Configuring Fail2Ban with Asterisk

Fail2Ban can compliment your Asterisk security by automatically blocking failed authentication attempts against your asterisk server. However a little configuration is needed to let Fail2Ban be aware of the structure of the asterisk log files so it can “read” the log files and block the failed attempts.

First we need to install fail2ban and jwhois from the rpmforge repository

yum install -y fail2ban jwhois

We then need to create the file /etc/fail2ban/asterisk.conf. This is telling fail2ban how to read the log files for failed authentication attempts.

# Fail2Ban configuration.
#
 
 
[INCLUDES]
 
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
 
[Definition]
 
#_daemon = asterisk
 
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
 
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

We now need to add some information to /etc/fail2ban/jail.conf that tells fail2ban where the log files are and what to do when it sees failed authentication attempts.
This includes sending an email to alert you of the action.

[asterisk-iptables]
 
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=alerts@domain.com, sender=fail2ban@domain.com]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 432000

Also in the jail.conf you would want to configure the ignoreip or whitelist to tell fail2ban to ignore certain ip addresses or subnets.

ignoreip = 172.16.0.0/12

This is almost working now but we need to tell asterisk to log the date in a specific format which is compatible with fail2ban.

Modify /etc/asterisk/logger.conf and add the following

[general]
dateformat=%F %T

The asterisk logger needs restarted after this change

 asterisk -rx "logger reload"

Now we can start up fail2ban (or restart if it is already running) and set it to start as a service at boot.

service fail2ban start
chkconfig fail2ban on

Naturally we now need to test this and ensure it works as expected. When you start the fail2ban service you should get an email notifying you that the jail has started. This is naturally a good sign. Now from a phone / softphone simply try and register the phone with invalid extension or password (ensuring it address is outwith the specified ignoreip) and repeat this 5 times. It should be banned automatically and you should receive an email notifying you of this ban. When trying to authenticate the first few time you will see a 403 forbidden message. When fail2ban has banned this IP you should notice on the phone / softphone that instead of a 403 error message it should simply state no service. This is a good sign since it appears that the phone / softphone cannot connect at all to the server – the reason is because it has been blocked by fail2ban.

You can see a list of the banned ips / addresses by running the command

iptables -L -n

Now reboot the server and ensure the fail2ban service starts at startup.