You are here

Home

Install Fail2ban for Asterisk from RPM

Submitted by powerpbx on Sat, 07/07/2012 - 19:22
Sections: 
Other

Fail2ban

This procedure is what I consider the simplest possible fail2ban install procedure because it installs from RPM.  The most up to date RPM is currently found on the EPEL repository.

Set up EPEL repository

For CentOS5 32 or 64 bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

For CentOS6 32 or 64 bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
 

Install fail2ban set to start on boot

 
yum install fail2ban
chkconfig fail2ban on

Make sure fail2ban and iptables are set to start on boot

chkconfig --list fail2ban
fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off
chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Create the asterisk fail2ban filter

nano /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
   
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

This is just a sample.  You can do an internet search and see if there are any new lines that can be added to this fail2ban asterisk filter or if you are looking to block a specific attack.

Now go in and configure fail2ban with your email address and your preferred defaults.  You can set bantime and maxretry to your preference.  Also a good idea to enable ssh-iptables filter.  Make sure to change the port if you are using something other than 22. Lastly, check the logpath.  For CentOS the logpath is /var/log/secure for ssh-iptables.  For Asterisk it may be /var/log/asterisk/full on some existing installs and /var/log/asterisk/messages on newer installs.  Depends on how it's set on FreePBX Advanced Settings GUI and /etc/asterisk/logger_logfiles_custom.conf.  If you don't get these log paths right then fail2ban is not going to do anything.

Create the custom configuration file and edit

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
ssh-iptables should already be there.  Just change enabled = false to enabled =true and other defaults as needed Add the asterisk-iptables entry to the end of the file.  Double check the logpath.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
sendmail-whois[name=SSH, dest=root, [email protected]]|
logpath  = /var/log/secure
maxretry = 5

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, [email protected]]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 86400

Lastly, make sure date format for asterisk log files is set properly for fail2ban.  If you do not see the following entry in /etc/asterisk/logger.conf or logger_general_additional.conf or logger_general_custom.conf or logger_logfiles_addional.conf or logger_logfiles_custom.conf then add it to logger_logfiles_custom.conf

dateformat=%F %T

Then restart Asterisk or Asterisk logger for changes to take effect.

amportal restart

or from Asterisk command prompt >logger reload Thats it.  Now make sure fail2ban starts.  If not double check for syntax errors in jail.conf.

service fail2ban start