Fail2ban with Asterisk 13


Table of contents:

Even having fresh AWS EC2 instance with either fixed or not IP, I start seeing constant attempts to get access to my SIP server. Brute force attacks are very famous and now I’m going to change this in my server by setting Fail2Ban in place.

Prepare Asterisk (logger.conf) #

Uncomment the following in your /etc/asterisk/logger.conf

2dateformat = %F %T
5security = security

Installing and configuring fail2ban using apt-get manager #

1sudo apt-get update
2apt-get install fail2ban

Once finished, let’s add the following to the end of /etc/fail2ban/jail.conf. Feel free to change numbers (they are self-explained).

2enabled  = true
3filter   = asterisk
4action   = iptables-allports[name=ASTERISK, protocol=all]
5                  sendmail-whois[name=ASTERISK, dest=to@domain.example, sender=from@domain.example]
6logpath  = /var/log/asterisk/security
7maxretry = 2
8bantime = 259200

Let’s now create regex for our ban. Let’s do touch /etc/fail2ban/filter.d/asterisk.conf and add the following into this file:

 1# Fail2Ban configuration file
 4# $Revision: 250 $
 7# Read common prefixes. If any customizations available -- read them from
 8# common.local
 9#before = common.conf
11#_daemon = asterisk
12# Option:  failregex
13# Notes.:  regex to match the password failures messages in the logfile. The
14#          host must be matched by a group named "host". The tag "<host>" can</host>
15#          be used for standard IP/hostname matching and is only an alias for
16#          (?:::f{4,6}:)?(?P<host>\S+)</host>
17# Values:  TEXT
19failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<host>/.+?".*</host>
20            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<host>/.+?".*</host>
21            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<host>/.+?".*</host>
22            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<host>/.+?".*</host>
23# Option:  ignoreregex
24# Notes.:  regex to ignore. If this regex matches, the line is ignored.
25# Values:  TEXT
27ignoreregex =

Testing fail2ban #

Restart your fail2ban by /etc/init.d/fail2ban restart. Reload logger configuration (or even restart) your Asterisk.

Let’s see what management commands we may use for our configuration:

 1iptables -L
 2Chain INPUT (policy ACCEPT)
 3target     prot opt source               destination
 4fail2ban-ASTERISK  all  --  anywhere             anywhere
 5fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
 7Chain FORWARD (policy ACCEPT)
 8target     prot opt source               destination
10Chain OUTPUT (policy ACCEPT)
11target     prot opt source               destination
13Chain fail2ban-ASTERISK (1 references)
14target     prot opt source               destination
15RETURN     all  --  anywhere             anywhere
17Chain fail2ban-ssh (1 references)
18target     prot opt source               destination
19RETURN     all  --  anywhere             anywhere
1fail2ban-client status
3|- Number of jail:	4
4- Jail list:		asterisk-tcp, asterisk-iptables, ssh, asterisk-udp
1fail2ban-client stop entity

That’s all! Any questions - welcome to comments below.

comments powered by Disqus