Fail2ban Asterisk 13.13.1


Hello, fail2ban does not ban offending IP.

NOTICE[29784] chan_sip.c: Registration from '"user3"' failed for 'offending-IP:53417' - Wrong password

NOTICE[29784] chan_sip.c: Registration from '"user3"' failed for 'offending-IP:53911' - Wrong password

systemctl status fail2ban

● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-03-01 00:40:43 PST; 470min ago
Docs: man:fail2ban(1)

jail.local

[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = -1

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

[asterisk-iptables]
enable = true
port = 5060,5061
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail[name=ASTERISK, dest=motty@email.com, sender
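As an added check (not part of the original post and not fail2ban's own code), the following Python reads the posted jail.local with the same configparser machinery fail2ban's config reader is built on and reports which jails would actually start. fail2ban only starts a jail whose section sets the option named `enabled` (default: false); the posted jail spells it `enable`, an option fail2ban does not read. The `sender=` address, the indentation of the second action line and the list of known jail options are assumptions filled in so the fragment parses and can be linted.

```python
"""Lint a fail2ban jail.local the way fail2ban itself reads it.

Added example, not part of the thread.  configparser is the module
fail2ban's config reader is built on, so its view of the file is a
fair approximation of what fail2ban sees.
"""
import configparser

# Constructed from the jail.local quoted in the thread.  The truncated
# sender address is a placeholder and the continuation line of
# ``action`` is indented, which configparser requires (assumption).
POSTED_JAIL = """
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = -1
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

[asterisk-iptables]
enable = true
port = 5060,5061
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail[name=ASTERISK, dest=motty@email.com, sender=fail2ban@example.com]
"""

# The same jail with the option name fail2ban actually looks for.
FIXED_JAIL = POSTED_JAIL.replace("enable = true", "enabled = true")

# Subset of options a jail section may set (assumption: enough for this check).
KNOWN_JAIL_OPTIONS = {
    "enabled", "filter", "action", "port", "protocol", "logpath", "backend",
    "bantime", "findtime", "maxretry", "ignoreip", "banaction", "usedns",
}


def load_jails(text: str) -> configparser.ConfigParser:
    """Parse jail.local text; interpolation is off so '%' in actions is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def active_jails(text: str) -> list[str]:
    """Jails fail2ban would start: those with ``enabled`` true (default false)."""
    cp = load_jails(text)
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def unknown_options(text: str) -> dict[str, list[str]]:
    """Per jail, options set in the section that fail2ban does not know.

    A misspelled ``enabled`` (as in the posted config) shows up here.
    """
    cp = load_jails(text)
    defaults = set(cp.defaults().keys())
    report = {}
    for section in cp.sections():
        own = set(cp[section].keys()) - defaults
        bad = sorted(own - KNOWN_JAIL_OPTIONS)
        if bad:
            report[section] = bad
    return report


def ban_policy(text: str, jail: str) -> dict[str, int]:
    """Effective window and threshold for a jail (section value or DEFAULT)."""
    cp = load_jails(text)
    return {k: cp.getint(jail, k) for k in ("bantime", "findtime", "maxretry")}


if __name__ == "__main__":
    print("posted config starts:", active_jails(POSTED_JAIL))
    print("posted config unknown options:", unknown_options(POSTED_JAIL))
    print("fixed config starts:", active_jails(FIXED_JAIL))
    print("policy:", ban_policy(FIXED_JAIL, "asterisk-iptables"))
```

With the posted text no jail is active and `enable` is reported as unknown; renaming the key to `enabled` is enough to make the jail start. Whether the regex then matches the log lines is a separate question that `fail2ban-regex` answers on a real installation.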

7 thoughts on - Fail2ban Asterisk 13.13.1

  • It’s possible that you need to increase the value of ‘findtime’ to something greater than 300 secs. You also may want to set “timestamp = yes”
    in asterisk.conf so each line in the CLI will be time stamped. Time stamping it will be the definitive determination on whether or not the ‘findtime’ is the culprit.

    Regards;

    John V.

    From: asterisk-users-bounces@lists.digium.com On Behalf Of Motty Cruz
    Sent: Wednesday, March 01, 2017 01:29 PM
    To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
    Subject: [asterisk-users] fail2ban Asterisk 13.13.1


  • If this is a small site, I recommend you download the free version of SecAst
    (www.telium.ca <http://www.telium.ca>) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match etc. Instead it talks to Asterisk through the AMI to extract security information. Messing with regexes is a losing battle, and the lag in reading logs can allow an attacker 100+
    registration attempts before fail2ban even does anything (assuming the IP is exposed in the Asterisk log).

    If this is a large install then post in the commercial list for more information.

    -Raj-

    From: asterisk-users-bounces@lists.digium.com On Behalf Of Tech Support
    Sent: Wednesday, March 1, 2017 2:37 PM
    To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
    Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1


  • I would recommend exactly the opposite. If you install proprietary, binary-
    only software on your system, you have no way to verify its integrity. This is no throwaway portable device, it is the heart of your business’s telephone system. Do not go compromising its security by installing software that can’t be independently verified.

    Ask yourself two questions: (1) Would you eat a cake that did not have the ingredients listed on the box? And (2) why would the manufacturer *not*
    tell you what ingredients they were using — unless they suspected that if you knew for sure what was actually in the cake, you might not be so inclined to eat it after all?

  • John V

    Are you using pjsip? We have several test servers and I just checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated for pjsip implementations. Looking at the security log files and the regex I noticed that some items are being banned but others are not due to changes in the messages for pjsip.
    Anyone got an updated asterisk.conf for fail2ban?

    Bryant


  • 2017-03-02 16:38 GMT+01:00 Patrick Laimbock:

    I confirm that we have improved asterisk pjsip support in fail2ban, however, I think we might still have some corner cases not covered by our patches.

    For now, we finally enable security logs for two main reasons: it works for everything out of the box, and it generates fewer logs than pjsip or chan_sip, so
    fail2ban consumes less CPU time to parse logs.
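Bryant's point about pjsip message formats and the last reply's point about security logs both come down to whether the filter regex matches the line the channel driver actually writes, and John V.'s point about findtime comes down to whether the matches land inside the window. The following added example (my code, not fail2ban's shipped filter.d/asterisk.conf and not anything posted in the thread) replays constructed log lines through a minimal findtime/maxretry sliding window. The chan_sip line follows the one in the original post; the pjsip and security-event lines are constructed approximations of Asterisk's formats and the regexes are hand-written, both assumptions; the addresses are RFC 5737 documentation addresses standing in for "offending-IP".

```python
"""Replay Asterisk failure lines through a findtime/maxretry window.

Added example, not fail2ban's code.  It demonstrates the two failure
modes discussed in the thread: a pattern that does not know the
driver's message format (no match at all), and matches that fall
outside ``findtime`` (match, but never ``maxretry`` of them together).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# IPv4 capture; fail2ban filters write <HOST> here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    # Format taken from the original post.
    "chan_sip": re.compile(
        r"chan_sip\.c: Registration from '.*?' failed for '" + HOST
        + r":\d+' - Wrong password"),
    # Constructed approximation of the res_pjsip NOTICE (assumption).
    "pjsip": re.compile(
        r"res_pjsip/pjsip_distributor\.c: Request 'REGISTER' from '.*?' failed for '"
        + HOST + r":\d+' \(callid: .*?\) - Failed to authenticate"),
    # Constructed approximation of a res_security_log event (assumption).
    "security": re.compile(
        r'SecurityEvent="(?:InvalidPassword|ChallengeResponseFailed|InvalidAccountID)".*?'
        r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS)/' + HOST + r'/\d+"'),
}
# Asterisk's default log prefix, e.g. "[Mar  1 00:41:02]".
TIMESTAMP = re.compile(r"^\[(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)\]")

# Constructed sample log: one burst, one slow drip, one pjsip/security mix.
LOG = """\
[Mar  1 00:41:02] NOTICE[29784] chan_sip.c: Registration from '"user3"' failed for '203.0.113.45:53417' - Wrong password
[Mar  1 00:41:09] NOTICE[29784] chan_sip.c: Registration from '"user3"' failed for '203.0.113.45:53911' - Wrong password
[Mar  1 00:41:15] NOTICE[29784] chan_sip.c: Registration from '"user3"' failed for '203.0.113.45:54001' - Wrong password
[Mar  1 01:10:00] NOTICE[29784] chan_sip.c: Registration from '"user9"' failed for '198.51.100.7:5060' - Wrong password
[Mar  1 01:20:00] NOTICE[29784] chan_sip.c: Registration from '"user9"' failed for '198.51.100.7:5060' - Wrong password
[Mar  1 01:30:00] NOTICE[29784] chan_sip.c: Registration from '"user9"' failed for '198.51.100.7:5060' - Wrong password
[Mar  1 02:00:00] NOTICE[29784] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"user3" <sip:user3@192.0.2.10>' failed for '192.0.2.77:5060' (callid: abc@192.0.2.77) - Failed to authenticate
[Mar  1 02:00:05] NOTICE[29784] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"user3" <sip:user3@192.0.2.10>' failed for '192.0.2.77:5060' (callid: abd@192.0.2.77) - Failed to authenticate
[Mar  1 02:00:09] SECURITY[29784] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-03-01T02:00:09.000-0800",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="user3",SessionID="abe@192.0.2.77",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060"
"""


def parse_line(line):
    """Return (timestamp, source, host) for a matching line, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    # Collapse the padded day so strptime accepts it; year is irrelevant here.
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    for source, pattern in PATTERNS.items():
        hit = pattern.search(line)
        if hit:
            return ts, source, hit.group("host")
    return None


def count_by_source(log):
    """How many lines each pattern claimed; a missing format shows up as zero."""
    counts = defaultdict(int)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def replay(log, findtime=300, maxretry=3):
    """Ban a host once maxretry matches fall within findtime seconds.

    Returns {host: timestamp string of the match that triggered the ban}.
    """
    window = defaultdict(deque)
    banned = {}
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _, host = parsed
        if host in banned:
            continue
        q = window[host]
        q.append(ts)
        # Forget failures older than findtime relative to the newest one.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts.strftime("%b %d %H:%M:%S")
    return banned


if __name__ == "__main__":
    print("matches per source:", count_by_source(LOG))
    print("bans, findtime=300:", replay(LOG))
    print("bans, findtime=1500:", replay(LOG, findtime=1500))
```

With the thread's `findtime = 300`, the burst from 203.0.113.45 and the mixed pjsip/security failures from 192.0.2.77 are banned, while the ten-minute drip from 198.51.100.7 never accumulates three failures in one window; widening findtime is what catches it, which is the tuning John V. suggests. Dropping the `pjsip` or `security` pattern from PATTERNS reproduces Bryant's symptom: those lines parse to nothing and the host is never counted.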