sip attack.. fail2ban not stopping attack


My server is being attacked all day and fail2ban is not stopping the
attack. I updated the timestamp format to match fail2ban requirements.

[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002"

9 thoughts on - sip attack.. fail2ban not stopping attack

  • asterisk-users-bounces@lists.digium.com

    If all else fails, check your /var/log/fail2ban log file. Any error messages
    there?
    A typo in the file name of the log file to check; a jail that is set up but
    not turned on; double check your set up. Use iptables -L -n to check
    that fail2ban is properly setting up a chain to block IPs. Is the
    fail2ban service even running?

    murf

  • jail.conf
    [asterisk-iptables]

    enabled = true
    filter = asterisk
    action = iptables-allports[name=ASTERISK, protocol=all]
             sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
    logpath = /var/log/asterisk/messages
    maxretry = 5
    bantime = 259200

    filter asterisk.conf
    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf

    [Definition]

    #_daemon = asterisk

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching and is only an alias for
    #         (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #

    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
    ignoreregex =

    logger.conf
    [general]
    ;
    ; Customize the display of debug message time stamps
    ; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
    ;
    ; see strftime(3) Linux manual for format specifiers. Note that there is also
    ; a fractional second parameter which may be used in this field. Use %1q
    ; for tenths, %2q for hundredths, etc.
    ;
    dateformat=%F %T ; ISO 8601 date format
    ;dateformat=%F %T.%3q ; with milliseconds

    Dave

  • Simply to reduce the attack, and then improve the defense:

    If you don’t need traffic from some area that is attacking you, just put the
    whole area in IPTables. A list is available on VOIP-INFO.org.

    Cull out what you want to allow.

    Then tune Fail2Ban at your leisure.

    Cary Fitch

  • With Asterisk 1.8+ it should be:

    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
                NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
                NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
                NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
                NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

    since the format of the notice has changed (Asterisk now adds the port after HOST)

    Nick

  • [snip fail2ban config]

    Well, all looks fine. Your filter is correct. Your message log is also in the
    correct format. You can test this with:
    fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

    So is fail2ban actually running (like someone already suggested)?
    $ ps auxwww | grep fail

    Other things it could be:
    - a broken backend in jail.conf (try polling).
    - running as an unprivileged user (can't read asterisk/messages).
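The log-format point Nick raises and the fail2ban-regex check suggested in the last reply can be reproduced offline. The Python below is an added example written for this page, not code from fail2ban or from anyone in the thread. It expands <HOST> by hand with two aliases, the \S+ form quoted in the filter header posted above and the [\w\-.^_]+ form that fail2ban 0.8.4 and later use, then runs one failregex line from each posted filter over two constructed log lines: one in the host-only format seen in the original post and one with the :port suffix Nick describes. The <sip:...> contact and the port 5060 are made-up values; the IP is the one from the original post.

```python
import ipaddress
import re

# fail2ban replaces the <HOST> tag before compiling a failregex. Two expansions
# matter here: the \S+ form quoted in the filter header posted in this thread
# (older fail2ban) and the [\w\-.^_]+ form used by fail2ban 0.8.4 and later.
HOST_ALIAS_OLD = r"(?:::f{4,6}:)?(?P<host>\S+)"
HOST_ALIAS_084 = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# One failregex line from Dave's filter (pre-1.8 log format, host only) ...
OLD_PATTERN = (r"NOTICE.* .*: Registration from '.*' failed for '<HOST>'"
               r" - No matching peer found")
# ... and the corresponding line from Nick's 1.8+ version (optional :port).
NEW_PATTERN = (r"NOTICE.* .*: Registration from '.*' failed for "
               r"'<HOST>(:[0-9]{1,5})?' - No matching peer found")

# Constructed sample lines. The first mirrors the original post's log (host
# only); the second adds the :port suffix Nick describes for Asterisk 1.8+.
# The <sip:...> contact and the port are made-up values.
PREFIX = ("[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 "
          "handle_request_register: Registration from '\"7002\"<sip:7002@192.0.2.10>' ")
LINE_16 = PREFIX + "failed for '38.108.40.94' - No matching peer found"
LINE_18 = PREFIX + "failed for '38.108.40.94:5060' - No matching peer found"


def compile_failregex(pattern, host_alias):
    """Expand <HOST> the way fail2ban does, then compile the regex."""
    return re.compile(pattern.replace("<HOST>", host_alias))


def extract_host(pattern, host_alias, line):
    """Return the text captured by the 'host' group, or None if no match."""
    m = compile_failregex(pattern, host_alias).search(line)
    return m.group("host") if m else None


def bannable_ip(host):
    """iptables needs a literal address. A capture such as '1.2.3.4:5060' is not
    one: fail2ban 0.8 would try to resolve it as a hostname, fail, and never ban."""
    if host is None:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def check_line(pattern, host_alias, line):
    """(captured host, IP that would actually be banned) for one log line."""
    host = extract_host(pattern, host_alias, line)
    return host, bannable_ip(host)


def ips_to_ban(pattern, host_alias, lines, maxretry=5):
    """Mimic the jail decision: count bannable hits per IP and return the IPs
    that reached maxretry (the jail posted above uses maxretry = 5)."""
    counts = {}
    for line in lines:
        _, ip = check_line(pattern, host_alias, line)
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, alias in (("\\S+ alias", HOST_ALIAS_OLD), ("0.8.4 alias", HOST_ALIAS_084)):
        for label, pattern in (("old regex", OLD_PATTERN), ("1.8 regex", NEW_PATTERN)):
            for fmt, line in (("1.6 line", LINE_16), ("1.8 line", LINE_18)):
                print(f"{name:12} {label:9} {fmt}: {check_line(pattern, alias, line)}")
    # Six repeats of a 1.8-format line against the old regex: nobody gets banned.
    print("banned:", ips_to_ban(OLD_PATTERN, HOST_ALIAS_084, [LINE_18] * 6))
```

The two failure modes differ but end the same way. With the 0.8.4 alias, the pre-1.8 regex simply stops matching once Asterisk appends the port, so the jail never counts a failure. With the older \S+ alias, both regexes still match the 1.8-format line but capture 38.108.40.94:5060 as the host, which is not an address iptables can block. In neither case does the attacker get banned, which is the symptom in the original post; running fail2ban-regex against the real log, as suggested above, exposes the same thing in one command.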