[asterisk-users] Asterisk fail2ban filters - show us yours

Bruce B bruceb444 at gmail.com
Thu Dec 29 13:55:31 CST 2011 

>
> Hi,
>
> I Have added this line for asterisk 1.8 (i have allowguest=yes and
> context=default in sip.conf):
> NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected because
> extension not found in context 'default'.
>
> Em 29-12-2011 13:03, Patrick Lists escreveu:
> > Hi,
> >
> > In the thread "Interesting attack tonight & fail2ban them" Bruce B
> mentioned it would be nice to have input from the Community to come up with
> the best set of fail2ban filters. That's a great idea. So let's start with
> Bruce's filters (thanks!) and take it from there. Anyone have any
> improvements and/or additions? Apologies for the line wrap. No idea how to
> prevent that in Thunderbird. The filters are also at
> http://pastebin.com/6T9M1W3F
> >
> > Not sure but it may be possible that logging has changed between
> Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version with
> your filters.
> >
> > For Asterisk 1.8:
> >
> > failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Wrong password
> >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> No matching peer found
> >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Device does not match ACL
> >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Username/auth name mismatch
> >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Peer is not supposed to register
> >             NOTICE.* <HOST> failed to authenticate as '.*'$
> >             NOTICE.* .*: No registration for peer '.*' (from <HOST>)
> >             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*'
> (.*)
> >             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice'
> (language '.*')
> >
> >
> > There are 2 lines that I have which are not in this list:
> >
> > NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error
> (permit/deny)
> > NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
> >
> > How about those (no idea for which Asterisk version they are)?
> >
> > Regards,
> > Patrick
>

Thanks Patrick. This is a great initiative. Let's all build the strongest
and most detailed filter possible. I actually looked at mine and now see
that it has weaknesses due Asterisk 1.8.8x giving different type of logs or
maybe FreePBX. Let's test, fix and append to the end of the filter.
Everyone is welcome to contribute.

So far we have:

*For Asterisk 1.8:*
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
Wrong password
           Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No
matching peer found
           Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
Device does not match ACL
           Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
Username/auth name mismatch
           Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer
is not supposed to register
           NOTICE.* <HOST> failed to authenticate as '.*'$
           NOTICE.* .*: No registration for peer '.*' (from <HOST>)
           NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
           VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice'
(language '.*') *#Outdated?*
          #*Situation:* allowguest=yes and context=default in sip.con - *Tested
by **Diego Aguirre?*
           NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected
because extension not found in context 'default'

The following are what I found to be insecure but need escaping and fine
tuning to work with filter:

*Asterisk 1.8 + FreePBX:*
*Situation:* When target is coming in from unknown DID -
Needs character escaping
Executing [unknown at from-sip-external:1] NoOp("SIP/10.0.0.6-00000001",
"Received incoming SIP connection from unknown peer to unknown") in new
stack

*Situation:* Same as above except for an extension is called. Above was
just IP call. Extension 011x doesn't exist.
Executing [0115666666 at from-sip-external:1] NoOp("SIP/10.0.0.6-00000003",
"Received incoming SIP connection from unknown peer to 0115666666") in new
stack

*Situation: *Same as above except for extension 101 does exist but system
still rejects calls due to no guest allowed?!
Executing [101 at from-sip-external:1] NoOp("SIP/10.0.0.6-00000005", "Received
incoming SIP connection from unknown peer to 101") in new stack

*All of above have this following which can be used as a universal
filter: *Executing
[s at from-sip-external:8] Playback("SIP/10.0.0.6-00000005", "ss-noservice")
in new stack *
*
*
***Notice how this ss-noservice is difference from current the outdated
filter one:
*VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language
'.*')*

-Bruce
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20111229/acce437e/attachment.htm>

More information about the asterisk-users mailing list