[asterisk-users] fail2ban Asterisk 13.13.1

Telium Technical Support support at telium.ca
Wed Mar 1 20:53:14 CST 2017


If this is a small site, I recommend you download the free version of SecAst
(www.telium.ca) and replace fail2ban.  SecAst does NOT use the log file, or
regexes, to match etc.  Instead it talks to Asterisk through the AMI to extract
security information.  Messing with regexes is a losing battle, and the lag in
reading logs can allow an attacker 100+ registration attempts before fail2ban
even does anything (assuming the IP is exposed in the Asterisk log).

If this is a large install then post in the commercial list for more
information.


-Raj-


From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tech Support
Sent: Wednesday, March 1, 2017 2:37 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
<asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1


It's possible that you need to increase the value of 'findtime' to
something greater than 300 secs. You also may want to set "timestamp = yes"
in asterisk.conf so each line in the CLI will be time stamped. Time stamping
it will be the definitive determination on whether or not the 'findtime' is
the culprit.

Regards;

John V.


From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Motty Cruz
Sent: Wednesday, March 01, 2017 01:29 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] fail2ban Asterisk 13.13.1


Hello, fail2ban does not ban offending IP.

NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong password

NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53911' - Wrong password

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 300

[asterisk-iptables]
enable = true
port     = 5060,5061
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=motty@email.com, sender=fail2ban@asterisk-ip.com]
#action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 3
findtime  = 300
bantime  = -1

in filter.d/asterisk.conf:

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password

ignoreregex =

Thanks

Motty
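Added example (written for this page; it is not from any poster in the thread and not fail2ban's own code). The two NOTICE lines quoted in the original post carry a source port after the address ('offending-IP:53417'). The first failregex block allows for that with '<HOST>(:\d+)?'; the 'Wrong password' pattern in the second block expects the closing quote right after <HOST>, so it cannot match those lines. The script below tests both shapes against constructed log lines in the format of /var/log/asterisk/messages and re-implements the jail's maxretry/findtime counting so the effect of the 300-second window can be checked. Assumptions: the <HOST> stand-in is IPv4-only (fail2ban's real tag also handles IPv6 and host names, but like the stand-in it does not swallow a ':port' suffix), and the addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/asterisk/messages: the NOTICE text is the one
# quoted in the post, prefixed with Asterisk's default "[Mon DD HH:MM:SS]" stamp.
# Addresses are from the RFC 5737 documentation ranges; they are made up.
SAMPLE_LOG = """\
[Mar  1 13:20:01] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@192.0.2.10:5060>' failed for '198.51.100.7:53417' - Wrong password
[Mar  1 13:20:03] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@192.0.2.10:5060>' failed for '198.51.100.7:53911' - Wrong password
[Mar  1 13:20:04] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@192.0.2.10:5060>' failed for '198.51.100.7:54002' - Wrong password
[Mar  1 13:32:00] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@192.0.2.10:5060>' failed for '203.0.113.9:5060' - No matching peer found
"""

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only, for brevity).
# Neither this stand-in nor the real tag consumes a ":port" suffix.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Pattern 1: the 'Wrong password' line from the second failregex block in the post.
WRONG_PASSWORD_NO_PORT = r"Registration from '.*' failed for '<HOST>' - Wrong password"

# Pattern 2: the shape used by the first block: an optional ":port" after <HOST>.
WRONG_PASSWORD_WITH_PORT = (
    r"Registration from '[^']*' failed for '<HOST>(:\d+)?' - "
    r"(Wrong password|No matching peer found)"
)

# Timestamp prefix written by Asterisk's logger into the messages file.
LINE_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] (?P<msg>.*)$")


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand the <HOST> tag before compiling, as fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_line(line: str):
    """Return (timestamp, message) for one log line, or None if it has no stamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2017)
    return ts, m.group("msg")


def find_failures(log: str, pattern: str):
    """Yield (timestamp, host) for every stamped line the failregex matches."""
    rx = compile_failregex(pattern)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # no timestamp: cannot be placed in the findtime window
        ts, msg = parsed
        m = rx.search(msg)
        if m:
            yield ts, m.group("host")


def count_matches(log: str, pattern: str) -> int:
    return sum(1 for _ in find_failures(log, pattern))


def simulate_jail(log: str, pattern: str, maxretry: int, findtime: int) -> dict:
    """Re-implement the jail's counting rule: a host is banned once it has
    produced `maxretry` matching lines within any `findtime`-second window.
    Returns {host: timestamp at which the ban would fire}."""
    window = defaultdict(deque)
    banned = {}
    for ts, host in find_failures(log, pattern):
        if host in banned:
            continue
        q = window[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()  # drop failures older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, pat in [("no port", WRONG_PASSWORD_NO_PORT), ("with (:\\d+)?", WRONG_PASSWORD_WITH_PORT)]:
        print(f"{name:14s} matches: {count_matches(SAMPLE_LOG, pat)}")
    print("banned:", simulate_jail(SAMPLE_LOG, WRONG_PASSWORD_WITH_PORT, maxretry=3, findtime=300))
```

Run it with no arguments: the port-less pattern matches none of the sample lines, the `(:\d+)?` pattern matches all four, and only the host with three failures inside 300 seconds would be banned. Against the real log the equivalent check is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports per-regex match counts. Two things on the posted jail that no regex test will show: fail2ban's option is `enabled`, not `enable`, and the two continuation lines under the commented-out `#action` are not themselves commented.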
