How to install and setup fail2ban for Asterisk to prevent brute force attacks:
Ubuntu:
1. Install fail2ban with the command below:
   apt-get install fail2ban
2. Optionally, install sendmail to send email notifications for blocked IPs:
   apt-get install sendmail-bin sendmail (Optional)
3. Now set up the logger.conf file:
   - mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.orig
   - open it: nano /etc/asterisk/logger.conf
   - if it is FreePBX, open instead: nano /etc/asterisk/logger_logfiles_custom.conf
   - add the [general] and [logfiles] sections below to it and save:

   [general]
   dateformat=%F %T ; ISO 8601 date format

   [logfiles]
   console => notice,warning,error
   messages => security,notice,warning,error

   - from the Asterisk CLI run this command for the changes to take effect:

   ankit-desktop*CLI> logger reload
   == Parsing '/etc/asterisk/logger.conf': Found
   Asterisk Queue Logger restarted
4. Now open the file: nano /etc/fail2ban/jail.conf
   For the Asterisk fail2ban configuration add the content below and save; replace the dest, sender and ignoreip parameters with your own. If it is FreePBX you can set logpath to /var/log/asterisk/full.

   [asterisk-tcp]
   enabled  = true
   filter   = asterisk
   action   = iptables-multiport[name=asterisk-tcp, port="5060", protocol=tcp]
              sendmail[name=Asterisk, dest=abc@xyz.com, sender=info@xyz.com]
   logpath  = /var/log/asterisk/messages
   maxretry = 3
   findtime = 12000
   bantime  = 259200
   ignoreip = 192.168.0.46

   [asterisk-udp]
   enabled  = true
   filter   = asterisk
   action   = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
              sendmail[name=Asterisk, dest=abc@xyz.com, sender=info@xyz.com]
   logpath  = /var/log/asterisk/messages
   maxretry = 3
   findtime = 12000
   bantime  = 259200
   ignoreip = 192.168.0.46
5. Add the content below to nano /etc/fail2ban/filter.d/asterisk.conf and save:

   # Fail2Ban configuration file
   #
   #
   # $Revision: 251 $
   #

   [INCLUDES]

   # Read common prefixes. If any customizations available -- read them from
   # common.local
   before = common.conf

   [Definition]

   #_daemon = asterisk

   # Option:  failregex
   # Notes.:  regex to match the password failures messages in the logfile. The
   #          host must be matched by a group named "host". The tag "<HOST>" can
   #          be used for standard IP/hostname matching and is only an alias for
   #          (?:::f{4,6}:)?(?P<host>\S+)
   # Values:  TEXT
   #
   # Asterisk 1.8 uses Host:Port format which is reflected here
   failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
               NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
               NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
               NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
               NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
               NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
               NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
               NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
               NOTICE.* <HOST> failed to authenticate as '.*'$
               NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
               NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
               NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
               NOTICE.* .*: <HOST> failed to authenticate as '.*'
               NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
               VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer

   # Option:  ignoreregex
   # Notes.:  regex to ignore. If this regex matches, the line is ignored.
   # Values:  TEXT
   #
   ignoreregex =
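To check what the filter actually catches before relying on it, here is an added example (not from this post and not fail2ban's own code) that expands <HOST> into the group the comment above describes, runs four of the failregex lines over constructed log lines in the %F %T date format set in step 3 (the IPs and lines are made up), and tallies failures per host against the maxretry = 3 of the jail in step 4.

```python
import re
from collections import defaultdict

# <HOST> is only an alias for this group, as the filter comment states.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Four of the failregex lines from the filter above, <HOST> not yet expanded.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'",
]

def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def match_host(compiled, line):
    """Return the host captured from a log line, or None if no regex matches."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

# Constructed sample lines (hypothetical IPs) in the dateformat=%F %T layout
# that the logger.conf from step 3 produces.
SAMPLE_LOG = """\
2014-03-02 10:15:01 NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
2014-03-02 10:15:03 NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
2014-03-02 10:15:05 NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '203.0.113.9:5060' - No matching peer found
2014-03-02 10:16:00 NOTICE[1234] chan_sip.c: Host 198.51.100.7 failed MD5 authentication for '200' (abc != def)
2014-03-02 10:16:30 VERBOSE[1234] -- Registered SIP '100' at 192.168.0.46:5060
"""

def failures_per_host(log_text, patterns=FAILREGEX):
    """Count matching lines per host: the tally fail2ban compares with maxretry."""
    compiled = compile_filter(patterns)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        host = match_host(compiled, line)
        if host is not None:
            counts[host] += 1
    return dict(counts)

def hosts_to_ban(log_text, maxretry=3):
    """Hosts that reached maxretry (the findtime window is not modelled here)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)
```

On a live system fail2ban ships a tool for the same check: fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf reports which lines each failregex matched.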
6. Restart the fail2ban service:
   - service fail2ban restart

7. Some useful commands:
   - to block an IP address manually:
     iptables -A INPUT -s 190.53.232.25 -j DROP
   - to delete an iptables rule by line number:
     iptables -L --line-numbers
     iptables -D fail2ban-asterisk-tcp 1
     iptables -D fail2ban-asterisk-udp 1