Fail2ban fail.

28/12/2013

OK, so in my previous post about fail2ban I mentioned that it banned all hacking attempts. However, I noticed it only bans registration (REGISTER) attempts and not calls sent directly to the incoming context. So I introduced this little script to ban the source of any call that lands in the Incoming context. You will of course have to add all of your legitimate peers to ‘sip.conf’; every non-registered, unknown peer is then forced through your Incoming context, or whatever name you gave it in ‘sip.conf’.

Have a look at the code, chopped from my production server, and let me know your comments.


; extensions.conf, inside your Incoming context: every call from a peer not defined in sip.conf lands here
exten => _X.,1,NoOp(Blackhole Destination)
 same => n,GoSub(getip,s,1)
 same => n,NoOp(Inbound Call ${EXTEN} FROM GW ${FROM_IP} VIA IP ${IP})
 ; the AGI script name was lost from the post; the form is AGI(<your-ban-script>,${IP}) and the IP arrives in the script as agi_arg_1
 same => n,AGI( ${IP})
 same => n,NoOp(-------------------------------------------------------)
 same => n,NoOp(-------------- Black Hole this IP ---------------------)
 same => n,NoOp(-------------------------------------------------------)
 same => n,NoOp(----------- Banned IP ${IP} ------------------)
 same => n,NoOp(-------------------------------------------------------)
 same => n,Hangup()

[getip]
; Subroutine called with GoSub(getip,s,1); sets IP and FROM_IP as channel variables.
; Via and From are written by the remote client, so treat the cut-out values as untrusted input;
; on chan_sip ${CHANNEL(recvip)} gives the address the packet actually came from.
exten => s,1,NoOp(Get DID IP address from header)
 ; Via looks like "SIP/2.0/UDP 1.2.3.4:5060;branch=..." : field 2 on space, then field 1 on ':'
 same => n,Set(IP=${CUT(CUT(SIP_HEADER(Via), ,2),:,1)})
 ; From may be "<sip:user@host:port>;tag=..." (has '@') or "<sip:host:port>;tag=..." (no '@')
 same => n,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
 same => n,GotoIf($["${TESTAT}" != ""]?hasat)
 same => n,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
 same => n,Goto(gotip)
 same => n(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
 same => n(gotip),NoOp(Gateway IP is ${FROM_IP})
 same => n,Return

#!/bin/bash
# AGI ban script. Asterisk feeds "agi_name: value" lines on stdin, terminated by a blank line.
# Linux ignores the setuid bit on scripts, so it is the sudoers entry (visudo) that grants iptables rights.
declare -a array
while read -e ARG && [ "$ARG" ] ; do
	array=(`echo $ARG | sed -e 's/://'`)
	export ${array[0]}=${array[1]}
done

# agi_arg_1 is the IP handed over by the dialplan; -w so that 10.0.0.1 does not match 10.0.0.10
if sudo iptables -L INPUT -v -n | grep -qw -- "$agi_arg_1" ; then
	echo "IP $agi_arg_1 Already Banned" >&2   # stderr: stdout is the AGI command channel
else
	sudo /sbin/iptables -A INPUT -s "$agi_arg_1" -j DROP 2>> /var/log/asterisk/error.log
fi
echo 'SET VARIABLE Banned "'$agi_arg_1'"'

You will also need to set the setuid bit to allow any user to run the root-owned script:

# chown root.root
# chmod 4755

And then, lastly:

# chown asterisk:asterisk
# visudo
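As an added example (not the post's own script), the same AGI ban logic in Python 3: it parses the AGI environment the way the bash loop above does, validates the address cut out of the Via header before it is handed to iptables, and refuses to ban RFC 1918 space, loopback or your own gateways. The NEVER_BAN networks (203.0.113.0/24 standing in for your trunks) are assumptions.

```python
#!/usr/bin/env python3
"""AGI ban helper: parse the AGI environment Asterisk sends on stdin, validate
agi_arg_1 before it reaches iptables, and never ban your own gateways. Constructed example."""
import ipaddress
import subprocess
import sys

# Assumption: never ban RFC 1918 space, loopback, or your real SIP trunks (203.0.113.0/24 is a stand-in).
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "203.0.113.0/24")]


def parse_agi_env(lines):
    """Read 'agi_name: value' lines up to the first blank line, like the bash while/read loop."""
    env = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            break
        key, sep, value = line.partition(":")
        if sep:
            env[key.strip()] = value.strip()
    return env


def classify(candidate, never_ban=NEVER_BAN):
    """'ban', 'skip-allowlisted' or 'skip-invalid' for the string cut out of the Via/From header."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return "skip-invalid"            # a hostname or junk from the header; not an 'iptables -s' argument
    if any(ip in net for net in never_ban):
        return "skip-allowlisted"        # the LAN, the PBX itself or a known gateway
    return "ban"


def ban_commands(ip):
    """Check-then-append pair; 'iptables -C' exits 0 only if that exact rule is already present."""
    rule = ["INPUT", "-s", ip, "-j", "DROP"]
    return (["sudo", "/sbin/iptables", "-C"] + rule,
            ["sudo", "/sbin/iptables", "-A"] + rule)


if __name__ == "__main__":
    ip = parse_agi_env(sys.stdin).get("agi_arg_1", "")
    if classify(ip) == "ban":
        check, add = ban_commands(ip)
        if subprocess.call(check, stderr=subprocess.DEVNULL) != 0:
            subprocess.call(add)
    # AGI protocol: one command per line on stdout, then read Asterisk's "200 result=..." reply.
    print(f'SET VARIABLE Banned "{ip}"', flush=True)
    sys.stdin.readline()
```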
