Fail2ban fail.

28/12/2013

OK, so in my previous post about fail2ban I mentioned that it banned all hacking attempts. However, I noticed it is only banning registration attempts and not calls sent directly to the incoming context. So I introduced the little script below to ban any call going through the incoming context. You will of course have to add all peers to ‘sip.conf’. All non-registered peers will be forced through your incoming context, or whatever name you gave it in ‘sip.conf’.

Have a look at the code chopped from my production server and let me know your comments.

extensions.conf

[incoming]
; Anything that lands here came from an address that is not a configured peer,
; so it is treated as hostile: log it, ban the source and never answer.
; _X. only matches numeric destinations; an INVITE with no user part lands on
; extension s and is simply rejected (404) without a ban, so add an s line or a
; broader pattern if you want those banned as well.
exten => _X.,1,NoOp(Blackhole Destination)
 same => n,GoSub(getip,s,1)
 same => n,NoOp(Inbound Call ${EXTEN} FROM GW ${FROM_IP} VIA IP ${IP})
 same => n,AGI(ban.sh ${IP})
 same => n,NoOp(-------------------------------------------------------)
 same => n,NoOp(-------------- Black Hole this IP ---------------------)
 same => n,NoOp(-------------------------------------------------------)
 same => n,NoOp(----------- Banned IP ${IP} ------------------)
 same => n,NoOp(-------------------------------------------------------)
 same => n,Hangup()

[getip]
; IP comes from the Via header ("SIP/2.0/UDP host:port;branch=..."): take the
; second space-separated field, then everything before the first colon.
; Via is written by the sender, so it can contain any string at all (and an
; IPv6 literal breaks the colon split). The address the packet really arrived
; from is ${CHANNEL(recvip)} in chan_sip, which is the safer thing to ban on.
exten => s,1,NoOp(Get DID IP address from header)
 same => n,Set(IP=${CUT(CUT(SIP_HEADER(Via), ,2),:,1)})
; FROM_IP is the host part of the From header, which may or may not carry a
; user@ part; it is only used for logging.
 same => n,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
 same => n,GotoIf($["${TESTAT}" != ""]?hasat)
 same => n,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
 same => n,Goto(gotip)
 same => n(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
 same => n(gotip),NoOp(Gateway IP is ${FROM_IP})
 same => n,Return

ban.sh

#!/bin/bash
# ban.sh - AGI script: add an iptables DROP rule for the address passed as the
# first AGI argument. Runs as the asterisk user; root is needed only for
# iptables and is obtained through sudo (see the sudoers rule further down).

# Asterisk sends the AGI environment on stdin as "name: value" lines ended by
# a blank line. It must be read completely; only agi_arg_1 (the ${IP} from
# the dialplan) is kept.
ip=""
while IFS= read -r line && [ -n "$line" ]; do
	case "$line" in
		agi_arg_1:*) ip="${line#agi_arg_1: }" ;;
	esac
done

# The value came out of a SIP header the caller wrote, so accept nothing but a
# dotted quad. Unquoted and unchecked, a Via carrying "0.0.0.0/0" would turn
# into "iptables -A INPUT -s 0.0.0.0/0 -j DROP" and cut the whole box off.
ipre='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
if ! [[ "$ip" =~ $ipre ]]; then
	echo "VERBOSE \"ban.sh: refusing to ban '$ip'\" 1"; read -r _
	exit 1
fi

# -C only tests whether the rule already exists (iptables 1.4.11 or later).
if sudo /sbin/iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
	echo "VERBOSE \"IP $ip already banned\" 1"; read -r _
else
	sudo /sbin/iptables -A INPUT -s "$ip" -j DROP 2>> /var/log/asterisk/error.log
	echo "SET VARIABLE Banned \"$ip\""; read -r _
fi

Two things to note in the script. Both iptables calls go through sudo: listing or testing the filter table also needs root, and when the check runs as the asterisk user it fails with a permission error, nothing matches, and a duplicate DROP rule gets appended on every call. And every AGI command is followed by a read of the response line, which is what the AGI protocol expects; the VERBOSE lines end up in the Asterisk console and log.

One thing to be aware of: Linux ignores the setuid bit on scripts, so making ban.sh root-owned with mode 4755 does not make it run as root (and a world-readable setuid script in agi-bin is not something you want anyway). The script runs as the asterisk user and only gets root for the iptables calls, through sudo. So own the script by the Asterisk user in the AGI directory (/var/lib/asterisk/agi-bin by default), keep it executable only by that user, and give that user a sudo rule that covers nothing but iptables:

# chown asterisk:asterisk /var/lib/asterisk/agi-bin/ban.sh
# chmod 0750 /var/lib/asterisk/agi-bin/ban.sh
# visudo
Defaults:asterisk !requiretty
asterisk ALL=(root) NOPASSWD: /sbin/iptables

The ‘Defaults:asterisk !requiretty’ line is only needed on distributions whose sudoers sets ‘requiretty’; without it sudo refuses to run from the AGI process, which has no terminal. A rule of ‘asterisk ALL=(ALL) NOPASSWD: ALL’ works too, but it hands full root on the box to anything that can make the asterisk user run a command, whether a dialplan mistake, a writable AGI script or a bug in chan_sip.
