[asterisk-users] Asterisk 11 security log, fail2ban, drive-by SIP attacks

Giles Coochey giles at coochey.net
Mon Jul 8 10:19:47 CDT 2013


On 08/07/2013 16:11, Patrick Lists wrote:
> On 07/08/2013 01:46 PM, Giles Coochey wrote:
>> Just a note that I did a little work to extend FreePBX distro with some
>> extra Fail2Ban which deals with some drive-by SIP registration attempts.
>>
>> My regex is poor to middling, but the steps detailed here:
>> http://www.coochey.net/?p=61 manage to stop IPs which try to
>> authenticate against Asterisk which FreePBX was not able to stop
>> before.
>>
>> I would welcome any improvements anyone would care to submit and I'll
>> extend the article a little.
>>
>> The changes need the Asterisk security log feature, which I think was
>> only introduced in later versions of Asterisk (e.g. v11).
>
> It seems your rule is not yet present in fail2ban 0.8.10.0. The only 
> one close to it is:
>
> SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$
>
> See 
> https://github.com/fail2ban/fail2ban/blob/0.8.10/config/filter.d/asterisk.conf
>
> Might be an idea to submit it for future inclusion.
I think that regex above is far better than mine:

failregex = SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/<HOST>/

I think I will try and get it slightly better than my lowly attempt
before I try to submit it!! The example you give is probably a good
boilerplate for it!! I can probably just swap InvalidAccountID
for InvalidPassword.


Thanks

Giles

-- 
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net
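As an added illustration of the filter being discussed (this is example code written for this page, not fail2ban's own asterisk.conf and not Giles's rule), the block below applies a pattern modelled on the rule Patrick quoted, widened as Giles suggests to match InvalidPassword as well as InvalidAccountID, to a handful of constructed Asterisk 11 security-log lines and then applies fail2ban-style maxretry/findtime logic to them. Two things in it are assumptions rather than anything the thread states: fail2ban's `<HOST>` tag is replaced by a simple named group for IP literals instead of fail2ban's real expansion, and the end anchor is preceded by an optional tail because Asterisk's InvalidPassword events can append Challenge, ReceivedChallenge and ReceivedHash fields after RemoteAddress, which a pattern ending in `RemoteAddress="..."$` would reject. AccountID is also allowed to be any string rather than `[0-9]+`, since probes frequently try non-numeric usernames.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag. fail2ban substitutes its own host group;
# this simplified IPv4/IPv6-literal group is an assumption for the example.
HOST = r'(?P<host>[0-9a-fA-F:.]+)'

# Pattern modelled on the asterisk.conf rule quoted in the thread, extended to
# InvalidPassword. Relaxations versus the quoted rule: AccountID may be any
# string, and an optional Challenge/ReceivedChallenge/ReceivedHash tail is
# permitted before the end anchor (InvalidPassword events may carry it).
SECURITY_RE = re.compile(
    r'SECURITY(?:\[\d+\])?[^:]+: '
    r'SecurityEvent="(?P<event>InvalidAccountID|InvalidPassword)",'
    r'EventTV="(?P<tv>[0-9-]+)",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",'
    r'EventVersion="[0-9]+",AccountID="[^"]*",SessionID="0x[0-9a-f]+",'
    r'LocalAddress="IPV[46]/(?:UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",'
    r'RemoteAddress="IPV[46]/(?:UD|TC)P/' + HOST + r'/[0-9]+"'
    r'(?:,Challenge="[^"]*",ReceivedChallenge="[^"]*")?'
    r'(?:,ReceivedHash="[0-9a-f]*")?$'
)

# Constructed sample lines in the shape of the Asterisk 11 security log
# (documentation address ranges; not captured from a real system).
SAMPLE_LOG = """\
[2013-07-08 10:19:47] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1373296787-000123",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3c0800a1b0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5060"
[2013-07-08 10:19:48] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373296788-000456",Severity="Error",Service="SIP",EventVersion="2",AccountID="2001",SessionID="0x7f3c0800a2c0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5060",Challenge="4d5e6f70",ReceivedChallenge="4d5e6f70",ReceivedHash="0123456789abcdef0123456789abcdef"
[2013-07-08 10:19:49] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1373296789-000789",Severity="Error",Service="SIP",EventVersion="1",AccountID="admin",SessionID="0x7f3c0800a3d0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5060"
[2013-07-08 10:19:50] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1373296790-000012",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3c0800a4e0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2013-07-08 10:19:51] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373296791-000345",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7f3c0800a5f0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
"""


def parse_failures(lines):
    """Yield (epoch_seconds, event, host) for every line the filter matches.

    EventTV is "seconds-microseconds"; only the seconds part is used here.
    """
    for line in lines:
        m = SECURITY_RE.search(line)
        if m:
            seconds = int(m.group('tv').split('-')[0])
            yield seconds, m.group('event'), m.group('host')


def failures_per_host(log_text):
    """Count matched failure events per remote host."""
    return Counter(host for _, _, host in parse_failures(log_text.splitlines()))


def ban_candidates(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry matches inside some findtime-second window.

    These are the two knobs a fail2ban jail exposes; the window is evaluated
    over the EventTV timestamps of the matched lines.
    """
    times_by_host = {}
    for ts, _, host in parse_failures(log_text.splitlines()):
        times_by_host.setdefault(host, []).append(ts)
    banned = []
    for host, times in times_by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == '__main__':
    for host, n in failures_per_host(SAMPLE_LOG).items():
        print(f'{host}: {n} failed attempt(s)')
    print('would ban:', ban_candidates(SAMPLE_LOG))
```

The SuccessfulAuth line is deliberately left unmatched to show that the SecurityEvent alternation, not the SECURITY channel tag alone, is what selects failures; a pattern such as `SECURITY.*RemoteAddress=...` without that alternation would also count successful registrations from legitimate phones toward a ban.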

