Fail2ban - A tool against brute force

From LinuxMCE
Revision as of 01:15, 20 September 2010 by Pw44 (Talk | contribs)

Jump to: navigation, search


Having asterik installed is almost an invitation for others wishing to place calls at your expense.

After configuring my sip trunk, i did not take 2 days and someone was trying to register to take advantage of it.

Fail2ban prevented it, blocking the attacker.

Installing fail2ban is not complicated.

I will describe the steps to have it properly installed and configured, so you can protect your asterisk and other services from brute force attack.

Install with:

sudo apt-get install fail2ban

After is installed, you need to change /etc/asterisk/logger.conf and add the following line under [general] section (You may have to create this before the [logfiles] section).

[general]
dateformat=%F %T

In /etc/asterisk/logger.conf add the following line under the [logfiles] section for Asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by Fail2Ban.

syslog.local0 => notice 

Reload asterisk with:

asterisk -rx "logger reload" 

Configuring fail2ban:

cd /etc/fail2ban/filter.d
touch asterisk.conf 
vi asterisk.conf

insert the following (copy & paste)

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter.

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 259200

Locate the line ignoreip in /etc/fail2ban/jail.conf (beginning of the file) and insert the ip's and / or blocks you want fail2ban to ignore, so you don't risk banning yourserf or any host in your network.

Mine is defined as follows:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be   
# defined using space separator.                                               
ignoreip = 127.0.0.1 192.168.80.1 192.168.80.0 192.168.0.0

To start Fail2Ban type the following as root:

/etc/init.d/fail2ban start

Check It

If started properly issue the following command to view your iptables rules:

iptables -L -v

You should see something like the following for the INPUT chain

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
2104K  414M fail2ban-ASTERISK  all  —  any    any     anywhere             anywhere

If you do not seem something similar to that then you have some troubleshooting to, check out /var/log/fail2ban.log.

I hope this helps.

source: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk