[asterisk-users] fail2ban Asterisk 13.13.1

Bryant Zimmerman BryantZ at zktech.com
Thu Mar 2 06:52:34 CST 2017


John V
  
 Are you using pjsip? We have several test servers and I just checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated for pjsip implementations. Looking at the security log files and the regex I noticed that some items are being banned but others are not due to changes in the messages for pjsip.
 Anyone got an updated asterisk.conf for fail2ban?
  
 Bryant
  

----------------------------------------
 From: "Telium Technical Support" <support at telium.ca>
Sent: Wednesday, March 1, 2017 9:54 PM
To: "Asterisk Users Mailing List - Non-Commercial Discussion" <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1   

If this is a small site, I recommend you download the free version of SecAst (www.telium.ca) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match etc. Instead, it talks to Asterisk through the AMI to extract security information. Messing with regexes is a losing battle, and the lag in reading logs can allow an attacker 100+ registration attempts before fail2ban even does anything (assuming the IP is exposed in the Asterisk log).


If this is a large install then post in the commercial list for more information.  


-Raj-  


From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tech Support
Sent: Wednesday, March 1, 2017 2:37 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1 


    It's possible that you need to increase the value of 'findtime' to something greater than 300 secs. You also may want to set "timestamp = yes" in asterisk.conf so each line in the CLI will be time stamped. Time stamping it will be the definitive determination on whether or not the 'findtime' is the culprit.  

Regards;  

John V.    


From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Motty Cruz
Sent: Wednesday, March 01, 2017 01:29 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] fail2ban Asterisk 13.13.1 


Hello, fail2ban does not ban the offending IP.

NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong password
NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53911' - Wrong password


# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 300

[asterisk-iptables]
enable = true
port     = 5060,5061
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=motty at email.com, sender=fail2ban at asterisk-ip.com]
# (the continuation lines of the commented-out action must be commented out too,
#  otherwise they are parsed as a continuation of the live "action =" above)
#action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
#           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
#           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 3
findtime  = 300
bantime  = -1


in filter.d
asterisk.conf

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password

ignoreregex =


Thanks  

Motty 
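As a check on the two filter styles quoted in this thread, the following is an added example (written for this page; it is not code from the thread, from Asterisk or from the fail2ban project). It runs the posted old-style "Wrong password" rule, whose '<HOST>' must be followed directly by the closing quote, and a port-tolerant pair of rules in the style of the newer stock filter (one for chan_sip registrations, one for the res_pjsip "Request ... failed for" line that Bryant's pjsip servers produce) over constructed log lines, then emulates the jail's maxretry/findtime counting so the effect of John V.'s findtime suggestion is visible too. The <HOST> expansion, the timestamped log prefix, the sample lines and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example, not taken from the page.

```python
import re
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a named capture group for the IP or host
# name. This is an approximation of that expansion (assumption: written
# from memory of fail2ban 0.9, not copied from the project).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Prefix of an Asterisk log line with "timestamp = yes" (assumed sample
# format: "[2017-03-01 13:25:01] NOTICE[29784] chan_sip.c: ...").
PREFIX = (r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] "
          r"(?:NOTICE|WARNING|SECURITY)\[\d+\](?:\[C-[\da-f]+\])? [^:]+: ")

# Old-style rule from the posted filter: the quote must follow the host
# directly, so a "'host:port'" string can never match.
OLD_RULES = [
    r"Registration from '.*' failed for '<HOST>' - Wrong password",
]

# Port-tolerant rules: chan_sip registration failure with optional ":port",
# and the res_pjsip "Request ... failed for" line (Asterisk 13 pjsip).
NEW_RULES = [
    r"Registration from '[^']*' failed for '<HOST>(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)$",
    r"Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - "
    r"(?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$",
]

# Constructed sample log (not from the thread); RFC 5737 addresses.
LOG_LINES = """\
[2017-03-01 13:25:01] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@10.0.0.5:5060>' failed for '203.0.113.7:53417' - Wrong password
[2017-03-01 13:25:40] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@10.0.0.5:5060>' failed for '203.0.113.7:53911' - Wrong password
[2017-03-01 13:26:10] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@10.0.0.5:5060>' failed for '203.0.113.7:54002' - Wrong password
[2017-03-01 13:27:00] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@10.0.0.5>' failed for '198.51.100.9:5060' (callid: 7d1f2a3b) - No matching endpoint found
[2017-03-01 13:29:30] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@10.0.0.5>' failed for '198.51.100.9:5060' (callid: 9c4e6f01) - No matching endpoint found
[2017-03-01 13:33:00] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@10.0.0.5>' failed for '198.51.100.9:5060' (callid: b2a0d5e7) - No matching endpoint found
""".splitlines()


def compile_rules(rules):
    """Anchor each rule behind the log prefix and expand <HOST>."""
    return [re.compile(PREFIX + rule.replace("<HOST>", HOST)) for rule in rules]


def failures(lines, rules):
    """Return (timestamp, host) for every line some rule matches,
    which is the same information fail2ban-regex reports as 'matched'."""
    compiled = compile_rules(rules)
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                hits.append((ts, m.group("host")))
                break
    return hits


def banned_hosts(lines, rules, maxretry=3, findtime=300):
    """Emulate the jail's counting: a host is banned once maxretry
    failures fall inside a sliding findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = set()
    for ts, host in sorted(failures(lines, rules)):
        kept = [t for t in recent.get(host, []) if ts - t < window]
        kept.append(ts)
        recent[host] = kept
        if len(kept) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("old rule, matches:", len(failures(LOG_LINES, OLD_RULES)))
    print("old rule, banned:", banned_hosts(LOG_LINES, OLD_RULES))
    print("new rules, findtime=300:", banned_hosts(LOG_LINES, NEW_RULES))
    print("new rules, findtime=600:", banned_hosts(LOG_LINES, NEW_RULES, findtime=600))
```

With the old rule nothing matches at all, because every chan_sip line carries a source port after the address; with the port-tolerant rules 203.0.113.7 is banned after its third failure inside 69 seconds, while 198.51.100.9, whose three pjsip failures span 360 seconds, is only banned once findtime is raised above that span. On a real box the equivalent check is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which prints which lines each failregex matched. Two things worth verifying alongside the regexes: a filter section with two `failregex =` assignments does not merge them (only one set is in effect), and the jail option fail2ban reads is `enabled`, not `enable`.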

