Configure fail2ban for Asterisk (CentOS 5)
News - Ubuntu / Linux / Unix
Written by Mark Veenstra   
Friday, 07 January 2011 18:16

Fail2Ban is a simple intrusion detection/prevention system. It works by scanning log files and then taking action based on the entries in those logs. Here I will show you how to configure Fail2Ban for Asterisk, with a configuration that blocks SIP brute-force attacks against your Asterisk PBX.

You can get Fail2Ban, as well as more documentation, at www.fail2ban.org. At the time this is being written, the current release is 0.8.4.

 

Requirements

Execute the following command as root on your Asterisk server.

yum install fail2ban

If your CentOS doesn't find the package, execute the following command (it adds the EPEL repository) and then try again.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

Make sure python and iptables are installed on your server.

yum install python iptables

 

Configure Fail2Ban for Asterisk

First we need to create a configuration file for Fail2Ban so it can understand the logfiles of Asterisk and get IP addresses from it to ban. Create the configuration as follows.

vi /etc/fail2ban/filter.d/asterisk.conf

Fill this configuration with the following text.

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
 
[INCLUDES]
 
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
 
 
[Definition]
 
#_daemon = asterisk
 
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
 
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Next edit /etc/fail2ban/jail.conf

vi /etc/fail2ban/jail.conf

Add the following section so that it uses the new filter. This example bans the attacking IP for 3 days (bantime = 259200 seconds; set it to -1 for a permanent ban). It is recommended to set bantime in the [DEFAULT] section so that it affects all jails. It is also recommended to turn on an iptables ban for ssh, httpd/apache and ftp if they are running on the system. Be sure to edit the sendmail-whois action so that notifications go to an appropriate address.

[asterisk-iptables]
 
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 259200

Note that your logpath can differ depending on your setup. You can check it in the file /etc/asterisk/logger.conf.

Exclude yourself from being banned by opening jail.conf again.

vi /etc/fail2ban/jail.conf

Add your own IP addresses, and any other addresses you want to be ignored, to the ignoreip setting, for example:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 192.168.1.1/24 188.188.2.2 199.199.0.3
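To see how the filter above, the maxretry setting of the [asterisk-iptables] jail and the ignoreip list work together, here is a small Python model. It is an added example, not part of the original article and not Fail2Ban's own code. It takes the nine failregex lines verbatim, expands <HOST> with the alias quoted in the filter's comment, and applies the jail's decision to a constructed Asterisk log excerpt (not captured from a real PBX) written in the [%F %T] timestamp format that the Asterisk logging section below configures. Assumptions: the findtime window of 600 seconds is Fail2Ban's default (the jail section above does not set it), the timestamp regex is the example's own, and the failure counting and ignoreip matching are this example's approximation of Fail2Ban's behaviour.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# The <HOST> alias exactly as documented in the filter file's comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The nine failregex lines from asterisk.conf, verbatim.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]

# Leading "[YYYY-MM-DD HH:MM:SS]" as Asterisk writes it with dateformat=%F %T
# (this timestamp regex is the example's own, not one of Fail2Ban's).
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def parse_failure(line):
    """Return (timestamp, host) if the line is an authentication failure, else None."""
    ts = TIMESTAMP.match(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return when, m.group("host")
    return None


def hosts_to_ban(lines, ignoreip, maxretry=5, findtime=600):
    """Jail decision: ban each host not covered by ignoreip that produced at
    least maxretry failures inside one findtime-second window."""
    # strict=False accepts "192.168.1.1/24" (host bits set) as 192.168.1.0/24.
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    failures = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, host = hit
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # hostname or "ip:port": cannot be matched against ignoreip here
        if addr is not None and any(addr in net for net in ignored):
            continue
        failures.setdefault(host, []).append(when)
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in failures.items():
        times.sort()
        # Ban as soon as maxretry consecutive failures fit inside one window.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return sorted(banned)


def _notice(ts, msg):
    return "[%s] NOTICE[2345] chan_sip.c: %s" % (ts, msg)


# Constructed log excerpt (not captured from a real PBX): one attacker that
# fails five times in four seconds, a LAN phone covered by ignoreip, and a
# host whose five failures are spread over 20 minutes.
_REG = "Registration from '\"100\"<sip:100@10.0.0.2>' failed for '%s' - %s"
SAMPLE_LOG = [
    _notice("2011-01-07 18:16:01", _REG % ("203.0.113.7", "Wrong password")),
    _notice("2011-01-07 18:16:02", _REG % ("203.0.113.7", "No matching peer found")),
    _notice("2011-01-07 18:16:02", _REG % ("203.0.113.7", "Username/auth name mismatch")),
    _notice("2011-01-07 18:16:03", "Host 203.0.113.7 failed MD5 authentication for 'admin' (deadbeef != cafebabe)"),
    "[2011-01-07 18:16:03] VERBOSE[2345] logger.c:     -- Registered SIP '200' at 192.168.1.20 port 5060",
    _notice("2011-01-07 18:16:04", _REG % ("203.0.113.7", "Peer is not supposed to register")),
] + [
    _notice("2011-01-07 18:20:%02d" % s, _REG % ("192.168.1.50", "Wrong password")) for s in range(5)
] + [
    _notice("2011-01-07 " + t, _REG % ("198.51.100.9", "Wrong password"))
    for t in ("18:30:00", "18:35:00", "18:38:00", "18:45:00", "18:50:00")
]

IGNOREIP = "192.168.1.1/24 188.188.2.2 199.199.0.3"  # the ignoreip line from above

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_failure(line), "<-", line[:60])
    print("ban:", hosts_to_ban(SAMPLE_LOG, IGNOREIP, maxretry=5))
```

Two things the model makes visible. First, an entry such as 192.168.1.1/24 in ignoreip is accepted as the whole 192.168.1.0/24 network, so the LAN phone's five failures never count. Second, the filter only captures a bare address; later Asterisk releases append the source port to the address in the failed-registration message, and then <HOST> captures a value like 1.2.3.4:5060, which no longer compares against ignoreip and needs the filter adjusted. To exercise the real filter against your own log, Fail2Ban ships fail2ban-regex; run it as fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf and it reports how many lines each failregex matched.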

 

Asterisk logging

We must change how Asterisk formats the time stamp in its logs. The default format does not work with Fail2Ban because the date pattern Fail2Ban would use to match that format is anchored to the beginning of the line (^), while Asterisk puts its date/time inside []. The other formats Fail2Ban supports do not have this anchor and can be used with Asterisk.

To change this format, open /etc/asterisk/logger.conf

vi /etc/asterisk/logger.conf

Add the following line in the [general] section (you may have to create this section before the [logfiles] section). This causes the date and time to be formatted as Year-Month-Day Hour:Minute:Second, for example [2008-10-01 13:40:04].

[general]
dateformat=%F %T

Then reload the logger module for Asterisk. At the command line of your Asterisk server, run the following command as root:

asterisk -rx "logger reload"

 

 

Finalize your setup

If iptables is not running yet, start it (you need to be root).

/etc/init.d/iptables start

Then start Fail2Ban as follows (as root):

/etc/init.d/fail2ban start

 

 

Check your installation

If iptables and fail2ban started properly, execute the following command.

iptables -L -v

You should see something like the following for the INPUT chain (you will see more if you have other Fail2Ban filters enabled):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target             prot opt in     out     source               destination
2104K  414M fail2ban-ASTERISK  all  --  any    any     anywhere             anywhere

If you do not see something similar to that, then you have some troubleshooting to do; check out /var/log/fail2ban.log.



Last Updated on Friday, 07 January 2011 18:56
 

Comments 

 
#2 Nonoloop 2011-11-30 06:57
Hi, an excellent tutorial, very simple and straightforward.

Perhaps a last thing to add is these two instructions for having iptables and fail2ban started at reboot

Thanks
 
 
#1 Brian 2011-10-22 22:45
This instruction set was excellent - worked great and of course had to test it on another IP - many thanks.