Fail2ban - A tool against brute force
Having asterik installed is almost an invitation for others wishing to place calls at your expense.
After configuring my sip trunk, i did not take 2 days and someone was trying to register to take advantage of it.
Fail2ban prevented it, blocking the attacker.
Installing fail2ban is not complicated.
I will describe the steps to have it properly installed and configured, so you can protect your asterisk and other services from brute force attack.
Install with:
sudo apt-get install fail2ban
After is installed, you need to change /etc/asterisk/logger.conf and add the following line under [general] section (You may have to create this before the [logfiles] section).
[general] dateformat=%F %T
In /etc/asterisk/logger.conf add the following line under the [logfiles] section for Asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by Fail2Ban.
syslog.local0 => notice
Reload asterisk with:
asterisk -rx "logger reload"
Configuring fail2ban:
cd /etc/fail2ban/filter.d
touch asterisk.conf
vi asterisk.conf
insert the following (copy & paste)
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200
Locate the line ignoreip in /etc/fail2ban/jail.conf (beginning of the file) and insert the ip's and / or blocks you want fail2ban to ignore, so you don't risk banning yourserf or any host in your network.
Mine is defined as follows:
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0 192.168.0.0
To start Fail2Ban type the following as root:
/etc/init.d/fail2ban start
Check It
If started properly issue the following command to view your iptables rules:
iptables -L -v
You should see something like the following for the INPUT chain
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2104K 414M fail2ban-ASTERISK all — any any anywhere anywhere
If you do not seem something similar to that then you have some troubleshooting to, check out /var/log/fail2ban.log.
I hope this helps.
