Author Topic: Fail2ban - Really worth for stopping brute force attacks against asterisk.  (Read 6094 times)

pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - stopped attack.
« Reply #15 on: September 19, 2010, 09:00:29 pm »
Hia,
Well, fail2ban is really worth it. Stopped an attack. And my SIP configuration is only 2 days old  ;)
Log of my Asterisk messages:
[2010-09-19 15:33:32] WARNING[26690] chan_sip.c: Remote host can't match request NOTIFY to call '778e48ac49209fac609647d141de30aa@192.168.80.1'. Giving up.                                        
[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                              
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"liverpool"<sip:liverpool@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"nevermind"<sip:nevermind@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"getmein"<sip:getmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw325"<sip:bmw325@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw335"<sip:bmw335@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e4r5t6y"<sip:1q2w3e4r5t6y@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q1q2w2w"<sip:1q1q2w2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w1q2w"<sip:1q2w1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w"<sip:1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"11q22w"<sip:11q22w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2"<sip:q1w2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2e3"<sip:q1w2e3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"tvv03tvv03"<sip:tvv03tvv03@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                              
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd1"<sip:abcd1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                        
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd12"<sip:abcd12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd123"<sip:abcd123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"qq11ww22ee33rr44"<sip:qq11ww22ee33rr44@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12"<sip:sip12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                        
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip123"<sip:sip123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1234"<sip:sip1234@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12345"<sip:sip12345@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1111"<sip:sip1111@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip222"<sip:sip222@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1qa2ws3ed"<sip:1qa2ws3ed@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234asdf"<sip:1234asdf@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d"<sip:1a2s3d@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d4f"<sip:1a2s3d4f@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"asdzxc"<sip:asdzxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"123zxc"<sip:123zxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234zxcv"<sip:1234zxcv@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"aazzssxx"<sip:aazzssxx@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssword"<sip:p@ssword@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@ssw0rd@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                        
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"password3"<sip:password3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass12"<sip:pass12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account"<sip:account@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"passlogin"<sip:passlogin@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account5"<sip:account5@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account6"<sip:account6@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account123"<sip:account123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account12"<sip:account12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc2"<sip:acc2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc12"<sip:acc12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
Log of my fail2ban:
2010-09-19 11:12:56,130 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' uses poller
2010-09-19 11:12:56,131 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2010-09-19 11:12:56,131 fail2ban.filter : INFO   Set maxRetry = 6
2010-09-19 11:12:56,133 fail2ban.filter : INFO   Set findtime = 600
2010-09-19 11:12:56,133 fail2ban.actions: INFO   Set banTime = 600
2010-09-19 11:12:56,138 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2010-09-19 11:12:56,139 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2010-09-19 11:12:56,141 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
2010-09-19 15:33:50,392 fail2ban.actions: WARNING [asterisk-iptables] Ban 173.193.194.106
2010-09-19 15:34:50,982 fail2ban.actions: WARNING [asterisk-iptables] 173.193.194.106 already banned
It's working.....  ;D
« Last Edit: September 19, 2010, 09:04:15 pm by pw44 »

pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #16 on: September 20, 2010, 02:38:28 am »
Fail2ban wiki created.

phenigma

  • NEEDS to work for LinuxMCE
  • ***
  • Posts: 1005
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #17 on: September 20, 2010, 04:02:21 am »
Great work guys!  Any chance you guys would help to implement this into LMCE?

J.

pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #18 on: September 20, 2010, 08:08:33 am »
How? In webadmin?

bundie

  • Veteran
  • ***
  • Posts: 55
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #19 on: September 20, 2010, 09:20:44 am »
Hi Paulo,

Nice work on the Wiki page!

Cheers,
Reint.

cfernandes

  • Guru
  • ****
  • Posts: 290
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #20 on: September 20, 2010, 05:17:09 pm »
Only one comment: reduce maxretry to 2.

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 2
bantime = 259200
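As an added illustration (not code from this thread, from LinuxMCE, or from fail2ban itself) of what the ban threshold in the Reply #15 logs and the maxretry = 2 suggestion above actually change: a small Python replay of a fail2ban-style failregex plus findtime sliding window over constructed Asterisk chan_sip lines. The regex is modelled on the message shape in the posted log; hosts, usernames and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip NOTICE shape seen in the posted log (constructed regex,
# not fail2ban's shipped asterisk filter); 'host' is the address that gets banned.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<peer>[^']*)' failed for '(?P<host>[^']+)' - "
    r"(?P<reason>No matching peer found|Wrong password|Username/auth name mismatch)$"
)

def simulate(lines, maxretry, findtime=600):
    """Replay log lines through a fail2ban-style sliding window.

    Returns (bans, attempts): bans maps host -> time of the ban, attempts maps
    host -> how many failures reached Asterisk before that host was banned.
    """
    recent = defaultdict(deque)   # host -> timestamps of failures inside findtime
    bans, attempts = {}, defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # unmatched lines are ignored, like a non-matching failregex
        host = m.group("host")
        if host in bans:
            continue              # banned hosts are dropped by iptables; nothing is logged
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        attempts[host] += 1
        q = recent[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            bans[host] = ts
    return bans, dict(attempts)

# Constructed sample modelled on the thread's log, using documentation addresses:
# one scanner (203.0.113.7) guessing eight usernames in one second, one real phone
# (198.51.100.20) that mistyped its password once, plus an unrelated WARNING line.
_SCAN = ("thomas", "letmein", "sip1", "sip2", "sip123", "pass1", "account", "acc12")
SAMPLE = ["[2010-09-19 15:33:32] WARNING[26690] chan_sip.c: Remote host can't match request NOTIFY to call 'abc@192.168.80.1'. Giving up."]
SAMPLE += [f"[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '\"{u}\"<sip:{u}@192.0.2.10>' failed for '203.0.113.7' - No matching peer found" for u in _SCAN]
SAMPLE.append("[2010-09-19 15:40:01] NOTICE[26690] chan_sip.c: Registration from '\"200\"<sip:200@192.0.2.10>' failed for '198.51.100.20' - Wrong password")

if __name__ == "__main__":
    for maxretry in (6, 2):       # the value in the Reply #15 log vs. cfernandes' suggestion
        bans, attempts = simulate(SAMPLE, maxretry)
        print(f"maxretry={maxretry}: banned={sorted(bans)} attempts={attempts}")
```

With maxretry = 6 the scanner gets six guesses through before the ban; with maxretry = 2 it gets two, while the phone with a single typo is not banned in either case.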

pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #21 on: September 20, 2010, 06:23:01 pm »
Done ;)

davegravy

  • Addicted
  • *
  • Posts: 525
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #22 on: September 20, 2010, 09:56:33 pm »
Is this normal/bad?

(from /var/log/fail2ban.log)

2010-09-19 20:56:36,238 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] ASTERISK: started
From: Fail2Ban <fail2ban@example.org>
To: root\n
Hi,\n
The jail ASTERISK has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban@example.org root returned 7f00

pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #23 on: September 20, 2010, 10:08:04 pm »
Do you have sendmail installed?

davegravy

  • Addicted
  • *
  • Posts: 525
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #24 on: September 23, 2010, 07:50:24 pm »
I did not have it installed - problem solved.

New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they're being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?

I also have ipblock installed, which could be conflicting.
« Last Edit: September 23, 2010, 07:55:48 pm by davegravy »

tschak909

  • LinuxMCE God
  • ****
  • Posts: 5501
  • DOES work for LinuxMCE.
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #25 on: September 23, 2010, 09:04:30 pm »
Guys, this has to be properly integrated into LinuxMCE, the firewall rules output need to go into the database!

-Thom

pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #26 on: September 23, 2010, 09:48:36 pm »
Or adding the fail2ban start script at the end of /usr/pluto/bin/Network_Firewall.sh. Not ideal, but it will work until it's integrated....

pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #27 on: September 29, 2010, 12:46:43 am »
Thom and J. (phenigma),
I was looking at the code of /usr/pluto/bin/Network_Firewall.sh, and I think that, as fail2ban is dynamic, reading the log files to take the countermeasures (blocking and releasing IPs), the best way to have it integrated would be having its start, stop and restart called from the Network_Firewall.sh script.
What do you guys think about it?
Paulo
« Last Edit: October 11, 2010, 02:52:13 pm by pw44 »


pw44

  • Addicted
  • *
  • Posts: 653
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #29 on: October 11, 2010, 02:59:49 am »
There is also a parameter that should be included in the /etc/asterisk/sip.conf file:
alwaysauthreject=yes
It's well explained in http://sysadminman.net/blog/2009/hacking-and-securing-your-asterisk-server-592 why.

Another measure is to enforce security with iptables, as described in: http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082

After I installed fail2ban, I had attacks which were blocked by fail2ban (after 100, 200, 300 tries, because the scanner is very fast). With alwaysauthreject=yes, the attacker gets confused by the response, so I get attacks with 2, 10 tries, and fail2ban blocks the attacker's IP address.