Asterisk Config for Fail2Ban

10/10/2013

As promised in my previous post [Fail2ban Installation for Debian/Ubuntu], here is the Asterisk configuration how-to for Fail2Ban.

This adds an Asterisk filter to Fail2Ban so that it can recognise attacks against your Asterisk PBX.
Create a new filter configuration for Asterisk:

touch /etc/fail2ban/filter.d/asterisk.conf

The contents of /etc/fail2ban/filter.d/asterisk.conf should be the following:
Asterisk 1.6

# Fail2Ban configuration file

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
# Values:  TEXT
#
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

# <HOST> is Fail2Ban's placeholder for the address to ban; every failregex must
# contain it. The leading \[\] matches the empty brackets that remain once
# Fail2Ban has removed the date from the line.
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Next, edit /etc/fail2ban/jail.local and add the following section so that Fail2Ban uses the new filter. This bans the attacking IP for 3 days (259200 seconds). It is recommended to set bantime in the [DEFAULT] section so that it applies to all jails. It is also recommended to enable iptables bans for ssh, httpd/apache and ftp if they are running on the system. Be sure to edit the sendmail-whois action so that notifications go to an appropriate address:

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@yourdomain.com]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime  = 259200

Note: logpath = /var/log/asterisk/messages is for vanilla Asterisk; use logpath = /var/log/asterisk/full for FreePBX. You can check the name of the log file in logger.conf.

Note: if Fail2Ban still fails to identify login attempts, try the syslog logging method described below.
Asterisk Logging

We must change how Asterisk formats the time stamp in its logs. The default format does not work with Fail2Ban because the date pattern Fail2Ban would use for that format is anchored to the beginning of the line (^), while Asterisk puts its date/time inside []. The other date formats Fail2Ban supports are not anchored this way and can be used with Asterisk.

To change the format, open /etc/asterisk/logger.conf and add the following line under the [general] section (you may have to create this section before the [logfiles] section). This formats the date and time as Year-Month-Day Hour:Minute:Second, for example [2008-10-01 13:40:04].

[general]
dateformat=%F %T

Then reload the logger module for Asterisk. At the command line, run:

asterisk -rx "logger reload"

If for some reason you do not want to change the date/time format of your normal Asterisk logs (for example, because you already have scripts that parse it and do not want to edit them), you can do the following instead:

In /etc/asterisk/logger.conf, add the following line under the [logfiles] section so that Asterisk logs NOTICE level events to syslog (/var/log/messages) as well as to its normal log file. These syslog entries carry a date/time stamp that Fail2Ban can parse.

Be sure to reload the logger module for Asterisk (see the command above). If you choose this option, you will also have to change the logpath option in the [asterisk-iptables] section of /etc/fail2ban/jail.conf to the following:

logpath  = /var/log/messages

To test your Asterisk regular expressions, run:

fail2ban-regex '/var/log/asterisk/messages' /etc/fail2ban/filter.d/asterisk.conf
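The fail2ban-regex command above needs Fail2Ban installed and a real log to read. As an added example (not from the original post and not Fail2Ban's own code), the following Python script emulates what the filter does so the expressions can be checked offline: it removes the YYYY-MM-DD HH:MM:SS date the way Fail2Ban does (which is why log_prefix starts with \[\]), expands <HOST> with a host pattern modelled on the one the 0.8-era Fail2Ban engine used, runs a subset of the failregex lines from the filter over constructed Asterisk log lines, and counts matches per host against maxretry. The HOST_RE value, the sample log lines, and the single-template date handling are assumptions of this example; the real Fail2Ban date detector knows many more templates.

```python
import re

# Stand-in for Fail2Ban's <HOST> expansion (IPv4 address or host name), modelled on the
# 0.8-era filter engine; an assumption of this example, not part of the page's config.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# __pid_re as defined in Fail2Ban's common.conf, which the filter includes.
PID_RE = r"(?:\[\d+\])"

# log_prefix as in the filter: the leading \[\] matches the empty brackets that remain
# after the date has been removed from an Asterisk line such as "[2013-10-10 12:00:01]".
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[\S+\d*\])? \S+:\d*"

# A representative subset of the filter's failregex lines, with <HOST> intact.
FAILREGEX = [
    r"^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$",
    r"^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$",
    r"^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$",
    r"^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$",
    r'^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",'
    r'SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?'
    r'(,ReceivedHash="[\da-f]+")?$',
]

# Substitute %(log_prefix)s and <HOST> the way Fail2Ban does before compiling.
COMPILED = [
    re.compile((rx % {"log_prefix": LOG_PREFIX}).replace("<HOST>", HOST_RE))
    for rx in FAILREGEX
]

# Only the "dateformat=%F %T" stamp this page configures is recognised here
# (simplification of this example; Fail2Ban itself supports many date templates).
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def strip_date(line):
    """Remove the date text as Fail2Ban does, leaving Asterisk's brackets in place."""
    return DATE_RE.sub("", line, count=1)


def match_failure(line):
    """Return the host captured by the first matching failregex, or None."""
    stripped = strip_date(line)
    for rx in COMPILED:
        m = rx.search(stripped)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=5):
    """Hosts with at least maxretry matching lines (the jail's maxretry setting)."""
    counts = {}
    for line in lines:
        host = match_failure(line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
# Lines 0-3 use the dateformat=%F %T layout; line 4 uses Asterisk's default stamp,
# which this emulation (like the page's filter) does not match; line 5 is not a failure.
SAMPLE_LOG = [
    "[2013-10-10 12:00:01] NOTICE[2145] chan_sip.c: Registration from '\"100\"<sip:100@198.51.100.5>' failed for '203.0.113.7:5060' - Wrong password",
    "[2013-10-10 12:00:02] NOTICE[2145] chan_sip.c: Registration from '\"101\"<sip:101@198.51.100.5>' failed for '203.0.113.7:5060' - No matching peer found",
    "[2013-10-10 12:00:03] SECURITY[2150] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"1381406403-123456\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"100\",SessionID=\"0x7f3c5c0008c0\",LocalAddress=\"IPV4/UDP/198.51.100.5/5060\",RemoteAddress=\"IPV4/UDP/203.0.113.9/5060\",Challenge=\"1a2b3c4d\",ReceivedChallenge=\"1a2b3c4d\",ReceivedHash=\"0123456789abcdef0123456789abcdef\"",
    "[2013-10-10 12:00:04] NOTICE[2145] chan_sip.c: Registration from '\"100\"<sip:100@198.51.100.5>' failed for '203.0.113.8:5060' - Wrong password",
    "[Oct 10 12:00:05] NOTICE[2145] chan_sip.c: Registration from '\"100\"<sip:100@198.51.100.5>' failed for '203.0.113.7:5060' - Wrong password",
    "[2013-10-10 12:00:06] VERBOSE[2145] -- Registered SIP '100' at 198.51.100.20:5060",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_failure(line), "<-", line[:70])
    print("would ban with maxretry=2:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Running it shows 203.0.113.7 twice, 203.0.113.9 and 203.0.113.8 once each, and None for the default-format line and the VERBOSE line; with maxretry=2 only 203.0.113.7 would be banned. Swap in lines from your own /var/log/asterisk/messages to see which expression, if any, matches a given event before touching the live jail.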
