Difference between revisions of "Fail2ban - A tool against brute force"
Line 5: | Line 5: | ||
After configuring my sip trunk, i did not take 2 days and someone was trying to register to take advantage of it. | After configuring my sip trunk, i did not take 2 days and someone was trying to register to take advantage of it. | ||
− | Fail2ban prevented it, blocking the attacker. | + | Fail2ban prevented it, blocking the attacker with iptables rules. |
− | Installing fail2ban is not complicated | + | Installing fail2ban is not complicated and i will describe the steps to have it properly installed and configured, so you can protect your asterisk and other services from brute force attack. |
− | + | ||
− | + | ||
Install with: | Install with: |
Revision as of 01:16, 20 September 2010
Having asterik installed is almost an invitation for others wishing to place calls at your expense.
After configuring my sip trunk, i did not take 2 days and someone was trying to register to take advantage of it.
Fail2ban prevented it, blocking the attacker with iptables rules.
Installing fail2ban is not complicated and i will describe the steps to have it properly installed and configured, so you can protect your asterisk and other services from brute force attack.
Install with:
sudo apt-get install fail2ban
After is installed, you need to change /etc/asterisk/logger.conf and add the following line under [general] section (You may have to create this before the [logfiles] section).
[general] dateformat=%F %T
In /etc/asterisk/logger.conf add the following line under the [logfiles] section for Asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by Fail2Ban.
syslog.local0 => notice
Reload asterisk with:
asterisk -rx "logger reload"
Configuring fail2ban:
cd /etc/fail2ban/filter.d
touch asterisk.conf
vi asterisk.conf
insert the following (copy & paste)
# Fail2Ban configuration file # # # $Revision: 250 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] #_daemon = asterisk # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register NOTICE.* <HOST> failed to authenticate as '.*'$ NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@<HOST>.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.
[asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org] logpath = /var/log/asterisk/full maxretry = 5 bantime = 259200
Locate the line ignoreip in /etc/fail2ban/jail.conf (beginning of the file) and insert the ip's and / or blocks you want fail2ban to ignore, so you don't risk banning yourserf or any host in your network.
Mine is defined as follows:
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0 192.168.0.0
To start Fail2Ban type the following as root:
/etc/init.d/fail2ban start
Check It
If started properly issue the following command to view your iptables rules:
iptables -L -v
You should see something like the following for the INPUT chain
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2104K 414M fail2ban-ASTERISK all — any any anywhere anywhere
If you do not seem something similar to that then you have some troubleshooting to, check out /var/log/fail2ban.log.
I hope this helps.
source: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk