Fail2ban for Asterisk, On CentOS and Gentoo

Let’s start with this mini how-to, so you can secure your Asterisk box from brute-force attacks on SIP registration. You will need a basic understanding of Linux and Asterisk in case you run into problems during the installation.

1- Installation

For Gentoo: emerge iptables

#emerge iptables

Emerge python with the threads USE flag enabled (fail2ban relies on Python threading):

#USE=threads emerge python

Emerge fail2ban:

#emerge fail2ban

For CentOS (jwhois provides the whois lookup used by the sendmail-whois action configured below):

#yum -y install jwhois
#yum -y install fail2ban

2- Configuration

Copy these contents into the new file /etc/fail2ban/filter.d/asterisk.conf:

# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
#

For CentOS:

Modify the ignoreip line in the [DEFAULT] section (hosts and networks listed there are never banned, so keep it to your own management networks) and add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file:

# /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600

For Gentoo:

# /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath  = /opt/pbxware/pw/var/log/asterisk/messages
maxretry = 5
bantime = 600

We’ll back up the existing logger.conf to logger.conf.bak and create a new one, so that Asterisk writes its NOTICE messages to a dedicated fail2ban log file.

# mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
# touch /etc/asterisk/logger.conf

Copy these contents into the new file /etc/asterisk/logger.conf:

[general]
dateformat=%F %T
[logfiles]
full => notice,warning,error,debug,verbose
fail2ban => notice

Reload the logger module in Asterisk:

# asterisk -rx "module reload logger"

Add Fail2ban to the list of startup services.

For Gentoo:

# rc-update add fail2ban default

For CentOS:

# chkconfig fail2ban on

Start Fail2ban:

# /etc/init.d/fail2ban start

Check that fail2ban’s chain shows up in iptables:

# iptables -L -v -n

You should see “fail2ban-ASTERISK” in your iptables output.

Any host that tries to brute-force your SIP passwords will now be banned after 5 failed attempts for 600 seconds (see maxretry and bantime in jail.conf if you want to change these values).
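To see what the filter and jail above actually do before you point a SIP client at the box, here is an added Python example (it is not part of the original post and not fail2ban’s own code) that replays the asterisk.conf failregex lines and the jail’s maxretry/bantime counting over a few constructed Asterisk log lines in the dateformat that logger.conf sets. It assumes fail2ban’s default findtime of 600 seconds, which the jail.conf above does not override; the IP addresses and timestamps in the sample log are made up for the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex lines from the asterisk.conf filter above, with the literal
# parentheses in the last patterns escaped so they are not regex groups.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# <HOST> is an alias for this group, as the filter's own comment states.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]

# ignoreip from the jail.conf above: hosts in these networks are never banned.
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in "127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16".split()]

# Constructed sample log (not real traffic), in the "dateformat=%F %T" layout.
SAMPLE_LOG = """\
2011-03-01 10:00:01 NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '203.0.113.7' - Wrong password
2011-03-01 10:00:02 NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx>' failed for '203.0.113.7' - No matching peer found
2011-03-01 10:00:03 NOTICE[1234] chan_sip.c: No registration for peer '102' (from 203.0.113.7)
2011-03-01 10:00:04 NOTICE[1234] chan_sip.c: Host 203.0.113.7 failed MD5 authentication for '103' (abc)
2011-03-01 10:00:05 NOTICE[1234] chan_sip.c: Failed to authenticate user 104@203.0.113.7
2011-03-01 10:00:06 NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx>' failed for '192.168.1.20' - Wrong password
2011-03-01 10:00:07 VERBOSE[1234] logger.c: Registration from '"200" <sip:200@pbx>' failed for '198.51.100.9' - Wrong password
2011-03-01 10:00:08 NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx>' failed for '198.51.100.9' - Device does not match ACL
"""


def match_failregex(line):
    """Return the offending host if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host):
    """True when the host lies inside an ignoreip network; hostnames are never ignored."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)


def parse_time(line):
    # logger.conf sets dateformat=%F %T, i.e. "YYYY-MM-DD HH:MM:SS" at line start.
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def run_jail(log_text, maxretry=5, bantime=600, findtime=600):
    """Replay the jail's counting logic; returns {host: ban expiry datetime}.

    maxretry and bantime are the jail.conf values above; findtime is fail2ban's
    default window (assumed here). A host already banned is not counted again,
    a simplification of what fail2ban does after a ban expires.
    """
    recent = defaultdict(deque)  # host -> timestamps of failures inside findtime
    bans = {}
    for line in log_text.splitlines():
        host = match_failregex(line)
        if host is None or is_ignored(host) or host in bans:
            continue
        ts = parse_time(line)
        window = recent[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans


if __name__ == "__main__":
    for host, until in run_jail(SAMPLE_LOG).items():
        print(f"ban {host} until {until}")
```

Running it bans only 203.0.113.7: its five NOTICE failures within the window reach maxretry at 10:00:05, so the ban lasts until 10:10:05. The 192.168.1.20 failure is dropped by ignoreip, and the VERBOSE line never counts because every failregex requires NOTICE, which is exactly why logger.conf above sends only notice-level messages to the fail2ban log.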

3- Testing

How to test whether your security is working correctly:

Download a software SIP client and try to connect to your Elastix box using wrong credentials. Make sure you don’t try this from an IP address that is on the “ignoreip” list (192.168.1.0/24, for instance). If your client gets blocked after 5 attempts and you receive an email saying your IP has been blocked, then you can safely assume that your configuration is working correctly.

Enjoy! 🙂

Hello World!!

This is my real “Hello World!!” message,

from Egypt, after a revolution and an evolution that we hope will change the foggy image that most people in the world had of Egypt,

from this blog I want to interact and share my little knowledge, which might help someone in this world, and to learn from others who have vast experience in the VoIP, Linux, communication and open-source fields.

I’d be glad to share my mini tutorials and my humble ideas, and I hope to find some curious comments.

Hello everyone!