Fail2ban for Asterisk, On CentOS and Gentoo

This mini how-to shows how to protect your Asterisk box from SIP brute-force attacks with Fail2ban. You will need a basic understanding of Linux and Asterisk to troubleshoot anything that goes wrong during installation.

1- Installation

For Gentoo:

Emerge iptables:

# emerge iptables

Emerge python with the threads USE flag enabled:

# USE=threads emerge python

Emerge fail2ban:

# emerge fail2ban

For CentOS (jwhois is needed by the sendmail-whois action configured below):

# yum -y install jwhois
# yum -y install fail2ban

2- Configuration

Copy these contents into the new file /etc/fail2ban/filter.d/asterisk.conf :

# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

# The literal parentheses in the "No registration for peer" and "failed MD5
# authentication" lines must be escaped, and '<HOST>(:[0-9]+)?' accepts the
# ':port' suffix that Asterisk 1.8 and later append to the source address in
# "Registration from ... failed for" lines (without it those lines never match).
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL
            NOTICE.* .*: <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
#

For CentOS:

Set ignoreip in the [DEFAULT] section (addresses that must never be banned: localhost and your RFC 1918 LAN ranges; note that the private block is 172.16.0.0/12, not /16) and add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file:

# /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600

For Gentoo (same [DEFAULT] change; the logpath below is a PBXware install's Asterisk log, so point it at whatever file your Asterisk actually writes notice messages to):

# /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath  = /opt/pbxware/pw/var/log/asterisk/messages
maxretry = 5
bantime = 600

We’ll back up the existing logger.conf to logger.conf.bak and create a new one.

# mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
# touch /etc/asterisk/logger.conf

Copy these contents into the new file /etc/asterisk/logger.conf (the fail2ban file receives only notice-level messages, which is all the filter needs; full keeps everything):

[general]
dateformat=%F %T
[logfiles]
full => notice,warning,error,debug,verbose
fail2ban => notice

Reload logger module in Asterisk :

# asterisk -rx "module reload logger"

Add Fail2ban to the list of startup services.

For Gentoo:

# rc-update add fail2ban default

For CentOS:

# chkconfig fail2ban on

Start Fail2ban :

# /etc/init.d/fail2ban start

Check if fail2ban is showing up in iptables :

# iptables -L -v -n

You should see a “fail2ban-ASTERISK” chain in your iptables output.

Any attacker who tries to brute-force your SIP passwords will now be banned after 5 failed attempts (maxretry) for 600 seconds (bantime); edit jail.conf if you want to change these values.
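To see what the filter and the jail settings above actually do, here is a small stand-alone model of them: it runs the asterisk.conf failregex lines over Asterisk log lines and applies the jail's ignoreip, maxretry and findtime policy. This is an added example, not code from the post or from fail2ban itself (fail2ban's real engine is the daemon plus the fail2ban-regex tool). Assumptions: the pattern substituted for <HOST> is modelled on fail2ban's 0.8 engine; the log lines are constructed, use documentation addresses (203.0.113.x, 198.51.100.x) and follow the dateformat=%F %T set in logger.conf; the ignoreip list uses 172.16.0.0/12.

```python
"""Model of the asterisk jail: run the filter's failregex over log lines and
apply ignoreip / maxretry / findtime.  Added example, not fail2ban's or the
post's own code; fail2ban's real tools are fail2ban-regex and the jail daemon."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the pattern fail2ban substitutes for <HOST>, modelled on its 0.8
# engine. It excludes ':' so the optional port group after <HOST> can match.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The filter's failregex lines: literal parentheses escaped, and an optional
# ':port' after <HOST> for the "failed for '1.2.3.4:5060'" form that Asterisk
# 1.8 and later log.  Without it those lines would not match at all.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# The jail's ignoreip, with the full RFC 1918 block 172.16.0.0/12.
IGNOREIP = [ipaddress.ip_network(n) for n in
            ("127.0.0.1/32", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Timestamp prefix produced by logger.conf's dateformat=%F %T.
TS_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")

# Constructed sample log (documentation addresses, not captured traffic).
SAMPLE_LOG = [
    "[2012-04-23 10:15:01] NOTICE[2210] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.7>' failed for '203.0.113.7:5060' - Wrong password",
    "[2012-04-23 10:15:02] NOTICE[2210] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.7>' failed for '203.0.113.7:5060' - No matching peer found",
    "[2012-04-23 10:15:03] NOTICE[2210] chan_sip.c: 203.0.113.7 failed to authenticate as '100'",
    "[2012-04-23 10:15:04] NOTICE[2210] chan_sip.c: No registration for peer '100' (from 203.0.113.7)",
    "[2012-04-23 10:15:05] NOTICE[2210] chan_sip.c: Host 203.0.113.7 failed MD5 authentication for '100' (abc123 != def456)",
    "[2012-04-23 10:15:07] NOTICE[2210] chan_sip.c: Peer '100' is now Reachable. (8ms / 2000ms)",
] + [  # five failures from 198.51.100.9, but an hour apart: slow enough to stay under findtime
    f"[2012-04-23 {10 + h}:30:00] NOTICE[2210] chan_sip.c: Failed to authenticate user \"200\"<sip:200@198.51.100.9>;tag=7b5f"
    for h in range(5)
] + [  # five quick failures from the LAN, which ignoreip exempts
    f"[2012-04-23 10:16:0{s}] NOTICE[2210] chan_sip.c: Registration from '\"100\" <sip:100@192.168.1.50>' failed for '192.168.1.50:5060' - Wrong password"
    for s in range(5)
]


def match_line(line):
    """Return (timestamp, host) when a failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            ts = TS_RE.match(line)
            when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S") if ts else None
            return when, m.group("host")
    return None


def failures(lines):
    """Timestamps of matching failures keyed by host, before ignoreip is applied."""
    hits = defaultdict(list)
    for line in lines:
        found = match_line(line)
        if found and found[0] is not None:
            hits[found[1]].append(found[0])
    return dict(hits)


def is_ignored(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: fail2ban would resolve it, this model just keeps it
    return any(addr in net for net in IGNOREIP)


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts with at least maxretry failures inside some findtime-second window."""
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in failures(lines).items():
        if is_ignored(host):
            continue
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1)):
            banned.append(host)
    return sorted(banned)


if __name__ == "__main__":
    for host, times in failures(SAMPLE_LOG).items():
        print(f"{host}: {len(times)} failures, ignored={is_ignored(host)}")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Two things the run makes visible: the LAN host and the slow attacker each rack up five failures and neither is banned, one because of ignoreip and one because the failures never fall inside a single findtime window (fail2ban's default findtime is 600 seconds; raise it if you want slow scanners caught too), while the host hammering five different messages in five seconds is. On the real box the equivalent checks are `fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk.conf`, which reports which lines each failregex matched, and `fail2ban-client status asterisk-iptables`, which lists the currently banned addresses.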

3- Testing

How to check that the protection is actually working:

Download a software SIP client (softphone) and try to register against your Asterisk (or Elastix) box with false credentials. Make sure you do not test from an address on the ignoreip list (anything inside 192.168.0.0/16, 10.0.0.0/8 or 172.16.0.0/12, for instance), because those addresses are never banned. If the client is blocked after 5 attempts and you receive an email saying your IP has been banned, the configuration is working correctly.

Enjoy! 🙂

Posted on April 23, 2012, in Work stuff.