind"<sip:nevermind@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"getmein"<sip:getmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw325"<sip:bmw325@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw335"<sip:bmw335@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e4r5t6y"<sip:1q2w3e4r5t6y@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                     
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q1q2w2w"<sip:1q1q2w2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w1q2w"<sip:1q2w1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w"<sip:1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"11q22w"<sip:11q22w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2"<sip:q1w2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2e3"<sip:q1w2e3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"tvv03tvv03"<sip:tvv03tvv03@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                         
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd1"<sip:abcd1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd12"<sip:abcd12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd123"<sip:abcd123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"qq11ww22ee33rr44"<sip:qq11ww22ee33rr44@201.29.213.245>' failed for '173.193.194.106' - No matching peer found             
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12"<sip:sip12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip123"<sip:sip123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1234"<sip:sip1234@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12345"<sip:sip12345@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1111"<sip:sip1111@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip222"<sip:sip222@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1qa2ws3ed"<sip:1qa2ws3ed@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234asdf"<sip:1234asdf@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d"<sip:1a2s3d@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d4f"<sip:1a2s3d4f@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"asdzxc"<sip:asdzxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"123zxc"<sip:123zxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234zxcv"<sip:1234zxcv@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"aazzssxx"<sip:aazzssxx@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssword"<sip:p@ssword@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@ssw0rd@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"password3"<sip:password3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass12"<sip:pass12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account"<sip:account@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"passlogin"<sip:passlogin@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account5"<sip:account5@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account6"<sip:account6@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account123"<sip:account123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account12"<sip:account12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc2"<sip:acc2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc12"<sip:acc12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
 +
 
 +
One last tip: you need a MTA, like sendmail or postfix, in order to receive the notifications from fail2ban.
 +
 
 +
If you have a MTA installed and properly configured, nothing else is needed, but if not, install sendmail
 +
 
 +
sudo apt-get install sendmail
 +
 
 +
Then edit the /etc/hosts file and change the line '''192.168.80.1 dcerouter''' to read '''192.168.80.1 dcerouter.localdomain dcerouter'''
 +
 
 +
Doing it, sendmail will start as expected (fast) and mail will properly delivered. If this change is not done, sendmail will take a long time to start, because it does not find the qualified host name, as the log shows:
 +
 
 +
Sep 27 13:12:11 dcerouter sendmail[10585]: My unqualified host name (dcerouter) unknown; sleeping for retry
 +
 
  
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+
I hope this wiki helps.
pkts bytes target    prot opt in    out    source              destination       
+
2104K  414M fail2ban-ASTERISK  all  —  any    any    anywhere            anywhere
+
  
If you do not seem something similar to that then you have some troubleshooting to, check out /var/log/fail2ban.log.
+
source:
 +
http://www.fail2ban.org
 +
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
 +
http://www.fail2ban.org/wiki/index.php/Asterisk
  
I hope this helps.
+
More protection with iptables:
 +
http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082
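Review bot: the /var/log/fail2ban.log excerpt shows "Set maxRetry = 6", "Set findtime = 600" and "Set banTime = 600" immediately before "Jail 'ssh-iptables' started", which does not match the maxretry = 2 / bantime = 259200 this revision sets for asterisk-iptables; say which jail those three lines belong to, or show the asterisk jail's own lines, so a reader comparing log and config is not misled. Also, the DROP rule in the fail2ban-ASTERISK chain shows a resolved name (173.193.194.106-static.reverse.softlayer.com) because "iptables -L -v" resolves addresses; "iptables -L -v -n" prints the raw address, which is what fail2ban banned and what the log line "Ban 173.193.194.106" refers to.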

Latest revision as of 06:58, 23 February 2013

Version  Status   Date Updated      Updated By
710      Unknown  N/A               N/A
810      Works    5 October 2010    pw44
1004     Works    23 January 2013   pw44
1204     Unknown  N/A               N/A
1404     Unknown  N/A               N/A


Having Asterisk installed is almost an invitation for others wishing to place calls at your expense.

After configuring my SIP trunk, it did not take 2 days before some "smart guy" was trying to register to take advantage of it, causing me losses.

Fail2ban prevented it, blocking the attacker with iptables rules.

Installing fail2ban is not complicated, and I will describe the steps to have it properly installed and configured, so you can protect your Asterisk and other services from brute force attacks.

Files under /etc/asterisk/ are owned by the asterisk user, so precede any edit command with

sudo -u asterisk <command>

On LinuxMCE 1004 there is no need to edit sip.conf; this is implemented in the Asterisk realtime database.

The first thing to do is edit /etc/asterisk/sip.conf and add the following line to the [general] section:

alwaysauthreject=yes

My sip.conf file looks like:

............
[general]
#include sip_general_additional.conf

bindport = 5060       ; Port to bind to (SIP is 5060)
bindaddr = 0.0.0.0    ; Address to bind to (all addresses on machine)
alwaysauthreject=yes  ; Reject failed REGISTER/INVITE with the same response whether or not
                      ; the peer exists, so an attacker cannot scan for valid usernames
disallow=all
allow=ulaw
allow=alaw
.............

Install fail2ban with:

sudo apt-get install fail2ban

After it is installed, you need to edit /etc/asterisk/logger.conf and add the following line under the [general] section (you may have to create this section before the [logfiles] section).

[general]
dateformat=%F %T

In /etc/asterisk/logger.conf add the following line under the [logfiles] section for Asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a date/time stamp that is usable by fail2ban.

syslog.local0 => notice 

Reload asterisk, as root, with:

sudo asterisk -rx "logger reload" 

Configuring fail2ban:

cd /etc/fail2ban/filter.d
touch asterisk.conf 
vi asterisk.conf

FOR ASTERISK 1.4, insert the following (copy & paste)

# Fail2Ban configuration file (for asterisk 1.4)
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

FOR ASTERISK 1.8, insert the following (copy & paste)

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
   
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.

[asterisk-iptables]
enabled  = true
# filter name = the file created above, /etc/fail2ban/filter.d/asterisk.conf
filter   = asterisk
# block every port for the offending address and mail a whois report to root
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
# failures before a ban, and ban length in seconds (259200 = 3 days)
maxretry = 2
bantime  = 259200

Locate the ignoreip line in /etc/fail2ban/jail.conf (near the beginning of the file) and insert the IPs and/or blocks you want fail2ban to ignore, so you don't risk banning yourself or any host in your network.

Mine is defined as follows:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be   
# defined using space separator.                                               
ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0/24 
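To see what the filter, jail and ignoreip settings above actually do before putting them live, here is a small Python script added to this page (it is not the wiki author's code and does not import fail2ban): it expands <HOST> the way the filter's comment describes, runs a few of the 1.4 and 1.8 failregex lines over constructed Asterisk log lines, and applies maxretry, findtime and ignoreip the way fail2ban does. The names FAILREGEX_14, FAILREGEX_18, bans() and the sample addresses are mine; findtime is not set on the page, so fail2ban's default of 600 s is assumed.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# <HOST> expansion quoted in the filter file's own comment block.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

# A few failregex lines copied from the page's two filters (1.4: bare '<HOST>',
# 1.8: '<HOST>:.*' because 1.8 logs the source as address:port).
FAILREGEX_14 = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
]
FAILREGEX_18 = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'",
]

# Jail settings from the page's [asterisk-iptables] and [DEFAULT] sections.
# findtime is not set on the page; 600 s is fail2ban's default (assumption).
MAXRETRY = 2
FINDTIME = 600
IGNOREIP = ["127.0.0.1", "192.168.80.1", "192.168.80.0/24"]

# Timestamp prefix that dateformat=%F %T in logger.conf produces.
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def compile_failregex(patterns):
    """Expand <HOST> as fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def match_failure(line, regexes):
    """Return (timestamp, host) if the line is an authentication failure, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for rx in regexes:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def is_ignored(host, ignoreip=IGNOREIP):
    """True if host lies inside one of the ignoreip addresses or CIDR blocks."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved in this example
    return any(addr in ip_network(entry, strict=False) for entry in ignoreip)


def bans(lines, patterns, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Hosts that reach maxretry failures within a findtime window, in ban order."""
    regexes = compile_failregex(patterns)
    recent = {}   # host -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        hit = match_failure(line, regexes)
        if hit is None:
            continue
        ts, host = hit
        if host in banned or is_ignored(host, ignoreip):
            continue
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample lines (documentation addresses, not real attackers):
# 1.4 format without a port, as in the page's attack log, plus a LAN phone
# inside ignoreip that gets its password wrong twice.
SAMPLE_14 = [
    "[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '\"thomas\"<sip:thomas@203.0.113.5>' failed for '203.0.113.5' - No matching peer found",
    "[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '\"letmein\"<sip:letmein@203.0.113.5>' failed for '203.0.113.5' - No matching peer found",
    "[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '\"100\"<sip:100@192.168.80.20>' failed for '192.168.80.20' - Wrong password",
    "[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '\"100\"<sip:100@192.168.80.20>' failed for '192.168.80.20' - Wrong password",
]
# 1.8 format: source logged as address:port.
SAMPLE_18 = [
    "[2013-01-23 10:00:00] NOTICE[1234] chan_sip.c: Registration from '\"sip1\" <sip:sip1@198.51.100.7>' failed for '198.51.100.7:5060' - No matching peer found",
    "[2013-01-23 10:00:01] NOTICE[1234] chan_sip.c: Registration from '\"sip2\" <sip:sip2@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password",
]

if __name__ == "__main__":
    print("1.4 filter, 1.4 lines:", bans(SAMPLE_14, FAILREGEX_14))  # ['203.0.113.5']
    print("1.8 filter, 1.4 lines:", bans(SAMPLE_14, FAILREGEX_18))  # []
    print("1.8 filter, 1.8 lines:", bans(SAMPLE_18, FAILREGEX_18))  # ['198.51.100.7']
    print("1.4 filter, 1.8 lines:", bans(SAMPLE_18, FAILREGEX_14))  # ['198.51.100.7:5060']
```

Running it shows why the two lists must not be mixed: the 1.4 patterns applied to 1.8-style address:port lines capture the port as part of the host, a value iptables cannot ban, while the 1.8 patterns match nothing in 1.4-style lines.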

To start fail2ban type the following as root:

/etc/init.d/fail2ban start

Check It

For LinuxMCE a small "patch" is needed, since fail2ban is not part of the distribution.

When LinuxMCE starts, it runs /usr/pluto/bin/Network_Firewall.sh, and this happens AFTER /etc/init.d/fail2ban has started.

So, edit /usr/pluto/bin/Network_Firewall.sh and add the following at the END of this file:

/etc/init.d/fail2ban restart

This will make sure that fail2ban is started AFTER the iptables rules from LinuxMCE are in place.

If it started properly, issue the following command to view your iptables rules:

iptables -L -v
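To check the listing mechanically rather than by eye, the following Python script, added here and not part of this page or of fail2ban, parses `iptables -L -v` output and reports, for every fail2ban-* chain, whether the INPUT chain still jumps to it and which sources it drops. The sample listing is constructed by me in the shape of the output shown on this page, and the chain names it expects and the function names are mine.

```python
import re

# Constructed sample in the shape of the `iptables -L -v` listing on this page
# (trimmed; 203.0.113.5 is a documentation address standing in for the banned host).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 2241 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
  372 27264 fail2ban-SSH  tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
1312K  991M fail2ban-ASTERISK  all  --  any    any     anywhere             anywhere
 553K   81M ACCEPT     all  --  lo     any     anywhere             anywhere
    4  1795 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:sip

Chain fail2ban-ASTERISK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5091 2125K DROP       all  --  any    any     203.0.113.5          anywhere
1307K  989M RETURN     all  --  any    any     anywhere             anywhere

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_listing(text):
    """Map each chain name to its rules (target, prot, source, destination, extra)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or the column header
        chains[current].append({"target": cols[2], "prot": cols[3], "source": cols[7],
                                "destination": cols[8], "extra": " ".join(cols[9:])})
    return chains


def check_fail2ban(text):
    """For each fail2ban-* chain: does INPUT still jump to it, and which sources does it DROP?"""
    chains = parse_listing(text)
    input_targets = {r["target"] for r in chains.get("INPUT", [])}
    return {
        name: {"hooked": name in input_targets,
               "banned": [r["source"] for r in rules if r["target"] == "DROP"]}
        for name, rules in chains.items() if name.startswith("fail2ban-")
    }


def missing_hooks(text, expected=("fail2ban-ASTERISK", "fail2ban-SSH")):
    """Expected fail2ban chains that are absent or no longer reached from INPUT,
    the symptom to look for if LinuxMCE's firewall script ran after fail2ban started."""
    report = check_fail2ban(text)
    return sorted(n for n in expected if n not in report or not report[n]["hooked"])


if __name__ == "__main__":
    for name, state in check_fail2ban(SAMPLE_LISTING).items():
        print(name, "hooked into INPUT:", state["hooked"], "banned:", state["banned"])
    print("chains INPUT no longer reaches:", missing_hooks(SAMPLE_LISTING))  # []
```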

You should see something like the following for the INPUT chain (this is the ouput of mine)

Chain INPUT (policy DROP 2241 packets, 160K bytes)              
 pkts bytes target     prot opt in     out     source               destination         
  372 27264 fail2ban-SSH  tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh                                                                                          
1312K  991M fail2ban-ASTERISK  all  --  any    any     anywhere             anywhere            
 553K   81M ACCEPT     all  --  lo     any     anywhere             anywhere                    
1288K 1162M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED                                                                               
    9   540 ACCEPT     all  --  any    any     anywhere             anywhere            MARK match 0x1                                                                                          
    2  1152 ACCEPT     udp  --  any    any     anywhere             anywhere            udp   dpt:bootps                                                                                          
19276 5790K ACCEPT     all  --  any    any     192.168.80.0/24      anywhere                    
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:iax                                                                                             
    4  1795 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:sip                                                                                             
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:2000                                                                                            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:sieve                                                                                           
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:1723                                                                                            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www                                                                                             
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh                                                                                             
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https                                                                                           
    1    50 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpts:10001:20000
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
Chain FORWARD (policy ACCEPT 719K packets, 245M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    ppp+    anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 2099K packets, 590M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
Chain fail2ban-ASTERISK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5091 2125K DROP       all  --  any    any     173.193.194.106-static.reverse.softlayer.com  anywhere
1307K  989M RETURN     all  --  any    any     anywhere             anywhere
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination

If you do not see something similar, you have some troubleshooting to do; start with /var/log/fail2ban.log.
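Because the LinuxMCE firewall script can silently undo fail2ban's rules, it is worth checking after every boot that the jail chains still exist and are still reached from INPUT. The following Python script is an added example, not code from this page, LinuxMCE or fail2ban: it parses the output of iptables -L -v -n and reports, per jail, whether the fail2ban chain exists, whether INPUT jumps to it, and which sources it currently drops. The jail names ASTERISK and SSH are taken from the listing above; the two embedded listings are constructed (address 203.0.113.5), one mirroring the healthy state above and one showing what is left after a script has flushed INPUT and deleted a chain.

```python
"""Verify that fail2ban's iptables chains survived the LinuxMCE firewall script."""
import re
import subprocess
import sys

CHAIN_HDR = re.compile(r"^Chain (\S+) \(")

# Constructed `iptables -L -v -n` output in the healthy state: INPUT jumps to
# both jail chains and the ASTERISK chain drops one banned address.
GOOD_LISTING = """\
Chain INPUT (policy DROP 2241 packets, 160K bytes)
 pkts bytes target     prot opt in     out     source               destination
  372 27264 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
1312K  991M fail2ban-ASTERISK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 553K   81M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4  1795 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
Chain fail2ban-ASTERISK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5091 2125K DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
1307K  989M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed output after a firewall script flushed INPUT and deleted the SSH
# chain: the ASTERISK chain still holds its DROP rule, but nothing jumps to
# it any more, so the ban is not enforced.
FLUSHED_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
Chain fail2ban-ASTERISK (0 references)
 pkts bytes target     prot opt in     out     source               destination
 5091 2125K DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
1307K  989M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def parse_listing(listing):
    """Parse `iptables -L -v -n` text into {chain: [(target, source), ...]}."""
    chains = {}
    current = None
    for line in listing.splitlines():
        hdr = CHAIN_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # Rule rows: pkts bytes target prot opt in out source destination [match]
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue
        chains[current].append((fields[2], fields[7]))
    return chains


def fail2ban_status(listing, jails=("ASTERISK", "SSH")):
    """Per jail chain: does it exist, does INPUT jump to it, what does it DROP."""
    chains = parse_listing(listing)
    input_targets = {target for target, _ in chains.get("INPUT", [])}
    status = {}
    for jail in jails:
        name = "fail2ban-" + jail
        rules = chains.get(name)
        status[name] = {
            "exists": rules is not None,
            "referenced": name in input_targets,
            "dropped": [src for target, src in (rules or []) if target == "DROP"],
        }
    return status


def missing_jail_chains(listing, jails=("ASTERISK", "SSH")):
    """Jail chains that are absent or no longer reachable from INPUT."""
    return [name for name, s in fail2ban_status(listing, jails).items()
            if not (s["exists"] and s["referenced"])]


if __name__ == "__main__":
    # Run as root on the real box, e.g. from cron, to catch a wiped ruleset.
    out = subprocess.run(["iptables", "-L", "-v", "-n"], capture_output=True,
                         text=True, check=True).stdout
    missing = missing_jail_chains(out)
    print("fail2ban chains OK" if not missing else "MISSING: " + ", ".join(missing))
    sys.exit(1 if missing else 0)
```

A chain that exists with "0 references" is the case to watch for: fail2ban's log still shows the ban, iptables still shows the DROP rule, yet nothing reaches it. That is exactly the state the restart line added to Network_Firewall.sh is meant to prevent.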

Example of my /var/log/fail2ban.log (173.193.194.106 is the real address of the attacker fail2ban banned):

....
2010-09-19 11:12:56,131 fail2ban.filter : INFO   Set maxRetry = 6
2010-09-19 11:12:56,133 fail2ban.filter : INFO   Set findtime = 600
2010-09-19 11:12:56,133 fail2ban.actions: INFO   Set banTime = 600
2010-09-19 11:12:56,138 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2010-09-19 11:12:56,139 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2010-09-19 11:12:56,141 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
2010-09-19 15:33:50,392 fail2ban.actions: WARNING [asterisk-iptables] Ban 173.193.194.106
2010-09-19 15:34:50,982 fail2ban.actions: WARNING [asterisk-iptables] 173.193.194.106 already banned

And this is the log (/var/log/asterisk/messages) showing the attack: the scanner sends one REGISTER per entry of a username wordlist, and every failed attempt is one line fail2ban can count (the jail above watches /var/log/asterisk/full, which also receives these NOTICE lines):

[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"liverpool"<sip:liverpool@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"nevermind"<sip:nevermind@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"getmein"<sip:getmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw325"<sip:bmw325@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw335"<sip:bmw335@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e4r5t6y"<sip:1q2w3e4r5t6y@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q1q2w2w"<sip:1q1q2w2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w1q2w"<sip:1q2w1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w"<sip:1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"11q22w"<sip:11q22w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2"<sip:q1w2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2e3"<sip:q1w2e3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"tvv03tvv03"<sip:tvv03tvv03@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                           
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd1"<sip:abcd1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd12"<sip:abcd12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd123"<sip:abcd123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"qq11ww22ee33rr44"<sip:qq11ww22ee33rr44@201.29.213.245>' failed for '173.193.194.106' - No matching peer found               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                       
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12"<sip:sip12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip123"<sip:sip123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1234"<sip:sip1234@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12345"<sip:sip12345@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1111"<sip:sip1111@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                 
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip222"<sip:sip222@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1qa2ws3ed"<sip:1qa2ws3ed@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234asdf"<sip:1234asdf@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d"<sip:1a2s3d@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d4f"<sip:1a2s3d4f@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"asdzxc"<sip:asdzxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"123zxc"<sip:123zxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                   
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234zxcv"<sip:1234zxcv@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"aazzssxx"<sip:aazzssxx@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssword"<sip:p@ssword@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@ssw0rd@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                               
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                     
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"password3"<sip:password3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                             
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass12"<sip:pass12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account"<sip:account@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"passlogin"<sip:passlogin@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account5"<sip:account5@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account6"<sip:account6@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account123"<sip:account123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account12"<sip:account12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc2"<sip:acc2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc12"<sip:acc12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found

One last tip: you need an MTA, like sendmail or postfix, in order to receive the notifications from fail2ban (the sendmail-whois action in the jail above).

If you have an MTA installed and properly configured, nothing else is needed; if not, install sendmail:

sudo apt-get install sendmail

Then edit the /etc/hosts file and change the line 192.168.80.1 dcerouter to read 192.168.80.1 dcerouter.localdomain dcerouter

With this change sendmail starts as expected (fast) and mail is delivered properly. Without it, sendmail takes a long time to start because it cannot find a fully qualified host name, as the log shows:

Sep 27 13:12:11 dcerouter sendmail[10585]: My unqualified host name (dcerouter) unknown; sleeping for retry


I hope this wiki helps.

source:

http://www.fail2ban.org
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
http://www.fail2ban.org/wiki/index.php/Asterisk

More protection with iptables:

http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082