{"id":4976,"date":"2015-04-20T17:26:20","date_gmt":"2015-04-20T22:26:20","guid":{"rendered":"http:\/\/www.nurango.com\/new\/?p=4976"},"modified":"2023-02-01T21:28:21","modified_gmt":"2023-02-01T21:28:21","slug":"securing-asterisk-using-fail2ban","status":"publish","type":"post","link":"https:\/\/www.nurango.ca\/blog\/securing-asterisk-using-fail2ban","title":{"rendered":"Securing asterisk using Fail2Ban"},"content":{"rendered":"\n

The following implementation of IPtables and Fail2Ban will HELP protect your asterisk box from malicious and Brute Force attacks.<\/span><\/h4>\n\n\n\n

This solution is NOT and should NOT be your own line of defense in PBX security,<\/span>
but it is without question an essential.<\/span><\/p>\n\n\n\n

SECURITY NOTE: fail2ban is rather limited in its ability to detect attacks against asterisk. <\/span><\/code><\/span><\/code><\/span><\/p>\n\n\n\n

In a nutshell, fail2ban is a log checker therefor it is reactive, not proactive. For additional protection, check out our asterisk security tips<\/a>.<\/code><\/span><\/p>\n\n\n\n

—<\/span><\/p>\n\n\n\n

Let’s Get Started<\/span><\/h3>\n\n\n\n

Install packages from rpmforge should already be included in your OS. Optionally you can fetch the fail2ban rpm directly from rpmforge<\/a> for your specific linux distro<\/strong><\/span><\/p>\n\n\n\n

CentOS:<\/strong><\/span>
yum install fail2ban<\/span><\/p>\n\n\n\n

Debian\/Ubuntu:<\/span><\/strong>
apt-get install fail2ban<\/span><\/p>\n\n\n\n

SUSE:<\/span><\/strong>
yast2 -i fail2ban<\/span>
Vicidial:<\/span>
(pre-installed)<\/span><\/p>\n\n\n\n

Enable asterisk fail2ban: <\/strong><\/span><\/p>\n\n\n\n

Navigate to the main config file using your favourite text editor:<\/span><\/p>\n\n\n\n

nano \/etc\/fail2ban\/jail.conf<\/span><\/em><\/p>\n\n\n\n

Find the line that says [asterisk] or CTRL W – asterisk<\/em><\/span><\/p>\n\n\n\n

Add the line – “enabled = true” (without quotes)<\/span><\/p>\n\n\n\n

Save and ensure fail2ban is set on boot – “chkconfig fail2ban on”<\/span><\/p>\n\n\n\n

Start the service – “service fail2ban start” or “\/etc\/init.d\/fail2ban start<\/span><\/p>\n\n\n\n

Notes<\/em><\/span>:<\/em><\/span><\/p>\n\n\n\n

– If you will not use the email notification feature (can get annoying), simply remove the sendmail-whois line. This will save some disk space and stop root@hostname emails from trying to go out if your postfix is not setup properly.<\/span><\/p>\n\n\n\n

– If you want to enable the whois feature for IP translation in the Fail2ban email notices, install jwhois (yum install jwhois).<\/span><\/p>\n\n\n\n

Recommendations<\/em><\/span>:<\/em> Increase the ban time at the top of the jail.conf file from 600 seconds to something longer.<\/span><\/p>\n\n\n\n

Additional:<\/strong><\/span><\/p>\n\n\n\n

Location of Regex filter – <\/strong>\/etc\/fail2ban\/filter.d\/asterisk.conf<\/span><\/p>\n\n\n\n

To view the bees caught in the honey pot you can use “iptables -L” or “service fail2ban status”.<\/span><\/p>\n\n\n\n

Manual Install with IPTables from source installation:<\/span><\/h3>\n\n\n\n

Change directories to \/usr\/src:<\/span>
cd \/usr\/src<\/span><\/p>\n\n\n\n

Download and extract Fail2Ban (current stable version as of Nov-2021 is 1.0.2):<\/span><\/p>\n\n\n\n

wget https:\/\/github.com\/fail2ban\/fail2ban\/archive\/refs\/tags\/1.0.2.tar.gz<\/span>
tar xvfj fail2ban-1.0.2.tar.gz<\/span><\/p>\n\n\n\n

Note: v11.1<\/a> is available but requires changes to custom failregexs’. See the Changelog<\/a> before implementing.<\/span><\/em><\/p>\n\n\n\n

Enter the Fail2Ban directory you just extracted:<\/span><\/p>\n\n\n\n

cd fail2ban-1.0.2<\/span><\/p>\n\n\n\n

Make sure python and iptables are installed:<\/span><\/p>\n\n\n\n

CentOS\/Red Hat:<\/span><\/p>\n\n\n\n

yum install python iptables<\/span><\/p>\n\n\n\n

Debian\/Ubuntu:<\/span><\/p>\n\n\n\n

apt-get install python iptables<\/span><\/p>\n\n\n\n

Install Fail2Ban:<\/span><\/strong><\/p>\n\n\n\n

python setup.py install<\/span><\/p>\n\n\n\n

Install the Fail2Ban init script (for source installations):<\/span><\/p>\n\n\n\n

Centos\/Red Hat (if you installed via yum\/rpm, the init script has already been installed):<\/span><\/p>\n\n\n\n

cp \/usr\/src\/fail2ban-1.0.2\/files\/redhat-initd \/etc\/init.d\/fail2ban<\/span><\/em>
chmod 755 \/etc\/init.d\/fail2ban<\/span><\/em><\/p>\n\n\n\n

cp \/usr\/src\/fail2ban-1.0.2\/files\/debian-initd \/etc\/init.d\/fail2ban<\/span><\/em>
chmod 755 \/etc\/init.d\/fail2ban<\/span><\/em><\/p>\n\n\n\n

For other distributions’ init scripts such as Gentoo, SuSE, Monit, Nagios, etc, refer to the ‘\/files’ folder.<\/span><\/p>\n\n\n\n

Configure Fail2Ban<\/span><\/h3>\n\n\n\n

Fail2ban already includes the asterisk failregex in the filters folder along with other defaults located at \/etc\/fail2ban\/filter.d\/.<\/em><\/span><\/p>\n\n\n\n

The contents of \/etc\/fail2ban\/filter.d\/asterisk.conf<\/strong> reflect the following:<\/span><\/p>\n\n\n\n

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#<\/em><\/span><\/p>\n\n\n\n

[INCLUDES]<\/em><\/span><\/p>\n\n\n\n

# Read common prefixes. If any customizations available — read them from
# common.local
#before = common.conf
<\/em><\/span><\/p>\n\n\n\n

[Definition]<\/em><\/span><\/p>\n\n\n\n

#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named “host”. The tag “<HOST>” can
#          be used for standard IP\/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\\S+)
# Values:  TEXT
#
<\/em><\/span><\/p>\n\n\n\n

# Asterisk 1.4 use the following failregex<\/em><\/span><\/p>\n\n\n\n

failregex = NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Wrong password<\/em><\/span><\/p>\n\n\n\n

NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>:.*’ – No matching peer found
NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – No matching peer found
NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Username\/auth name mismatch
NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Device does not match ACL
NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Peer is not supposed to register
NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – ACL error (permit\/deny)
NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Device does not match ACL
NOTICE.* <HOST> failed to authenticate as ‘.*’$
NOTICE.* .*: No registration for peer ‘.*’ \\(from <HOST>\\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for ‘.*’ (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>;.*
NOTICE.* .*: Sending fake auth rejection for device .*\\<sip:.*\\@<HOST>\\>;tag=.*<\/em><\/span><\/p>\n\n\n\n

# In Asterisk 1.8 use the same as above, but after <HOST> add :.* before the single quote. This is because in Asterisk 1.8, the log file includes a port number which 1.4 did not.<\/em><\/span><\/p>\n\n\n\n

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =<\/em><\/span><\/p>\n\n\n\n

If you’re having issues with your system not banning properly when the “Registration from” section in your log file contains a quotation mark (“) as in this example:<\/span><\/p>\n\n\n\n

[2011-04-07 17:53:11] NOTICE[7557] chan_sip.c: Registration from ‘”69106698″<sip:69106698@123.123.123.123>;’ failed for ‘123.123.123.123’ – No matching peer found<\/span><\/p>\n\n\n\n

Add the following line, with the others above, in asterisk.conf:<\/span><\/p>\n\n\n\n

NOTICE.* .*: Registration from '\\\".*\\\".*' failed for '<HOST>' - No matching peer found<\/code><\/span><\/p>\n\n\n\n

Recently noticed attacks:<\/strong><\/span><\/p>\n\n\n\n

[2011-06-21 17:53:11] NOTICE[7557] chan_sip.c: Registration from ‘”XXXXXXXXXX”<sip:XXXXXXXXXX@123.123.123.123>;’ failed for ‘123.123.123.123’ – Wrong Password<\/span><\/p>\n\n\n\n

Adding the following line will block these attempts:<\/strong><\/span><\/p>\n\n\n\n

NOTICE.* .*: Registration from '\\\".*\\\".*' failed for '<HOST>' - Wrong password<\/code><\/samp><\/span><\/p>\n\n\n\n

Next edit \/etc\/fail2ban\/jail.conf<\/strong> to include the following section so that it uses the new filter. This does a 3-day ban on the IP that performed the attack. It is recommend to set the bantime<\/strong> in the [DEFAULT] section so if affects all attacks. It is also recommend to turn on an iptables ban for ssh, httpd\/apache, and ftp if they are running on the system. Be sure to edit the sendmail-whois<\/strong> action to send notifications to an appropriate address:<\/span><\/p>\n\n\n\n

[asterisk-iptables]<\/em><\/code><\/span><\/p>\n\n\n\n

enabled  = true
\nfilter   = asterisk
\naction   = iptables-allports[name=ASTERISK, protocol=all]
\nsendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
\nlogpath  = \/var\/log\/asterisk\/messages
\nmaxretry = 5
\nbantime = 259200<\/em><\/code><\/span><\/p>\n\n\n\n

note:<\/strong> logpath = \/var\/log\/asterisk\/messages is for vanilla asterisk, use logpath = \/var\/log\/asterisk\/full for freepbx. You can check the name of the log file in logger.conf.<\/span><\/p>\n\n\n\n

note: if fail2ban still failed to identify login attempts, try the syslog logging way.<\/span><\/p>\n\n\n\n

Don’t Ban Yourself<\/strong><\/span><\/p>\n\n\n\n

We don’t want to ban ourselves by accident. Edit \/etc\/fail2ban\/jail.conf<\/strong> and edit the ignoreip<\/strong> option under the [DEFAULT] section to include your IP addresses or network, as well as any other hosts or networks you do not wish to ban. Note that the addresses must be separated by a SPACE character!<\/span><\/p>\n\n\n\n

Asterisk Logging<\/strong><\/span><\/p>\n\n\n\n

We must change how Asterisk does its time stamp for logging. The default format does not work with Fail2Ban because the pattern Fail2Ban uses that would match this format has a beginning of line character (^), and Asterisk puts its date\/time inside of []. The other formats that Fail2Ban supports, however, do not have this character and can be used with Asterisk.<\/span><\/p>\n\n\n\n

To change this format, open \/etc\/asterisk\/logger.conf<\/strong> and add the following line under [general] section (You may have to create this before the [logfiles] section). This causes the date and time to be formatted as Year-Month-Day Hour:Minute:Second, [2008-10-01 13:40:04] is an example.<\/span><\/p>\n\n\n\n

[general]<\/samp><\/span><\/p>\n\n\n\n

dateformat=%F %T<\/samp><\/span><\/p>\n\n\n\n

Then reload the logger module for Asterisk. At the command line, run the following command:<\/span>
asterisk -rx “logger reload”<\/samp><\/span><\/p>\n\n\n\n

If for some reason you do not want to change the date\/time format for your normal asterisk logs (maybe you already have scripts that use it or something and do not want to edit them), you can do the following instead:<\/span><\/p>\n\n\n\n

In \/etc\/asterisk\/logger.conf<\/strong>, add the following line under the [logfiles] section for Asterisk to log NOTICE level events to the syslog (\/var\/log\/messages) as well as its normal log file. These entries in syslog will have a Date\/Time stamp that is usable by Fail2Ban.<\/span><\/p>\n\n\n\n

syslog.local0 => notice<\/code><\/span><\/p>\n\n\n\n

Be sure to reload the logger module for Asterisk \u2014 check above for the command to do so. If you chose this option, you will also have to change the \/etc\/fail2ban\/jail.conf<\/strong> setting under the [asterisk-iptables] section for the logpath<\/strong> option to the following:<\/span><\/p>\n\n\n\n

logpath = \/var\/log\/messages<\/span><\/p>\n\n\n\n

Turning it On<\/strong><\/span><\/p>\n\n\n\n

Now it is time to put fail2ban to work. There are a couple steps we need to do first.<\/span><\/p>\n\n\n\n


Turn IPTABLES on<\/strong><\/span><\/p>\n\n\n\n

By default, iptables allows all traffic. So if we turn it on, it will not block any traffic until Fail2Ban creates deny rules for attackers. You should create your own firewall rules and setup for iptables, but that is beyond the scope of this guide. Just know that Fail2Ban, by default, inserts rules at the top of the chain, so they will override any rules you have configured in iptables. This is good because you may allow all sip traffic in and then the Fail2Ban will block individual hosts, after they have done an attack, before they are allowed by this rule again.<\/span><\/p>\n\n\n\n

To start iptables, run the following as root:<\/span><\/p>\n\n\n\n

\/etc\/init.d\/iptables start<\/em>
or
CentOS 7: systemctl start firewalld<\/em><\/span><\/p>\n\n\n\n

Depending on your install, you may or may not have the iptables init script installed. Please refer to an iptables install\/setup guide for your distribution for more information.<\/span><\/p>\n\n\n\n


Turn on Fail2Ban<\/strong><\/span><\/p>\n\n\n\n

To start Fail2Ban, run the following as root:<\/span><\/p>\n\n\n\n

\/etc\/init.d\/fail2ban start<\/em> | systemctl start fail2ban<\/em><\/span><\/p>\n\n\n\n

Check It<\/strong><\/span><\/p>\n\n\n\n

If both started properly, issue the following command to view your iptables rules:<\/span><\/p>\n\n\n\n

iptables -L -v<\/span><\/p>\n\n\n\n

You should see something like the following for the INPUT chain (you will see more if you have other Fail2Ban filters enabled):<\/span><\/p>\n\n\n\n

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<\/span>
pkts bytes target prot opt in out source destination<\/span>
2104K 414M fail2ban-ASTERISK all \u2014 any any anywhere anywhere<\/span><\/p>\n\n\n\n

If you do not see something similar to that, then you have some troubleshooting to do; check out \/var\/log\/fail2ban.log<\/strong>.<\/span><\/p>\n\n\n\n

If you do not see all your rules, or if you see a different subset of rules after stopping and restarting fail2ban, you may be experiencing the issue described on this page on the Fail2ban talk:Community Portal<\/a> and may wish to use the suggested fix:<\/span><\/p>\n\n\n\n

You can also test the filter regex expressions using:<\/strong><\/span><\/p>\n\n\n\n

$fail2ban-regex \/var\/log\/asterisk\/full \/etc\/fail2ban\/filter.d\/asterisk.conf<\/code><\/span><\/p>\n\n\n\n

or $fail2ban-regex \/var\/log\/asterisk\/messages \/etc\/fail2ban\/filter.d\/asterisk.conf<\/code><\/span><\/p>\n\n\n\n

and<\/span><\/p>\n\n\n\n

$fail2ban-regex \/var\/log\/secure \/etc\/fail2ban\/filter.d\/sshd.conf<\/code><\/span><\/p>\n\n\n\n

NOTE: The above rules test Asterisk and SSH rules against your log history.<\/span><\/p>\n\n\n\n

To un-ban\/remove an IP evoke: <\/span><\/p>\n\n\n\n