SEMI OFF-TOPIC – Fail2ban
Hi list, has someone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop it.
[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"
I modified the fail2ban filter as below, but these are still not detected.
asterisk.conf
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for
'
^%(log_prefix)s Registration from '[^']*' failed for
'
^%(log_prefix)s Registration from '[^']*' failed for
'
^%(log_prefix)s Registration from '[^']*' failed for
'
^%(log_prefix)s Registration from '[^']*' failed for
'
^%(log_prefix)s Registration from '[^']*' failed for
'
^%(log_prefix)s Registration from '[^']*' failed for
'
^%(log_prefix)s Call from '[^']*' \(
'default'
\.$
^%(log_prefix)s Host
^%(log_prefix)s No registration for peer '[^']*' \(from
^%(log_prefix)s Host
'[^']*' \([^)]+\)$
^%(log_prefix)s Failed to authenticate (user|device)
[^@]+@
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*
$
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/
ignoreregex =
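Two things are worth checking against the filter above before touching fail2ban itself. First, the quoted log lines are "ChallengeSent" events with Severity "Informational": Asterisk emits one for every authentication challenge, including legitimate registrations, and the SecurityEvent pattern in the filter deliberately lists only failure events (FailedACL, InvalidAccountID, ChallengeResponseFailed, InvalidPassword), so those lines are not supposed to match. Second, the filter's SecurityEvent pattern requires AccountID to be all digits (`AccountID="\d+"`), but the logs show the `sip:100@host` form, so even a real InvalidPassword event from this Asterisk would slip past that pattern. The script below is an added illustration, not the poster's configuration or fail2ban's own code: it re-joins the posted log lines, adds two constructed InvalidPassword events (one with a digit-only AccountID, one with the `sip:user@host` form; 203.0.113.9 and 198.51.100.7 are documentation addresses), expands `%(__pid_re)s` by hand, substitutes a simplified stand-in for fail2ban's `<HOST>` tag, and simulates fail2ban 0.8's habit of removing the matched timestamp before applying failregex (which is what the leading `\[\]\s*` in log_prefix accounts for). It then shows which remote hosts the pattern as posted would ban, compared with a version whose AccountID sub-pattern accepts anything up to the closing quote.

```python
import re

# Constructed sample log. The two ChallengeSent lines are the ones quoted in
# the post, re-joined onto single lines as Asterisk writes them. The two
# InvalidPassword lines are constructed here to show what real failures look
# like: one with the older all-digit AccountID, one with the sip:user@host
# form seen in the post. 203.0.113.9 and 198.51.100.7 are documentation
# addresses, not real hosts.
SAMPLE_LOG = [
    '[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: '
    'SecurityEvent="ChallengeSent",EventTV="1420750787-386840",'
    'Severity="Informational",Service="SIP",EventVersion="1",'
    'AccountID="sip:100@173.230.133.20",SessionID="0x169f528",'
    'LocalAddress="IPV4/UDP/173.230.133.20/5060",'
    'RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"',
    '[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: '
    'SecurityEvent="ChallengeSent",EventTV="1420752020-854997",'
    'Severity="Informational",Service="SIP",EventVersion="1",'
    'AccountID="sip:102@173.230.133.20",SessionID="0x169f528",'
    'LocalAddress="IPV4/UDP/173.230.133.20/5060",'
    'RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"',
    # constructed: all-digit AccountID, the form the posted pattern expects
    '[2015-01-08 15:20:21] SECURITY[21515] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="1420752021-000123",'
    'Severity="Error",Service="SIP",EventVersion="2",'
    'AccountID="100",SessionID="0x169f528",'
    'LocalAddress="IPV4/UDP/173.230.133.20/5060",'
    'RemoteAddress="IPV4/UDP/203.0.113.9/5062",Challenge="23965594",'
    'ReceivedChallenge="23965594",'
    'ReceivedHash="0123456789abcdef0123456789abcdef"',
    # constructed: sip:user@host AccountID, as in the post's ChallengeSent lines
    '[2015-01-08 15:20:22] SECURITY[21515] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="1420752022-000456",'
    'Severity="Error",Service="SIP",EventVersion="2",'
    'AccountID="sip:100@173.230.133.20",SessionID="0x169f528",'
    'LocalAddress="IPV4/UDP/173.230.133.20/5060",'
    'RemoteAddress="IPV4/UDP/198.51.100.7/5078",Challenge="770e84a3",'
    'ReceivedChallenge="770e84a3",'
    'ReceivedHash="0123456789abcdef0123456789abcdef"',
]

# fail2ban 0.8 removes the timestamp it matched before applying failregex; the
# "[]" left behind is what the leading "\[\]\s*" in log_prefix matches. This
# models that step for the "%F %T" dateformat from logger.conf.
DATE_RE = re.compile(r'^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]')

# The poster's log_prefix with %(__pid_re)s expanded by hand to (?:\[\d+\]).
LOG_PREFIX = r'\[\]\s*(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[\S+\d*\])? \S+:\d*'

# Simplified stand-in for fail2ban's <HOST> tag (assumption: fail2ban's real
# expansion also copes with IPv6-mapped forms; this is enough for the sample).
HOST = r'(?P<host>[\w.:-]+)'

# Only failure events belong here; ChallengeSent is informational by design.
EVENTS = r'(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)'


def security_regex(account_id_pattern):
    """Build the SecurityEvent failregex with a given AccountID sub-pattern."""
    return re.compile(
        r'^' + LOG_PREFIX +
        r' SecurityEvent="' + EVENTS + r'",EventTV="[\d-]+",Severity="[\w]+",'
        r'Service="[\w]+",EventVersion="\d+",'
        r'AccountID="' + account_id_pattern + r'",SessionID="0x[\da-f]+",'
        r'LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
        r'RemoteAddress="IPV[46]/(UD|TC)P/' + HOST + r'/\d+"'
        r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$'
    )


# As posted: AccountID must be all digits.
REGEX_AS_POSTED = security_regex(r'\d+')
# Relaxed: accept anything up to the closing quote, e.g. sip:100@host.
REGEX_RELAXED = security_regex(r'[^"]*')


def matched_hosts(lines, regex):
    """Return the remote hosts fail2ban would ban for these lines and pattern."""
    hosts = []
    for line in lines:
        stripped = DATE_RE.sub('[]', line, count=1)
        match = regex.match(stripped)
        if match:
            hosts.append(match.group('host'))
    return hosts


if __name__ == "__main__":
    for name, regex in (("as posted", REGEX_AS_POSTED),
                        ("relaxed AccountID", REGEX_RELAXED)):
        print(f"{name}: would ban {matched_hosts(SAMPLE_LOG, regex)}")
```

Run stand-alone it reports that the posted pattern bans only the host from the digit-only AccountID event, while the relaxed pattern also catches the `sip:user@host` form; neither touches the ChallengeSent lines, which is the intended behaviour. The same check can be done against the real filter file with `fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf`.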
6 thoughts on - SEMI OFF-TOPIC – Fail2ban
Do you really want to detect “ChallengeSent”? That should occur also on legitimate login processes…
-S
Hello;
Did you remember to uncomment the dateformat in
/etc/asterisk/logger.conf? That’s necessary for fail2ban to work.
Logger.conf
[general]
dateformat=%F %T
Regards;
John
2015-01-09 9:05 GMT-06:00 Tech Support:
Hi, I'll show my logger.conf:
dateformat=%F %T ; ISO 8601 date format
use_callids= yes
appendhostname= no
security=> security,notice
regards
2015-01-09 3:53 GMT-06:00 Stefan Gofferje:
Hi, the strange thing is that I do not yet have this Asterisk in production and I still see many connection attempts.
Now keep in mind that when an authentication is successful the message changes and is not exactly what you mention:
## SecurityEvent="SuccessfulAuth",EventTV="1420832883-140932",####
I think these connection-attempt messages from my Asterisk are the ones fail2ban is not detecting.
I'm no expert, but the log does not lie 😉
regards
I'd suggest taking a look at the free edition of SecAst (www.generationd.com). It handles these messages perfectly (and can also use AMI security events), so you don't need to constantly be updating fail2ban rules. It's a drop-in replacement for fail2ban.
-M-
P.S. My opinions are my own and do not necessarily represent those of my employer. As an employee of Generation D System you can bet my opinions are biased though!
It’s nice to hear someone is making use of the AMI security events!