[asterisk-users] Asterisk fail2ban filters - show us yours
Taylor, Jonn
jonnt at taylortelephone.com
Fri Dec 30 10:36:24 CST 2011
On 12/29/2011 01:55 PM, Bruce B wrote:
>
> Hi,
>
> I have added this line for asterisk 1.8 (i have allowguest=yes and
> context=default in sip.conf):
> NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected
> because extension not found in context 'default'.
>
> Em 29-12-2011 13:03, Patrick Lists escreveu:
> > Hi,
> >
> > In the thread "Interesting attack tonight & fail2ban them" Bruce
> B mentioned it would be nice to have input from the Community to
> come up with the best set of fail2ban filters. That's a great
> idea. So let's start with Bruce's filters (thanks!) and take it
> from there. Anyone have any improvements and/or additions?
> Apologies for the line wrap. No idea how to prevent that in
> Thunderbird. The filters are also at http://pastebin.com/6T9M1W3F
> >
> > Not sure but it may be possible that logging has changed between
> Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk
> version with your filters.
> >
> > For Asterisk 1.8:
> >
> > failregex = Registration from '.*' failed for
> '<HOST>(:[0-9]{1,5})?' - Wrong password
> > Registration from '.*' failed for
> '<HOST>(:[0-9]{1,5})?' - No matching peer found
> > Registration from '.*' failed for
> '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
> > Registration from '.*' failed for
> '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
> > Registration from '.*' failed for
> '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
> > NOTICE.* <HOST> failed to authenticate as '.*'$
> > NOTICE.* .*: No registration for peer '.*' (from <HOST>)
> > NOTICE.* .*: Host <HOST> failed MD5 authentication
> for '.*' (.*)
> > VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing
> 'ss-noservice' (language '.*')
> >
> >
> > There are 2 lines that I have which are not in this list:
> >
> > NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL
> error (permit/deny)
> > NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
> >
> > How about those (no idea for which Asterisk version they are)?
> >
> > Regards,
> > Patrick
>
>
> Thanks Patrick. This is a great initiative. Let's all build the
> strongest and most detailed filter possible. I actually looked at mine
> and now see that it has weaknesses due to Asterisk 1.8.8x giving
> different types of logs, or maybe FreePBX. Let's test, fix and append to
> the end of the filter. Everyone is welcome to contribute.
>
> So far we have:
>
> *For Asterisk 1.8:*
> failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Wrong password
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> No matching peer found
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Device does not match ACL
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Username/auth name mismatch
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' -
> Peer is not supposed to register
> NOTICE.* <HOST> failed to authenticate as '.*'$
> NOTICE.* .*: No registration for peer '.*' (from <HOST>)
> NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*'
> (.*)
> VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing
> 'ss-noservice' (language '.*') *#Outdated?*
> *#Situation:* allowguest=yes and context=default in sip.conf
> - *Tested by Diego Aguirre?*
> NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected
> because extension not found in context 'default'
>
> The following are what I found to be insecure but need escaping and
> fine tuning to work with filter:
>
> *Asterisk 1.8 + FreePBX:*
> *Situation:* When target is coming in from unknown DID -
> Needs character escaping
> Executing [unknown at from-sip-external:1] NoOp("SIP/10.0.0.6-00000001",
> "Received incoming SIP connection from unknown peer to unknown") in
> new stack
>
> *Situation:* Same as above except for an extension is called. Above
> was just IP call. Extension 011x doesn't exist.
> Executing [0115666666 at from-sip-external:1]
> NoOp("SIP/10.0.0.6-00000003", "Received incoming SIP connection from
> unknown peer to 0115666666") in new stack
>
> *Situation:* Same as above except for extension 101 does exist but
> system still rejects calls due to no guest allowed?!
> Executing [101 at from-sip-external:1] NoOp("SIP/10.0.0.6-00000005",
> "Received incoming SIP connection from unknown peer to 101") in new stack
>
> *All of above have this following which can be used as a universal
> filter:* Executing [s at from-sip-external:8]
> Playback("SIP/10.0.0.6-00000005", "ss-noservice") in new stack
>
> *Notice how this ss-noservice is different from the current
> outdated filter one:*
> VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice'
> (language '.*')
>
> -Bruce
>
Had one of my systems hit this morning too. Asterisk 1.8 branch + FreePBX
2.9, no anonymous. 260 call attempts in 2 minutes. Here is part of the
logs. I am updating my filter to see if it helps, THANKS Bruce!!!
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing
[15895076482935 at from-sip-external:1]
NoOp("SIP/184.107.201.234-000000cc", "Received incoming SIP connection
from unknown peer to 15895076482935") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing
[03131419338202 at from-sip-external:1]
NoOp("SIP/184.107.201.234-000000cd", "Received incoming SIP connection
from unknown peer to 03131419338202") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing
[15895076482935 at from-sip-external:2] Set("SIP/184.107.201.234-000000cc",
"DID=15895076482935") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing
[15895076482935 at from-sip-external:3]
Goto("SIP/184.107.201.234-000000cc", "s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Goto
(from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing
[s at from-sip-external:1] GotoIf("SIP/184.107.201.234-000000cc",
"0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Goto
(from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing
[s at from-sip-external:5] Set("SIP/184.107.201.234-000000cc",
"TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] func_timeout.c: Channel will hangup
at 2011-12-30 06:28:58.383 CST.
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing
[s at from-sip-external:6] Answer("SIP/184.107.201.234-000000cc", "") in
new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing
[89851352612168 at from-sip-external:1]
NoOp("SIP/184.107.201.234-000000ce", "Received incoming SIP connection
from unknown peer to 89851352612168") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing
[89851352612168 at from-sip-external:2] Set("SIP/184.107.201.234-000000ce",
"DID=89851352612168") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing
[89851352612168 at from-sip-external:3]
Goto("SIP/184.107.201.234-000000ce", "s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Goto
(from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing
[s at from-sip-external:1] GotoIf("SIP/184.107.201.234-000000ce",
"0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Goto
(from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing
[s at from-sip-external:5] Set("SIP/184.107.201.234-000000ce",
"TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing
[03131419338202 at from-sip-external:2] Set("SIP/184.107.201.234-000000cd",
"DID=03131419338202") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing
[03131419338202 at from-sip-external:3]
Goto("SIP/184.107.201.234-000000cd", "s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Goto
(from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing
[s at from-sip-external:1] GotoIf("SIP/184.107.201.234-000000cd",
"0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Goto
(from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing
[s at from-sip-external:5] Set("SIP/184.107.201.234-000000cd",
"TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] func_timeout.c: Channel will hangup
at 2011-12-30 06:28:58.393 CST.
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing
[s at from-sip-external:6] Answer("SIP/184.107.201.234-000000cd", "") in
new stack
[2011-12-30 06:28:43] VERBOSE[9256] func_timeout.c: Channel will hangup
at 2011-12-30 06:28:58.390 CST.
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing
[s at from-sip-external:6] Answer("SIP/184.107.201.234-000000ce", "") in
new stack
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP TOS
bits 184
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP CoS
mark 5
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing
[0442032987253 at from-sip-external:1] NoOp("SIP/184.107.201.234-000000cf",
"Received incoming SIP connection from unknown peer to 0442032987253")
in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing
[0442032987253 at from-sip-external:2] Set("SIP/184.107.201.234-000000cf",
"DID=0442032987253") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing
[0442032987253 at from-sip-external:3] Goto("SIP/184.107.201.234-000000cf",
"s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Goto
(from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing
[s at from-sip-external:1] GotoIf("SIP/184.107.201.234-000000cf",
"0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Goto
(from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing
[s at from-sip-external:5] Set("SIP/184.107.201.234-000000cf",
"TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] func_timeout.c: Channel will hangup
at 2011-12-30 06:28:58.458 CST.
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing
[s at from-sip-external:6] Answer("SIP/184.107.201.234-000000cf", "") in
new stack
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP TOS
bits 184
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP CoS
mark 5
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP TOS
bits 184
jonn
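To check the escaping Bruce says the FreePBX lines need, and to see that the old 'ss-noservice' pattern no longer fires on the Playback line, here is an added Python harness (not code from the thread, from fail2ban or from FreePBX) that runs candidate failregex lines over a constructed log in the shape of Jonn's. It assumes fail2ban's `<HOST>` expansion as shown and that the real log has `@` where the list archive prints ` at `; the IPs in the sample are documentation addresses.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with a host-capturing group; this is the
# pattern fail2ban 0.8.x used (assumption, adequate for IPv4 logs).
HOST = r"(?P<host>[\w\-.^_]*\w)"

def compile_failregex(pattern):
    """Turn a fail2ban-style failregex (with <HOST>) into a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST))

# Filter lines from the thread plus Bruce's two FreePBX lines with the escaping
# they need: \[ \] \( \) around the dialplan brackets and parentheses.
# Assumption: the live log has '@' where the archive shows ' at '.
FAILREGEX = [compile_failregex(p) for p in (
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"NOTICE.* .*: Call from '.*' \(<HOST>\) to extension '.*' rejected because extension not found in context 'default'",
    r'Executing \[\S+@from-sip-external:1\] NoOp\("SIP/<HOST>-[0-9a-f]+", "Received incoming SIP connection from unknown peer to .*"\)',
    r'Executing \[s@from-sip-external:\d+\] Playback\("SIP/<HOST>-[0-9a-f]+", "ss-noservice"\)',
)]

# The line Bruce flagged as outdated, kept only to show it no longer matches.
OLD_SS_NOSERVICE = compile_failregex(
    r"VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)")

def match_host(line, patterns=FAILREGEX):
    """Return the host captured by the first matching pattern, else None."""
    for rx in patterns:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def offenders(lines, maxretry=5):
    """Count matches per host, as fail2ban does, and return hosts at/over maxretry."""
    hits = Counter(h for h in map(match_host, lines) if h)
    return {h: n for h, n in hits.items() if n >= maxretry}

# Constructed sample log in the shape of Jonn's FreePBX output (not real data).
SAMPLE = [
    '[2011-12-30 06:28:43] VERBOSE[9254] pbx.c:     -- Executing [15895076482935@from-sip-external:1] NoOp("SIP/192.0.2.10-000000cc", "Received incoming SIP connection from unknown peer to 15895076482935") in new stack',
    '[2011-12-30 06:28:43] VERBOSE[9254] pbx.c:     -- Executing [s@from-sip-external:8] Playback("SIP/192.0.2.10-000000cc", "ss-noservice") in new stack',
    "[2011-12-30 06:28:44] NOTICE[9254] chan_sip.c: Registration from '\"100\" <sip:100@198.51.100.7>' failed for '192.0.2.10:5060' - Wrong password",
    '[2011-12-30 06:28:44] VERBOSE[9254] pbx.c:     -- Executing [200@from-internal:1] Dial("SIP/200-000000d0", "SIP/201") in new stack',
]

if __name__ == "__main__":
    print(offenders(SAMPLE, maxretry=3))              # {'192.0.2.10': 3}
    print(match_host(SAMPLE[1], [OLD_SS_NOSERVICE]))  # None: old filter misses FreePBX
```

Drop a real `/var/log/asterisk/full` into `SAMPLE` to see which of the proposed lines fire before committing them to `filter.d/asterisk.conf`.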