Blacklist Failed Attempts


Hi. I would like to protect my system from failed attempts. I would like to ask if there is a way to do a blacklist for a certain amount of time after consecutive attempts from the same IP. For example, if we have an IP that gets a wrong passwd and it has tried more than 3 times in the last 5 minutes, blacklist it for an hour. I have tried to implement it through fail2ban, but it does not seem to work for my Asterisk implementation. Is there any other way?

4 thoughts on - Blacklist Failed Attempts

  • fail2ban

    Good plan.

    What have you tried? Show us the configuration.

    Which version of Asterisk are you using and how have you set up fail2ban?

    There may be other ways, but fail2ban really is the right tool for this job.

    Antony.

  • Hi

    You could do something like this in Perl:

    #!/usr/bin/perl -w
    use strict;
    use warnings;

    my (@failhost);
    my %currblocked;
    my %addblocked;
    my $action;

    # Collect the source address of every failed registration in the log.
    open(MYINPUTFILE, '<', '/var/log/asterisk/messages') or die "\n", $!, " Does log file exist?\n\n";

    while (<MYINPUTFILE>) {
        my ($line) = $_;
        chomp($line);
        # Capture only a dotted-quad IPv4 address, so nothing else from the
        # log line can end up in the iptables call below.
        if ($line =~ m/' failed for '(\d+\.\d+\.\d+\.\d+):\d+' - No matching peer found/) {
            push(@failhost, $1);
        }
        if ($line =~ m/' failed for '(\d+\.\d+\.\d+\.\d+):\d+' - Wrong password/) {
            push(@failhost, $1);
        }
    }
    close(MYINPUTFILE);

    # Addresses that already have a rule in the "asterisk" iptables chain.
    my $blockedhosts = `/sbin/iptables -n -L asterisk`;

    while ($blockedhosts =~ /(.*)/g) {
        my ($line2) = $1;
        chomp($line2);
        if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
            $currblocked{ $1 } = 'blocked';
        }
    }

    if (@failhost) {
        &count_unique(@failhost);
        while (my ($ip, $count) = each(%addblocked)) {
            unless (exists $currblocked{ $ip }) {
                # List form of system(): the address is passed as an argument, not through a shell.
                $action = system('/sbin/iptables', '-I', 'asterisk', '-s', $ip, '-j', 'REJECT');
                print "$ip blocked. $count attempts.\n";
            }
        }
    } else {
        # print "no failed registrations.\n";
    }

    # Count how often each address failed and store the result in %addblocked.
    sub count_unique {
        my @array = @_;
        my %count;
        $count{$_}++ for @array;
        $addblocked{$_} = $count{$_} for sort keys(%count);
    }

    Mind, this would NOT block attempts via IPv6. So I have stopped using that script, also reading the file over and over again is not very performant.

    I have now opted to use my MikroTik firewall to block failed attempts; similar rules can also be made with iptables:

    In the Mangle Ruleset:

    1 ;;; SIP Check Unauth
    chain=forward action=add-dst-to-address-list protocol=udp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m
    out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

    2 ;;; tcp sip check auth fail
    chain=forward action=add-dst-to-address-list protocol=tcp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m
    out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

    And then you just block all source addresses from sip-auth-fail in your forwarding table. This works for IPv6 and IPv4.

    (Also yes, depending on the speed of your link, this also could be resource intensive on your firewall, as it does full packet inspection.)

    Kind regards

    -Benoît Panizzon-

    I m p r o W a r e A G – Head of Commerce Customers
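The policy asked for in the original question (more than 3 failures in 5 minutes, then a one-hour ban), as an added example that is not code from any poster in this thread. It covers the IPv6 gap mentioned for the Perl script and only works out which addresses to ban; applying the ban is left to the firewall. Assumptions: timestamps use `dateformat=%F %T`, IPv6 peers are logged as `[addr]:port`, and `find_bans` is a hypothetical name.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at end of line so text inside the caller-supplied From field
# cannot be mistaken for the address Asterisk itself logged.
FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\].* failed for '(?P<host>\[[0-9A-Fa-f:.]+\]|[0-9.]+):\d+'"
    r" - (?:Wrong password|No matching peer found)$")

def find_bans(lines, max_failures=3, window=timedelta(minutes=5),
              ban_for=timedelta(hours=1)):
    """Return (ip, banned_at, banned_until) for each address that exceeds
    max_failures failed registrations inside the sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")  # assumed dateformat
        try:
            ip = ipaddress.ip_address(m["host"].strip("[]"))  # IPv4 or IPv6
        except ValueError:
            continue              # not a real address: never hand it to a firewall
        if banned_until.get(ip, ts) > ts:
            continue              # still banned, nothing new to do
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) > max_failures:
            banned_until[ip] = ts + ban_for
            bans.append((str(ip), ts, ts + ban_for))
            q.clear()
    return bans

def _line(ts, host):              # builds one constructed sample log line
    return (f"[2018-03-01 {ts}] NOTICE[1234] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@192.0.2.1>' failed for '{host}:5060' - Wrong password")

SAMPLE = [_line(t, h) for t, h in [          # constructed, chronological
    ("08:00:00", "203.0.113.9"), ("08:00:01", "198.51.100.7"),
    ("08:00:40", "198.51.100.7"), ("08:01:10", "198.51.100.7"),
    ("08:02:00", "198.51.100.7"), ("08:02:30", "198.51.100.7"),
    ("08:03:00", "203.0.113.9"), ("08:04:00", "[2001:db8::5]"),
    ("08:04:20", "[2001:db8::5]"), ("08:04:40", "[2001:db8::5]"),
    ("08:05:00", "[2001:db8::5]"), ("08:06:00", "203.0.113.9"),
    ("08:09:00", "203.0.113.9")]]
```

In the sample, 203.0.113.9 fails four times but never more than three times inside any five-minute window, so it is not banned.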

  • I’m happy with Fail2Ban protecting my Asterisk 13. Here is my configuration:

    in /etc/asterisk/logger.conf:
    messages => security,notice,warning,error

    in /etc/asterisk/sip.conf:
    allowguest=yes
    context=unauthenticated

    in /etc/asterisk/extensions.conf:
    [unauthenticated]
    ;; Incoming calls from unauthenticated caller -> Fail2Ban
    exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')

  • If this is a home system, try the free edition of SecAst (www.telium.ca/?secast). It allows you to set thresholds for the number of attempts, and specify the period in which they occur. The Free edition of SecAst is a drop-in replacement for fail2ban (but with a lot more intelligence included for free).

    If this is for a business / you are looking for a commercial product recommendation then post on the commercial list 🙂

    From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Atux Atux
    Sent: Thursday, March 1, 2018 8:03 AM
    To: Asterisk Users Mailing List – Non-Commercial Discussion
    Subject: [asterisk-users] Blacklist failed attempts

    Hi. I would like to protect my system from failed attempts. I would like to ask if there is a way to do a blacklist for a certain amount of time after consecutive attempts from the same IP. For example, if we have an IP that gets a wrong passwd and it has tried more than 3 times in the last 5 minutes, blacklist it for an hour. I have tried to implement it through fail2ban, but it does not seem to work for my Asterisk implementation.

    Is there any other way?