Fail2ban

Home » Asterisk Users » Fail2ban
Asterisk Users 7 Comments

Hello

I’m using the Fail2ban. I configuration below. I want to try to prevent the continuous password. Fail2ban password that does not prevent this form. (Asterisk 1.8 / Elastix interface)

What could be the problem ?

Asterisk log;
“Registration from ‘‘ failed for
‘x.x.x.x:32956’ – Wrong password”

Fail2ban asterisk filter;

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available — read them from

# common.local before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
\S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from ‘[^’]*’ failed for ‘(:\d+)?’ – (Wrong password|Username/auth name mismatch|No m$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
‘[^’]*’ \(:\d+\) to extension ‘\d+’ rejected because extension not found in context ‘de$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host
failed to authenticate as ‘[^’]*’$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer ‘[^’]*’ \(from \)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host
failed MD5 authentication for ‘[^’]*’ \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
‘[^’]*’ \(:\d+\) to extension ‘\d+’ rejected because extension not found in context ‘de$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host
failed to authenticate as ‘[^’]*’$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer ‘[^’]*’ \(from \)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host
failed MD5 authentication for ‘[^’]*’ \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
(?:handle_request_subscribe: )?Sending fake auth rejection for
(device|user) \d*>;tag=$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent=”(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)”,EventTV=”[\d-]+”,S$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
)Ext\. s: “Rejecting unknown SIP connection from “$

ignoreregex

# Author: Xavier Devlamynck / Daniel Black
#
# General log format – main/logger.c:ast_log
# Address format – ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog – “in {functionname}:” only occurs in s

7 thoughts on - Fail2ban

  • In the fail2ban website they have several versions of asterisk.conf depending on the version of Asterisk you are using. If you have the latest fail2ban that one has the version for Asterisk 11. Go there and download the correct version for your setup.


    Telecomunicaciones Abiertas de México S.A. de C.V. Carlos Chávez dCAP #1349
    +52 (55)9116-91161

  • Is this a home/small installation? If so try SecAst (from http://www.telium.ca) as a free drop in replacement for fail2ban. You won’t have to mess with regexes etc…and it should address the continuous password issue.

    -Raj-

    P.S. My opinions are my own and may not represent those of my employer.
    As an empolyee of Telium you can bet however that my opinions are biased 🙂

  • Sometimes minor tweaks to the file are in order. My suggestion is to use the fail2ban-regex utility to test the log file entry until it is detected. Just put the line generated by asterisk in a test file and then run the regex.

    # /usr/bin/fail2ban-regex -?
    Usage: /usr/bin/fail2ban-regex [OPTIONS] [IGNOREREGEX]

    example:

    /usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf

  • I solved the problem. “action.d/iptables-custom.conf” include only udp. service fail2ban restart

    Thank you.

  • Another problem is too late to do the ban. The reason for this yetmemse of CPU power. I’m simulating an attack. Of course, eating CPU.

  • The problem with fail2ban is it is an ‘after the fact’ approach. It depends on packets already going where they don’t belong and put the responsibility on the application (Asterisk) to log the offending packets so fail2ban can scan the logs and create rules.

    Years ago (2010?) Gordon Henderson published an iptables script that handled things like invite and registration flooding.

    If you take care of these things before they eat resources and before they get to the logging that fail2ban depends on you will save a lot of cycles.

    If Gordon is still on list, maybe he can re-publish. I’d be interested to see if he has any new tricks included.