[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny
nnair at pobox.com
Mon Aug 30 06:16:24 CDT 2010
I've recently had a fairly prolonged SIP registration attack, 18 hours in
this case and often with 200 attempts per second, and suspect I've had a
number of these in the past. The main symptom I noticed previously was,
because Asterisk was responding to each registration request it received,
it was very quickly using up my 448 kbps upload limit for my home ADSL
connection: any further traffic (i.e. anything I did) was then
experiencing significant packet loss.
Anyway, I've now implemented the "7 steps to better Asterisk security"
that I found on the Digium website (deny/permit, alwaysauthreject etc.),
and have been looking at fail2ban. However, when I attempted to install
it (following the instructions I found on a page about fail2ban with
Asterisk), I ran into a couple of issues.
FWIW, I'm using Asterisk 22.214.171.124~dfsg-3+lenny1 on Debian.
First, I tried uncommenting the line in /etc/asterisk/logger.conf, i.e.
and verified that the date format in /var/log/asterisk/full had, indeed,
changed (after I did an asterisk -rx 'logger reload', of course). It had
changed: it now started with the year, instead of Aug; however, the
parentheses were still there, whereas the instructions seemed to indicate
that they'd disappear when this line was used in logger.conf.
At that point, I presumed I'd have to use syslog, after all, as that was
given as the only alternative if the date format couldn't be fixed
properly. That wasn't my preference, but it was still workable.
The second snag I found was that, after I fixed sip.conf to include
appropriate deny= and permit= lines and alwaysauthreject=yes, the failed
registration attempts were no longer being logged in
/var/log/asterisk/full at all, despite my having the line
full => notice,warning,error,debug,verbose
in the logfiles section of logger.conf.
It seems that the attack was coming from a region that was denied in
sip.conf. This is obviously no problem from the security point of view,
as the attempt would inevitably fail; however, my issue isn't that the
attack might succeed, but rather, that by responding to the attack at all,
Asterisk is grinding my internet connection to a halt. And Asterisk is,
indeed, still responding, rather than just ignoring the attempts.
Is there a way to get Asterisk to log failed SIP registration attempts
that come from a denied IP address? Or a way to get it to simply ignore
I have a feeling that a major Debian release has come out recently, and
passed me by. I'm wondering if that contains Asterisk 1.6, and, if so,
whether all these issues (date format as well as logging sip registration
attempts from denied IP addresses) might be present in that release. That
would certainly present a neat solution - just upgrade my machine!
Any input very welcome.
Oh, if it's of any interest: I worked out what was going on by using
tshark (terminal version of wireshark). In 20 seconds, it captured well
over 7000 packets, rather than the 30 or so I was expecting - and these
included about 4000 packets arriving from one host with SIP registration
attempts, fully 200 per second...
More information about the asterisk-users