Fail2ban with Asterisk 13


Even on a fresh AWS EC2 instance, with a fixed IP or not, I started seeing constant attempts to get access to my SIP server. Brute-force attacks against SIP are very common, and now I'm going to change this on my server by putting Fail2Ban in place.

Prepare Asterisk (logger.conf)

Uncomment the following in your /etc/asterisk/logger.conf, so that Asterisk writes its security events to /var/log/asterisk/security (the file fail2ban will watch):


[general]
dateformat = %F %T
...
[logfiles]
security = security

Installing and configuring fail2ban using the apt-get package manager


sudo apt-get update
sudo apt-get install fail2ban

Once finished, let's add the following to the end of /etc/fail2ban/jail.conf. Feel free to change the numbers (they are self-explanatory; bantime is in seconds, so 259200 is 3 days, and maxretry is the number of matched failures before a ban).


[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
                  sendmail-whois[name=ASTERISK, dest=to@domain.example, sender=from@domain.example]
logpath  = /var/log/asterisk/security
maxretry = 2
bantime = 259200

Let's now create the regex for our ban. Create the filter file with touch /etc/fail2ban/filter.d/asterisk.conf and add the following to it:


# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
#          RemoteAddress in the Asterisk security log looks like
#          "IPV4/UDP/203.0.113.7/5060", so <HOST> sits in the third field.
# Values:  TEXT
#
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
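Before restarting anything it is worth checking that the four failregex lines really match the security log format and attribute each failure to the right remote address. The script below is an added example (not part of the original post or of fail2ban): it expands <HOST> exactly as the comment above describes, runs the same patterns over constructed Asterisk 13 security-log lines, and applies the jail's maxretry=2 threshold; the sample lines, the sec_line() helper and the addresses are assumptions built for the demo.

```python
import re
from collections import Counter

# fail2ban's <HOST> alias, as quoted in the filter comment above.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Same four events as the failregex lines in asterisk.conf.
EVENTS = ("FailedACL", "InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword")
FAILREGEX = [
    re.compile(r'SECURITY.* SecurityEvent="%s".*RemoteAddress=".+?/.+?/%s/.+?".*' % (ev, HOST))
    for ev in EVENTS
]


def match_host(line):
    """Return the remote host if a line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=2):
    """Count matched failures per host; return hosts that reached maxretry."""
    counts = Counter(h for h in map(match_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


def sec_line(ts, event, account, remote):
    """Constructed Asterisk 13 security-log line (real lines carry more fields)."""
    return ('[%s] SECURITY[2101] res_security_log.c: SecurityEvent="%s",'
            'Severity="Error",Service="SIP",EventVersion="2",AccountID="%s",'
            'LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/%s/5060"'
            % (ts, event, account, remote))


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    sec_line("2017-03-10 12:00:01", "InvalidPassword", "100", "203.0.113.7"),
    sec_line("2017-03-10 12:00:02", "ChallengeResponseFailed", "100", "203.0.113.7"),
    sec_line("2017-03-10 12:00:03", "SuccessfulAuth", "200", "192.0.2.10"),   # must not match
    sec_line("2017-03-10 12:00:04", "InvalidAccountID", "1001", "198.51.100.23"),
    sec_line("2017-03-10 12:00:05", "FailedACL", "1001", "198.51.100.23"),
    "[2017-03-10 12:00:06] NOTICE[2101] chan_sip.c: Peer '100' is now Reachable",  # noise
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # → ['198.51.100.23', '203.0.113.7']
```

On a live box the same check is done with fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf, which reports how many lines each failregex matched.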

Testing fail2ban

Restart fail2ban with /etc/init.d/fail2ban restart, then reload the logger configuration in Asterisk (or simply restart Asterisk) so that the security log starts being written.

Let's see what management commands we may use for our configuration:

  • List jailed (banned) IPs using iptables

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ASTERISK  all  --  anywhere             anywhere
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
  • List fail2ban rules (enabled settings)

fail2ban-client status
Status
|- Number of jail:  4
`- Jail list:       asterisk-tcp, asterisk-iptables, ssh, asterisk-udp
  • Stop a jail (here the one we just created)

fail2ban-client stop asterisk-iptables

That's all! Any questions - welcome to comments below.
