Fail2ban with Asterisk 13

Even on a fresh AWS EC2 instance, with either a fixed or a dynamic IP, I started seeing constant attempts to get access to my SIP server. Brute-force attacks against SIP are very common, and I'm going to change this on my server by putting Fail2Ban in place.

Prepare Asterisk (logger.conf)

Uncomment the following two lines in /etc/asterisk/logger.conf. The first gives every log line a timestamp that fail2ban can parse; the second sends the security events (failed registrations, bad passwords, ACL rejections) to their own file, /var/log/asterisk/security, which is the file fail2ban will watch:

dateformat = %F %T
security => security

(Asterisk's config parser treats = and => the same, so security = security also works.)

Installing and configuring fail2ban using apt-get

sudo apt-get update
sudo apt-get install fail2ban

Once finished, add the following jail to /etc/fail2ban/jail.local (create the file if it does not exist). Putting it in jail.local rather than at the end of jail.conf keeps it safe from being overwritten on the next package upgrade. Feel free to change the numbers (they are self-explanatory): maxretry = 2 bans after the second failure seen inside the findtime window (fail2ban's default is 600 seconds), and bantime = 259200 is three days.

[asterisk]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=to@domain.example, sender=from@domain.example]
logpath  = /var/log/asterisk/security
maxretry = 2
bantime  = 259200

Two things to keep in mind: sendmail-whois needs a working local MTA, so drop that action line if you don't have one, and with maxretry = 2 a fat-fingered password on your own phone will lock you out of everything (iptables-allports blocks every port), so put your own addresses in ignoreip in the [DEFAULT] section of jail.local.

Let's now create the regex for our ban. Do touch /etc/fail2ban/filter.d/asterisk.conf and add the following to this file. The [Definition] section header is required: fail2ban looks for failregex inside it and ignores the file otherwise. The <HOST> tag must be written in upper case, exactly as fail2ban documents it. The four patterns pull the remote IP out of the RemoteAddress="IPV4/UDP/1.2.3.4/5060" field that Asterisk writes for each security event:

# Fail2Ban configuration file
# $Revision: 250 $
#
# Read common prefixes. If any customizations available -- read them from
# common.local
#[INCLUDES]
#before = common.conf

[Definition]
#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
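To see what the filter and the jail actually do before pointing them at a live server, here is an added example (my own code, not part of the original post or of fail2ban) that replays the four failregex patterns and the jail's maxretry/findtime logic over a handful of constructed log lines in the layout Asterisk 13 writes to /var/log/asterisk/security. Two assumptions are baked in: <HOST> is expanded to the pattern fail2ban 0.8 uses, `(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`, whose character class stops at the `/` before the port (the `\S+` shorthand in the filter's header comment would run past it), and findtime is fail2ban's default of 600 seconds because the jail does not set one. The IP addresses are documentation ranges, not real attackers.

```python
"""Replay the asterisk.conf failregex and the jail's maxretry/findtime
logic over a few constructed Asterisk 13 security-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: fail2ban (0.8.x) expands <HOST> to this pattern; the character
# class contains no "/", so the capture stops before the trailing port.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The four failregex lines from filter.d/asterisk.conf with <HOST> expanded.
EVENTS = ("FailedACL", "InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword")
FAILREGEX = [
    re.compile(r'SECURITY.* SecurityEvent="{}".*RemoteAddress=".+?/.+?/{}/.+?".*'.format(ev, HOST))
    for ev in EVENTS
]

# Timestamp prefix produced by logger.conf "dateformat = %F %T".
STAMP = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")

# Constructed sample lines (not a real capture) in the field layout Asterisk 13
# writes to /var/log/asterisk/security; some fields are omitted for brevity.
SAMPLE_LOG = """\
[2016-03-09 10:22:15] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062",Challenge="0f3a1b2c",ReceivedHash="d41d8cd98f00b204e9800998ecf8427e"
[2016-03-09 10:22:16] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="admin",LocalAddress="IPV6/UDP/::ffff:10.0.0.5/5060",RemoteAddress="IPV6/UDP/::ffff:203.0.113.7/5062"
[2016-03-09 10:30:00] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="2002",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.4/5060",Challenge="3c9e1b2a"
[2016-03-09 11:00:00] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="2002",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.4/5060",Challenge="7b1d44e0"
[2016-03-09 11:00:05] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/192.0.2.9/5060",UsingPassword="1"
"""


def match_line(line):
    """Return (timestamp, host) when one of the failregex patterns matches, else None."""
    stamp = STAMP.match(line)
    if not stamp:
        return None
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
            return when, m.group("host")
    return None


def scan(lines, maxretry=2, findtime=600):
    """Ban a host on its maxretry-th failure inside a findtime-second window.

    maxretry=2 is the jail setting above; findtime=600 is fail2ban's default
    (assumption: the jail does not override it). Returns hosts in ban order.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        when, host = hit
        # Forget failures that have aged out of the window, then count this one.
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for host in scan(SAMPLE_LOG.splitlines()):
        print("would ban", host)
```

Run as-is it bans only 203.0.113.7: two failures one second apart. The IPv4-mapped form ::ffff:203.0.113.7 on the second line is folded to the same address by the optional prefix in <HOST>, so both lines count against one host. 198.51.100.4 fails twice but thirty minutes apart, which is outside the default findtime, so it is left alone; raise findtime to 3600 and it gets banned too. The SuccessfulAuth line matches none of the four patterns and is ignored. On the real box the equivalent check is fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf, which reports how many lines the filter matched.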

Testing fail2ban

Reload Asterisk's logger configuration first with sudo asterisk -rx "logger reload" (or restart Asterisk) so that /var/log/asterisk/security exists, then restart fail2ban with sudo /etc/init.d/fail2ban restart. The order matters: fail2ban refuses to start a jail whose logpath does not exist yet. You can check that the filter matches what is already in the log with sudo fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf, and you can watch bans happen in /var/log/fail2ban.log.

Let's see what management commands we may use for our configuration:

  • List jailed (banned) IPs using iptables. fail2ban creates one chain per jail and hooks it into INPUT; while nothing is banned the chain holds only the final RETURN rule, and every banned address shows up as an extra DROP or REJECT line above it:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ASTERISK  all  --  anywhere             anywhere
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
  • List the running jails (the names are whatever you enabled in your jail configuration)
sudo fail2ban-client status
|- Number of jail:	4
`- Jail list:		asterisk-tcp, asterisk-iptables, ssh, asterisk-udp
  • Show the failure counters and currently banned IPs of one jail
sudo fail2ban-client status <jail>
  • Unban an address you locked out by mistake
sudo fail2ban-client set <jail> unbanip <ip>
  • Stop a jail (this also removes its iptables chain and the bans in it)
sudo fail2ban-client stop <jail>

That's all! Any questions are welcome in the comments below.
