Fail2ban with Asterisk 13
Even on a fresh AWS EC2 instance, with a fixed IP or not, I started seeing constant attempts to get access to my SIP server. Brute-force attacks against SIP are very common, so I am going to put a stop to this on my server by setting up Fail2Ban.
Prepare Asterisk (logger.conf)
Uncomment the following in your /etc/asterisk/logger.conf so that security events are written to their own log file:
[general]
dateformat = %F %T
...
[logfiles]
security = security
Installing and configuring fail2ban using apt-get
sudo apt-get update
sudo apt-get install fail2ban
Once finished, add the following to the end of /etc/fail2ban/jail.conf. Feel free to change the numbers (they are self-explanatory). The second action line is a continuation of the first, so it must stay indented.
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=to@domain.example, sender=from@domain.example]
logpath = /var/log/asterisk/security
maxretry = 2
bantime = 259200
Let's now create the regex for our ban. Run touch /etc/fail2ban/filter.d/asterisk.conf and add the following into this file:
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations are available, read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
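Before restarting anything, it is worth checking that these four failregex lines really pull the remote IP out of Asterisk 13 security log lines and that the jail's maxretry would fire on a repeat offender. The script below is an added example (not from the original post and not fail2ban's own code): it expands the <HOST> tag exactly as the alias in the filter comment describes, runs the patterns over a few constructed log lines in the /var/log/asterisk/security format, and reports which hosts have reached maxretry = 2.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag of a failregex into this alias
# (quoted from the comment block in filter.d/asterisk.conf).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The four failregex lines from /etc/fail2ban/filter.d/asterisk.conf.
FAILREGEX = [
    r'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]

# Constructed sample lines in the shape Asterisk 13 writes to the security log
# (documentation IP ranges): two failures from 203.0.113.7, one success and one
# failure from 198.51.100.20, one ACL failure from an IPv6 peer.
SAMPLE_LOG = [
    '[2016-04-09 10:15:01] SECURITY[2281] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",'
    'Service="SIP",AccountID="100",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"',
    '[2016-04-09 10:15:02] SECURITY[2281] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",'
    'Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.7/5062",Challenge="1a2b3c4d",ReceivedHash="0f1e2d3c"',
    '[2016-04-09 10:15:03] SECURITY[2281] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",'
    'Service="SIP",AccountID="1002",RemoteAddress="IPV4/UDP/198.51.100.20/5060",UsingPassword="1"',
    '[2016-04-09 10:15:04] SECURITY[2281] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",'
    'Service="SIP",AccountID="1002",RemoteAddress="IPV4/UDP/198.51.100.20/5060",Challenge="a1b2c3d4",Response="ffff"',
    '[2016-04-09 10:15:05] SECURITY[2281] res_security_log.c: SecurityEvent="FailedACL",Severity="Error",'
    'Service="SIP",AccountID="1003",RemoteAddress="IPV6/UDP/2001:db8::1/5060",ACLName="sip_acl"',
]


def match_host(line):
    """Return the remote IP from a line matching any failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=2):
    """Count matching lines per host (as the jail does within findtime) and
    return the hosts that have reached maxretry, with their failure counts."""
    counts = Counter(h for h in map(match_host, lines) if h is not None)
    return {host: n for host, n in counts.items() if n >= maxretry}
```

With the sample lines, only 203.0.113.7 reaches two failures, so `hosts_to_ban(SAMPLE_LOG)` returns `{"203.0.113.7": 2}`; the successful authentication is ignored because none of the four patterns name it.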
Testing fail2ban
Restart fail2ban with /etc/init.d/fail2ban restart, then reload the logger configuration in Asterisk (or restart Asterisk altogether) so the security log file is created.
Let's see what management commands we may use for our configuration:
- List jailed (banned) IPs using iptables:
iptables -L
Chain INPUT (policy ACCEPT)
target           prot opt source     destination
fail2ban-ASTERISK all  --  anywhere   anywhere
fail2ban-ssh      tcp  --  anywhere   anywhere    multiport dports ssh

Chain FORWARD (policy ACCEPT)
target           prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target           prot opt source     destination

Chain fail2ban-ASTERISK (1 references)
target           prot opt source     destination
RETURN           all  --  anywhere   anywhere

Chain fail2ban-ssh (1 references)
target           prot opt source     destination
RETURN           all  --  anywhere   anywhere
- List fail2ban jails (enabled settings):
fail2ban-client status
Status
|- Number of jail:	4
`- Jail list:		asterisk-tcp, asterisk-iptables, ssh, asterisk-udp
- Stop a jail (entity is the name of the jail, for example asterisk-iptables):
fail2ban-client stop entity
That's all! Questions are welcome in the comments below.