Fail2ban - A tool against brute force

From LinuxMCE
Revision as of 00:16, 20 September 2010


Having Asterisk installed is almost an invitation for others wishing to place calls at your expense.

After configuring my SIP trunk, it did not take two days before someone was trying to register to take advantage of it.

Fail2ban prevented it, blocking the attacker with iptables rules.

Installing fail2ban is not complicated, and I will describe the steps to have it properly installed and configured, so you can protect your Asterisk and other services from brute-force attacks.

Install with:

sudo apt-get install fail2ban

After it is installed, edit /etc/asterisk/logger.conf and add the following line under the [general] section (you may have to create that section yourself, before the [logfiles] section). It makes Asterisk write an ISO date and a 24-hour time in front of every log line, which is a timestamp fail2ban can parse; without it the ban counting never starts.

[general]
dateformat=%F %T

Still in /etc/asterisk/logger.conf, add the following line under the [logfiles] section so that Asterisk also sends NOTICE level events to syslog (/var/log/messages) in addition to its normal log file. Note that the jail configured further down reads /var/log/asterisk/full, not syslog, so confirm that this file exists and actually receives the NOTICE lines (for example `grep -c 'Registration from' /var/log/asterisk/full` after a failed registration); the syslog copy is a convenience, not what fail2ban watches.

syslog.local0 => notice 

Reload asterisk with:

asterisk -rx "logger reload" 

Configuring fail2ban:

cd /etc/fail2ban/filter.d
touch asterisk.conf 
vi asterisk.conf

Insert the following (copy and paste):

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
#          Each line below is one alternative. The quoting around the From
#          header is the same on every Registration line, and the literal
#          parentheses in the MD5 message are escaped so they are matched
#          as text rather than treated as a regex group.
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Next, edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter. On fail2ban 0.8 and later you can put the section in /etc/fail2ban/jail.local instead; that file overrides jail.conf and is not replaced when the package is upgraded.

[asterisk-iptables]
enabled  = true
filter   = asterisk
# iptables-allports with protocol=all drops every packet from the banned host,
# not only SIP. sendmail-whois needs a working sendmail and the whois binary;
# drop that line if you do not want mail.
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
# ban after 5 failures inside findtime (default 600 s); 259200 s is 3 days
maxretry = 5
bantime  = 259200

Locate the line ignoreip in /etc/fail2ban/jail.conf (near the beginning of the file, in the [DEFAULT] section) and insert the IPs and/or network blocks you want fail2ban to ignore, so you do not risk banning yourself or any host on your own network. An entry without a CIDR mask is a single address, so a network must be written with its mask (for example 192.168.80.0/24).

Mine is defined as follows:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# Entries without a mask are single hosts; the /24 and /16 cover the networks
# (192.168.0.0/16 already contains 192.168.80.0/24, it is listed for clarity).
ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0/24 192.168.0.0/16

To start Fail2Ban type the following as root:

/etc/init.d/fail2ban start

Check It

If it started properly, issue the following command as root to view your iptables rules:

iptables -L -v

You should see something like the following for the INPUT chain

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target             prot opt in     out     source               destination
2104K  414M fail2ban-ASTERISK  all  --  any    any     anywhere             anywhere

If you do not see something similar to that, you have some troubleshooting to do; check /var/log/fail2ban.log for filter or action errors.
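To see what the filter and jail above actually do before trusting them with your phone system, here is an added example (not code from the LinuxMCE page or from fail2ban itself) that re-implements the matching and counting in Python and runs it over constructed log lines in the shape /var/log/asterisk/full has once dateformat=%F %T is set. The addresses, peer names and timestamps are made up; the regexes are the ones from filter.d/asterisk.conf, with `<HOST>` expanded the way fail2ban expands it. It also shows why the ignoreip entries need CIDR masks: the same LAN phone is banned when the list is written without them.

```python
# Added example, not part of the original page or of fail2ban: a small
# re-implementation of the asterisk filter and jail logic, run on
# constructed Asterisk log lines so matching and ignoreip can be checked offline.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex entries from filter.d/asterisk.conf. fail2ban expands the
# <HOST> tag to (?:::f{4,6}:)?(?P<host>\S+); the same substitution is done here.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
COMPILED = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEX]

# Timestamp prefix written by dateformat=%F %T, e.g. "[2010-09-20 00:16:00] NOTICE[...".
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample lines (made-up hosts and peers) in the format of /var/log/asterisk/full.
SAMPLE_LOG = [
    # an Internet scanner: five failures in two and a half minutes
    "[2010-09-20 00:10:01] NOTICE[2281] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.7>' failed for '203.0.113.7' - Wrong password",
    "[2010-09-20 00:10:05] NOTICE[2281] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.7>' failed for '203.0.113.7' - No matching peer found",
    "[2010-09-20 00:10:09] NOTICE[2281] chan_sip.c: Registration from '\"102\" <sip:102@203.0.113.7>' failed for '203.0.113.7' - Wrong password",
    "[2010-09-20 00:11:00] VERBOSE[2281] chan_sip.c:     -- Registered SIP '100' at 192.168.80.20:5060",
    "[2010-09-20 00:11:42] NOTICE[2281] chan_sip.c: Registration from '<sip:admin@203.0.113.7>' failed for '203.0.113.7' - Peer is not supposed to register",
    "[2010-09-20 00:12:30] NOTICE[2281] chan_sip.c: Registration from '\"103\" <sip:103@203.0.113.7>' failed for '203.0.113.7' - Wrong password",
    # a LAN phone with a mistyped password: six failures in under a minute
    *[f"[2010-09-20 00:20:{s:02d}] NOTICE[2281] chan_sip.c: Registration from '\"200\" <sip:200@192.168.80.50>' failed for '192.168.80.50' - Wrong password"
      for s in (0, 10, 20, 30, 40, 50)],
    # two IAX2-style failures from one host: below maxretry
    "[2010-09-20 00:30:00] NOTICE[2281] chan_iax2.c: Host 198.51.100.9 failed MD5 authentication for 'asterisk' (1a2b3c != 4d5e6f)",
    "[2010-09-20 00:30:20] NOTICE[2281] chan_iax2.c: 198.51.100.9 failed to authenticate as 'asterisk'",
    # a slow scanner: five failures thirty minutes apart, never five inside findtime
    *[f"[2010-09-20 {h:02d}:{m:02d}:00] NOTICE[2281] chan_iax2.c: No registration for peer 'guest' (from 198.51.100.44)"
      for h, m in ((1, 0), (1, 30), (2, 0), (2, 30), (3, 0))],
]

# The page's ignoreip has no masks, so 192.168.80.0 and 192.168.0.0 are single
# hosts; the corrected line uses /24 and /16 so the networks are ignored.
PAGE_IGNOREIP = "127.0.0.1 192.168.80.1 192.168.80.0 192.168.0.0"
FIXED_IGNOREIP = "127.0.0.1 192.168.80.1 192.168.80.0/24 192.168.0.0/16"


def parse_line(line):
    """Return (time, host) when a line matches one failregex, else None."""
    stamp = TIMESTAMP.match(line)
    if stamp is None:
        return None
    when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(line)
        if hit:
            return when, hit.group("host")
    return None


def parse_ignoreip(spec):
    """Space separated list; an entry without a mask becomes a /32 (one host)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in spec.split()]


def is_ignored(host, networks):
    """True if host is inside any ignoreip entry (DNS names are not resolved here)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def hosts_to_ban(lines, ignoreip, maxretry=5, findtime=600):
    """Approximate the jail: ban a host at its maxretry-th failure inside a
    findtime-second sliding window (600 s is fail2ban's default findtime).
    Returns {host: time of the ban}."""
    networks = parse_ignoreip(ignoreip)
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # host -> failure times still inside findtime
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        if host in banned or is_ignored(host, networks):
            continue
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry:
            banned[host] = when
    return banned


if __name__ == "__main__":
    for label, spec in (("ignoreip as on the page", PAGE_IGNOREIP), ("ignoreip with masks", FIXED_IGNOREIP)):
        print(label, hosts_to_ban(SAMPLE_LOG, spec))
```

With the masked ignoreip only 203.0.113.7 is banned (at its fifth failure, 00:12:30); with the page's unmasked list the LAN phone 192.168.80.50 is banned as well, which is exactly the self-lockout the ignoreip setting is meant to prevent. Raising findtime to three hours also catches the slow scanner 198.51.100.44, at the cost of more false positives from legitimately misconfigured phones. On the real host the equivalent check of the filter is `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf`, and `fail2ban-client status asterisk-iptables` lists what the running jail has banned.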

I hope this helps.

source: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk