asterisk and fail2ban


On Mon, Mar 28, 2011 at 9:20 AM, vip killa wrote:
> Is anyone using asterisk with fail2ban? I have it working except it takes
> way more break-in attempts than what is set in “maxretry” in jail.conf
> For example, I get an email saying:
> “The IP 199.204.45.19 has just been banned by Fail2Ban after 181 attempts
> against ASTERISK.”
> when “maxretry = 5” in jail.conf
> Perhaps someone else is experiencing this or has resolved it, thank you in
> advance for your time.

If you fixed the logging issue discussed here
http://www.fail2ban.org/wiki/index.php/Asterisk then I would assume
your logging has problems.

23 thoughts on - asterisk and fail2ban

  • How often does fail2ban check the logs? It can only block that often, so if more attempts happen in that time period it can’t do anything until it knows.

    S

  • On Tue, 29 Mar 2011 07:31:18 -0500 (CDT), Joe Greco wrote:

    Thanks much for the tip. I’ll study how to install/configure iptables
    and sshguard.

  • On 29/03/2011 19:34, Sherwood McGowan wrote:

    Well, I can tell you that our servers in Europe these days are mainly
    attacked by US IP ranges (remember last year’s problem with the Amazon
    cloud). They have now disappeared here in Europe, but lots of other US
    networks quickly replace them 🙁

  • Obviously, the other side of the world wants connections to your side, no
    matter what side you are on.
    🙂

    Cary

  • It’s not A or B, think A AND B.

    Security should be in layers — my pocket GPS is in my locked glove box,
    in my locked car, in my locked garage, in my gated community.

    If there is never a need to accept callers from North Korea, how will you
    explain to your boss that some NK script weenie discovered some weakness
    in A or B and racked up a bazillion minutes to Libya?

    What if you misconfigure A or B?

    What if A or B has a ‘window of opportunity’ during system restart?

  • Just to respond to the IP range approach. My ISP recently changed my
    external IP and now it appears that I am in New York (when I am actually
    static in Manchester, England). I’ve also been in Birmingham,
    Motherwell and Nottingham [UK] as well! So, although banning certain
    ranges may be a good idea for you – it’s not a good idea for everyone
    (we have ‘road warriors’ that do, indeed, travel to the Far East and
    Middle East).

    I suppose the only ‘real’ way to invoke security (on any system) is to
    have very strong passwords – maybe 1234 is not the way to go :p

  • I don’t use fail2ban. Never have, never will because I simply don’t need
    it.

    Standard iptables are good enough if you can be bothered to use them to
    their full abilities. No need for anything else as iptables can do
    connection tracking and blocking against time – just like fail2ban does.
    More than X connections a second/minute/hour from a given IP address? Yes,
    iptables can detect and block that. Works for all protocols too – SIP,
    IAX, POP, SSH, etc.

    Gordon

  • On Wed, 30 Mar 2011 16:54:51 -0500, Darrick Hartman wrote:

    Thanks Darrick. I’ll add it to the list of options to check out.

  • It’s easy for me because I read and understand how things work, and deal
    with Linux firewalling on a daily basis. Fail2ban is an (almost) drop-in
    solution which requires minimal thinking – just a few lines in a config
    file to edit. (and python which I don’t have installed on my systems)

    Gordon

  • Back to the original question, for those of you using Fail2Ban,
    Does it take an unusually high amount of break-in attempts before attackers
    are banned?
    I have it set to 5 attempts in fail2ban but usually, the attacker is able to
    make over 100 attempts before fail2ban bans them.
    I’ve tried this using asterisk’s /var/log/asterisk/messages and
    /var/log/messages with same results.
    Perhaps someone else is experiencing this or has resolved it, thank you.

    On Thu, Mar 31, 2011 at 4:05 AM, Gordon Henderson <gordon+asterisk@drogon.net> wrote:

  • Hmmm, ok then. Mine bans pretty quick, but I wouldn’t call it instant. Within a minute or so in my tests, which is plenty quick enough for my situation.

    Sent: Thu 3/31/2011 8:59 AM

    I’m afraid you are incorrect, fail2ban reads the log once every second.

    Your delay is due to the amount of time the F2B script takes to read the log file, and due to how often it is called. I do not believe it is a realtime event. Say, every minute it’s called to read the log and act. I’m not sure of the exact numbers, but you get the idea….

  • Check your log files. With the current generation of SIP attack scripts,
    I’ve seen hundreds of attacks come in within one second, especially if
    you’ve got decent bandwidth. I’ve seen fail2ban logs that state between
    60-250 failed attempts for asterisk. I think it’s just the nature of the
    speed of the attacks.
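
The behaviour the last few comments describe (hundreds of attempts arriving within a second, a jail that reads the log about once a second, a ban action that takes a moment to land) can be modelled directly. The following is an added example written for this page; it is not fail2ban’s own code and was not posted by anyone in the thread. It assumes Asterisk log lines of the form `YYYY-MM-DD HH:MM:SS NOTICE[pid] chan_sip.c: Registration from '...' failed for 'IP' - Wrong password`, i.e. `/var/log/asterisk/messages` with `dateformat=%F %T` in logger.conf (the logging fix the first reply points to); the regex is written in the style of fail2ban’s asterisk filter but adapted here, and the addresses, peer names and timestamps are constructed from the documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Pattern in the style of fail2ban's filter.d/asterisk.conf for the chan_sip
# "Registration from ... failed" NOTICE. Assumption: adapted for this example,
# not copied from the fail2ban distribution. The leading timestamp is what
# Asterisk writes when logger.conf has dateformat=%F %T.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)"
)
LOG_FMT = "%Y-%m-%d %H:%M:%S"


def host_of(line):
    """Return the offending IP if the line is a failed registration, else None."""
    m = FAIL_RE.match(line)
    return m.group("host") if m else None


def make_burst(host, start, per_second, seconds, peer="1001"):
    """Constructed attacker traffic: `per_second` failed REGISTERs a second for
    `seconds` seconds, as (arrival_time_in_seconds, log_line) pairs. Lines within
    one second share a timestamp because Asterisk logs at second resolution;
    the float arrival time is the model's own clock."""
    events = []
    for s in range(seconds):
        stamp = (start + timedelta(seconds=s)).strftime(LOG_FMT)
        for i in range(per_second):
            line = (f"{stamp} NOTICE[2451] chan_sip.c: Registration from "
                    f"'\"{peer}\" <sip:{peer}@192.0.2.10>' failed for '{host}' - Wrong password")
            events.append((s + (i + 0.5) / per_second, line))
    return events


def run_jail(events, maxretry=5, findtime=600.0, poll=1.0, action_delay=0.5):
    """Replay log events through a fail2ban-style jail.

    The jail wakes every `poll` seconds, reads every line written since the last
    wake-up, tallies failures per host inside the `findtime` window, and after
    the batch bans each host at or above `maxretry`. The ban becomes effective
    `action_delay` seconds later (the time the ban action, e.g. an iptables call
    or a script pushing an ACL to a router, takes to land). Already-banned hosts
    are ignored, as fail2ban does.
    Returns {host: {"counted": failures the jail had seen when it decided,
                    "reached_asterisk": attempts that arrived before the ban
                                        was effective,
                    "banned_at": model time the ban took effect}}.
    """
    events = sorted(events, key=lambda e: e[0])
    failures, banned_at, counted = {}, {}, {}
    idx, wake = 0, poll
    while idx < len(events):
        seen = set()
        while idx < len(events) and events[idx][0] <= wake:
            t, line = events[idx]
            idx += 1
            host = host_of(line)
            if host is None or host in banned_at:
                continue
            window = [x for x in failures.get(host, ()) if t - x <= findtime]
            failures[host] = window + [t]
            seen.add(host)
        for host in seen:
            if len(failures[host]) >= maxretry:
                counted[host] = len(failures[host])
                banned_at[host] = wake + action_delay
        wake += poll
    report = {}
    for host, eff in banned_at.items():
        reached = sum(1 for t, line in events if t < eff and host_of(line) == host)
        report[host] = {"counted": counted[host], "reached_asterisk": reached,
                        "banned_at": eff}
    return report


def demo(host, per_second, seconds, **jail):
    """Run one constructed burst from a fixed (constructed) start time through the jail."""
    start = datetime(2011, 3, 28, 9, 20)
    return run_jail(make_burst(host, start, per_second, seconds), **jail).get(host)


if __name__ == "__main__":
    print(demo("203.0.113.5", per_second=181, seconds=3))   # counted far above maxretry
    print(demo("198.51.100.7", per_second=1, seconds=10))   # counted == maxretry
```

With maxretry=5 and a 181-per-second burst, the jail’s first wake-up already holds 181 failures, so the notification reads "after 181 attempts", and the 90 more that arrive while the firewall rule is being installed reach Asterisk as well; a one-per-second attacker is banned at exactly five. Shortening the poll interval only shrinks the overshoot (at 0.1 s it is still 18 failures in the first batch). That is the explanation the commenters give: the count in the e-mail reflects how fast the attack is and how often the log is read, not the maxretry setting.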

  • I have F2B set to ban after 1 attempt. The most I have seen in the
    logs is 4-5 attempts before ban is applied. I am calling scripts that
    apply the ban to a cisco access-list, so there is script/telnet/config
    delay but it is very minimal and works very well.

    JR

  • Gordon Henderson wrote:

    And in case you missed Gordon’s post (quite awhile ago) on this topic
    this is what I use on CentOS 5 systems based on that:

    #+# 20100917raa - Testing to prevent Asterisk registration attacks
    -N AST_WHITELIST
    -A AST_WHITELIST -s 10.10.3.21 -m recent --remove --name ASTERISK -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 10000:20000 -m state --state NEW -m recent --set --name ASTERISK
    -A RH-Firewall-1-INPUT -p udp --dport 10000:20000 -m state --state NEW -j AST_WHITELIST
    -A RH-Firewall-1-INPUT -p udp --dport 10000:20000 -m state --state NEW

    You can have multiple lines whitelisting IPs or ranges and set the