[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

Nikhil Nair nnair at pobox.com
Mon Aug 30 06:16:24 CDT 2010


I've recently had a fairly prolonged SIP registration attack, 18 hours in 
this case and often with 200 attempts per second, and suspect I've had a 
number of these in the past.  The main symptom I noticed previously was, 
because Asterisk was responding to each registration request it received, 
it was very quickly using up my 448 kbps upload limit for my home ADSL 
connection: any further traffic (i.e. anything I did) was then 
experiencing significant packet loss.

Anyway, I've now implemented the "7 steps to better Asterisk security" 
that I found on the Digium website (deny/permit, alwaysauthreject etc.), 
and have been looking at fail2ban.  However, when I attempted to install 
it (following the instructions I found on a page about fail2ban with 
Asterisk), I ran into a couple of issues.

FWIW, I'm using Asterisk on Debian.

First, I tried uncommenting the line in /etc/asterisk/logger.conf, i.e.
dateformat=%F %T
and verified that the date format in /var/log/asterisk/full had, indeed, 
changed (after I did an asterisk -rx 'logger reload', of course).  It had 
changed: it now started with the year, instead of Aug; however, the 
parentheses were still there, whereas the instructions seemed to indicate 
that they'd disappear when this line was used in logger.conf.

At that point, I presumed I'd have to use syslog, after all, as that was 
given as the only alternative if the date format couldn't be fixed 
properly.  That wasn't my preference, but it was still workable.

The second snag I found was that, after I fixed sip.conf to include 
appropriate deny= and permit= lines and alwaysauthreject=yes, the failed 
registration attempts were no longer being logged in 
/var/log/asterisk/full at all, despite my having the line
full => notice,warning,error,debug,verbose
in the logfiles section of logger.conf.

It seems that the attack was coming from a region that was denied in 
sip.conf.  This is obviously no problem from the security point of view, 
as the attempt would inevitably fail; however, my issue isn't that the 
attack might succeed, but rather, that by responding to the attack at all, 
Asterisk is grinding my internet connection to a halt.  And Asterisk is, 
indeed, still responding, rather than just ignoring the attempts.

Is there a way to get Asterisk to log failed SIP registration attempts 
that come from a denied IP address?  Or a way to get it to simply ignore 
such attempts?

I have a feeling that a major Debian release has come out recently, and 
passed me by.  I'm wondering if that contains Asterisk 1.6, and, if so, 
whether all these issues (date format as well as logging sip registration 
attempts from denied IP addresses) might be present in that release.  That 
would certainly present a neat solution - just upgrade my machine!

Any input very welcome.

Oh, if it's of any interest: I worked out what was going on by using 
tshark (terminal version of Wireshark).  In 20 seconds, it captured well 
over 7000 packets, rather than the 30 or so I was expecting - and these 
included about 4000 packets arriving from one host with SIP registration 
attempts, fully 200 per second...
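The post describes the two things a log-based fail2ban filter for Asterisk depends on: the timestamp at the start of each line in /var/log/asterisk/full (which keeps its square brackets whether or not dateformat=%F %T is set) and the chan_sip "Registration from ... failed for ..." notice. The following is an added example, not code from the original post, from fail2ban or from the Asterisk project. It parses constructed sample log lines in both timestamp forms, extracts the source IP of each failed registration, and applies a sliding-window count in the style of fail2ban's maxretry/findtime to report which hosts crossed the threshold. The log wording and the sample addresses are assumptions modelled on the post, not captures.

```python
"""Fail2ban-style parsing of Asterisk 'full' log lines.

Added example (not from the original post, fail2ban or Asterisk). It assumes
the chan_sip NOTICE wording "Registration from '...' failed for '<ip>'" and
accepts both the default "[Aug 30 06:16:24]" timestamp and the
"[2010-08-30 06:16:24]" form produced by dateformat=%F %T in logger.conf.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Optional, Tuple

# The timestamp stays inside square brackets whichever dateformat is used,
# so the filter matches the brackets rather than expecting them to vanish.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+NOTICE\[\d+\]\s+chan_sip\.c:\s+"
    r"Registration from '[^']*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'"
)

# %F %T form first, then the default form (which carries no year).
TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%b %d %H:%M:%S")


def parse_timestamp(ts: str) -> Optional[datetime]:
    """Parse either supported timestamp form; None if neither matches."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(ts.strip(), fmt)
        except ValueError:
            continue
    return None


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, source_ip) for a failed-registration NOTICE, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = parse_timestamp(m.group("ts"))
    if ts is None:
        return None
    return ts, m.group("ip")


def offenders(lines: Iterable[str], maxretry: int = 5,
              findtime: int = 600) -> Dict[str, int]:
    """Sliding-window count in the style of fail2ban's maxretry/findtime.

    Returns {ip: peak_failures_in_window} for every IP that reached
    `maxretry` failures inside some `findtime`-second window.
    """
    window = timedelta(seconds=findtime)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated line, or a format this filter does not know
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample lines (not real captures): six failures from one host in
# the %F %T format, two from another host in the default format, and two
# lines the filter must ignore.
SAMPLE_LOG = [
    "[2010-08-30 06:10:00] NOTICE[2231] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "[2010-08-30 06:10:01] NOTICE[2231] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "[2010-08-30 06:10:02] NOTICE[2231] chan_sip.c: Registration from '\"102\" <sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "[2010-08-30 06:10:03] VERBOSE[2231] logger.c:     -- Registered SIP 'phone1' at 192.0.2.20 port 5060",
    "[2010-08-30 06:10:03] NOTICE[2231] chan_sip.c: Registration from '\"103\" <sip:103@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "[2010-08-30 06:10:04] NOTICE[2231] chan_sip.c: Registration from '\"104\" <sip:104@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "[2010-08-30 06:10:05] NOTICE[2231] chan_sip.c: Registration from '\"105\" <sip:105@192.0.2.10>' failed for '203.0.113.5' - No matching peer found",
    "[Aug 30 06:12:01] NOTICE[2231] chan_sip.c: Registration from '\"admin\" <sip:admin@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[Aug 30 06:12:09] NOTICE[2231] chan_sip.c: Registration from '\"admin\" <sip:admin@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "this line is not an Asterisk log entry at all",
]

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # hosts that reached maxretry within findtime
```

The filter only sees what Asterisk writes to the log; as the post notes, attempts from an address range that sip.conf already denies may never produce a "Registration ... failed" line, so a packet count such as the tshark figure above remains a separate signal from the log-based one.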
