Asterisk - Fail2ban

This document discusses using Fail2ban to block brute force attacks on Asterisk VOIP PBX systems exposed to the internet. It provides configuration details for Fail2ban jail rules and filters to log and block attempts to register without authentication that were previously not blocked. The Asterisk team introduced a new security log in version 10.x that Fail2ban can use to block these attacks. Older versions may require enabling syslog logging in Asterisk and pointing Fail2ban to the syslog file. Regular expressions for Fail2ban filters to detect failed registrations and authentication attempts in Asterisk logs are also provided.

Asterisk

From Fail2ban

Asterisk is an open source VOIP PBX. If you have your Asterisk exposed to the Internet, you may see people brute forcing for usernames and passwords. Apart from the obvious security risks, this often occurs at a high rate, causing high CPU and bandwidth usage.

WARNING: There are certain types of Asterisk attacks fail2ban is ineffective against. For more details see the discussion page. (This mainly applies to Asterisk versions before 10.x; for later versions see the info below.)

Asterisk 10.x and newer

The Asterisk team have introduced a new log, the security log. This takes care of logging extra information for security events which can be used by fail2ban to stop attacks, especially attempts to make calls without registration, which couldn't be blocked with fail2ban before.

First the security log needs to be enabled in /etc/asterisk/logger.conf:

messages => security,notice,warning,error

Also, modify the date format so fail2ban understands the log file:

[general]
dateformat=%F %T

Then restart the Asterisk logger module:

asterisk -rx "logger reload"

For filter examples, use the ones coming with fail2ban. Don't forget to point fail2ban (in jail.conf) to /var/log/asterisk/messages, or to /var/log/asterisk/messages and /var/log/asterisk/security if you have configured the security log separate from the main log. The above config will output security messages in the main Asterisk log.
Older Asterisk versions without the /var/log/asterisk/security log

Asterisk 1.4 (Debian: 1:1.4.21.2~dfsg3+lenny1)

[Aug 8 14:31:33] NOTICE[1687] chan_sip.c: Registration from '"150" <sip:150@hostname>' failed for '192.0.2.1' - No matching peer found
Aug 8 14:31:33 hostname asterisk[1617]: NOTICE[1687]: chan_sip.c:15642 in handle_request_register: Registration from '"154" <sip:154@hostname>' failed for '192.0.2.1' - No matching peer found

The first line is from /var/log/asterisk/messages, which is written by Asterisk. It is not usable for fail2ban (0.8.3) because of the timestamp that is enclosed in brackets.

The second line is what you get if you instruct Asterisk to log to syslog by adding syslog.local0 => notice,warning,error to /etc/asterisk/logger.conf (and obviously configuring your syslogd to log local0 to some file).

Fail2ban 0.8.3+ recognizes the Asterisk 1.8.x log format and there's no need to enable syslog.local0, as it'll just fill up your messages/syslog file. Use fail2ban-regex to test your conf files and you'll see they're working.

Template:Logger.conf

05/14/2011 Don't forget to add this to /etc/asterisk/logger.conf.

[general]
dateformat=%F %T

That's important, otherwise fail2ban will not be able to properly parse the log file.
FSD

Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

failregex = asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - No matching peer found

Setting Asterisk Conf & Jail Rules

jail.conf:

[DEFAULT]
bantime  = 3600
findtime = 21600
maxretry = 3
backend  = auto

[asterisk-iptables]
# if more than 4 attempts are made within 6 hours, ban for 24 hours
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, [email protected], [email protected]]
logpath  = /var/log/asterisk/messages
maxretry = 4
findtime = 21600
bantime  = 86400

filter.d/asterisk.conf file for Asterisk 1.4/1.6:

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#
[INCLUDES]
# Read common prefixes. If any customizations available read them from
# common.local
before = common.conf

[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Note: every pattern must contain exactly one <HOST> tag; the "No registration"
# and "MD5 authentication" lines below carry one for that reason.
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*".*failed for '<HOST>' - Peer is not supposed to register
            VERBOSE.*SIP/<HOST>.*Received incoming SIP connection from unknown peer

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

filter.d/asterisk.conf file for Asterisk 1.8:

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#
[INCLUDES]
# Read common prefixes. If any customizations available read them from
# common.local
before = common.conf

[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>.*Received incoming SIP connection from unknown peer

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
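As an added example (not code from this page or from the fail2ban project), the Python script below ties together the <HOST> alias from the Failregex section, the maxretry/findtime settings from jail.conf and a subset of the Asterisk 1.8 failregex lines: it applies those patterns to a constructed log written with dateformat=%F %T and reports which hosts would reach the ban threshold. The log lines, extension names and addresses are constructed, and the sliding window only mimics a jail's maxretry/findtime behaviour rather than reproducing fail2ban's own implementation.

```python
import re
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag with this named group (quoted on the page).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"
# A subset of the Asterisk 1.8 failregex lines from this page.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]
# Timestamp prefix written by Asterisk with "dateformat=%F %T" in logger.conf.
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
# Constructed sample log; hosts are documentation addresses, not real peers.
SAMPLE_LOG = """\
[2013-07-05 11:00:01] NOTICE[1687] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '192.0.2.1:5060' - Wrong password
[2013-07-05 11:00:02] NOTICE[1687] chan_sip.c: Registration from '"101" <sip:101@pbx>' failed for '192.0.2.1:5060' - No matching peer found
[2013-07-05 11:00:03] NOTICE[1687] chan_sip.c: No registration for peer '102' (from 192.0.2.1)
[2013-07-05 11:00:04] NOTICE[1687] chan_sip.c: 192.0.2.1 tried to authenticate with nonexistent user '103'
[2013-07-05 11:00:05] NOTICE[1687] chan_sip.c: Registration from '"200" <sip:200@pbx>' failed for '::ffff:198.51.100.7:5060' - Wrong password
[2013-07-05 11:00:06] VERBOSE[1687] logger.c: -- Registered SIP '100' at 203.0.113.9:5060
""".splitlines()

def match_failure(line):
    """Return (timestamp, host) when a failregex matches the line, else None."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    for rx in COMPILED:
        m = rx.search(line)
        if m:  # the optional ::ffff: prefix is consumed, so host is the bare IPv4
            return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None

def hosts_to_ban(lines, maxretry=4, findtime=21600):
    """Per-host sliding window: ban once maxretry failures fall within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        ts, host = hit
        recent[host] = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the jail values from this page (maxretry = 4, findtime = 21600) only 192.0.2.1 is banned; the single failure from 198.51.100.7 stays below the threshold.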

Retrieved from "http://www.fail2ban.org/wiki/index.php?title=Asterisk&oldid=4911"
Category: VOIP
This page was last modified on 5 July 2013, at 11:33.
Content is available under GNU Free Documentation License.
