www.gavinwill.me.uk

Photography, IT, Bikes and more.

  • Pages

    • About
    • Blog
    • Contact
    • Home
  • Archives

    • January 2013
    • September 2012
    • August 2012
    • July 2012
    • June 2012
    • May 2012
    • April 2012
    • March 2012
    • February 2012
    • January 2012
    • December 2011
    • November 2011
  • Search:

Posts

  • View Archive

Configuring Fail2Ban with Asterisk

Fail2Ban can complement your Asterisk security by automatically blocking failed authentication attempts against your Asterisk server. However, a little configuration is needed to make Fail2Ban aware of the structure of the Asterisk log files so it can “read” them and block the failed attempts.

First we need to install fail2ban and jwhois from the rpmforge repository:

yum install -y fail2ban jwhois

We then need to create the file /etc/fail2ban/asterisk.conf. This tells fail2ban how to read the log files for failed authentication attempts.

# Fail2Ban configuration.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


We now need to add a jail to /etc/fail2ban/jail.conf that tells fail2ban where the Asterisk log file is and what to do when it sees failed authentication attempts. The action below also sends an email to alert you of each ban.

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=alerts@domain.com, sender=fail2ban@domain.com]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime  = 432000


Also in jail.conf you will want to configure ignoreip (the whitelist) to tell fail2ban to ignore certain IP addresses or subnets, so that your own phones can never be locked out:

ignoreip = 172.16.0.0/12

This is almost working now, but we still need to tell Asterisk to log the date in a format that fail2ban can parse.

Modify /etc/asterisk/logger.conf and add the following:

[general]
dateformat=%F %T


The Asterisk logger needs to be reloaded after this change:

asterisk -rx "logger reload"


Now we can start fail2ban (or restart it if it is already running) and set it to start as a service at boot:

service fail2ban start
chkconfig fail2ban on


Naturally we now need to test this and ensure it works as expected. When you start the fail2ban service you should get an email notifying you that the jail has started, which is a good sign. Now, from a phone / softphone, simply try to register with an invalid extension or password (ensuring its address is outside the specified ignoreip range) and repeat this 5 times. The address should be banned automatically and you should receive an email notifying you of the ban. During the first few attempts you will see a 403 Forbidden message. Once fail2ban has banned the IP, the phone / softphone should report no service instead of a 403 error. This is a good sign, since the phone / softphone can no longer connect to the server at all: its traffic is being dropped by the iptables rule fail2ban inserted.

You can see a list of the banned IP addresses by running the command:

iptables -L -n


Now reboot the server and ensure the fail2ban service starts at startup.

January 28, 2012
Linux, VOIP

Discussion (1 Comment)

  1. Ben Curtis says:
    February 7, 2012 at 10:17 am

    Security is a major issue nowadays, especially for VoIP service providers. As the internet has become a basic need, most of the attackers are always lurking in the bandwidth streets to prey upon any unprotected system. I just installed a fresh Asterisk server and yesterday on the Asterisk CLI I saw a never-ending stream of registration attempts. Currently there are only iptables in place, but after reading your article I am going to try fail2ban this coming weekend.


Copyright © 2021 www.gavinwill.me.uk.
