LinuxMCE Forums

General => Users => Topic started by: pw44 on September 17, 2010, 02:27:11 pm

Title: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on September 17, 2010, 02:27:11 pm
Hia,
is there someone using fail2ban on LinuxMCE 8.10?
TIA.
Paulo
Title: Re: Fail2ban - using?
Post by: cfernandes on September 17, 2010, 04:31:07 pm
yeah, i use it at home.

Title: Re: Fail2ban - using?
Post by: pw44 on September 17, 2010, 07:01:37 pm
Hi CFernandes,
Regarding iptables, are they being started by /etc/init.d/iptables or by LinuxMCE?
Could you send me the configuration files you are using, so i can compare with mine?
TIA,
Paulo

Title: Re: Fail2ban - using?
Post by: Kooma on September 17, 2010, 07:59:33 pm
Didn't know about fail2ban before reading your posts.

Although duct tape is strictly forbidden, could you write a short wiki for installing fail2ban? Sounds like a must-have.
Title: Re: Fail2ban - using?
Post by: pw44 on September 17, 2010, 08:05:36 pm
Kooma,
after i finish the installation and tests, i will write a wiki for it.
Fail2ban seems to be the almost perfect tool against brute force attack - which is specially indicated for asterisk users.
Regards,
Paulo
Title: Re: Fail2ban - using?
Post by: wierdbeard65 on September 17, 2010, 10:44:33 pm
Although duct tape is strictly forbidden
It doesn't have to be duct tape. Can this not be integrated properly? (I lack the skills to achieve this!!!)
Title: Re: Fail2ban - using?
Post by: cfernandes on September 18, 2010, 03:38:49 pm
this is my fail2ban configuration

apt-get install fail2ban
touch /etc/fail2ban/filter.d/asterisk.conf
content of asterisk.conf

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =


on file /etc/fail2ban/jail.conf
i add

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime = 259200

Title: Re: Fail2ban - using?
Post by: pw44 on September 19, 2010, 02:32:27 am
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
Title: Re: Fail2ban - using?
Post by: Kooma on September 19, 2010, 01:54:22 pm
Checked the fail2ban web pages, they seem to have quite ok info for newbies also. I hope to use this for more than asterisk, I think that is just one thing amongst others.

If I remember right, one of the core devs, if not The Dev, had a problem with a break-in to his system. Would fail2ban have helped to avoid this?

Considering that LMCE will control (at least in my dreams) almost every aspect of the house, this kind of safety tool would be nice to have included in the system.
Title: Re: Fail2ban - using?
Post by: cfernandes on September 19, 2010, 03:50:24 pm
Paulo,

is your fail2ban working, or do you have some issue?

i have the same configuration that you posted.

and this configuration is working on my linuxmce and on an asterisk server at my work.

Carlos
Title: Re: Fail2ban - using?
Post by: pw44 on September 19, 2010, 04:08:43 pm
Carlos,
it was only for checking, because when i type iptables -L -v, i do not see the fail2ban rule, as stated in the post we both used as a basis for configuration. So i thought i was doing something wrong.
Thx for the help.
Paulo
Title: Re: Fail2ban - using?
Post by: bundie on September 19, 2010, 07:29:45 pm
Hi Paulo,

Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules to the jail.conf file but to jail.local instead.

So in /etc/fail2ban/jail.local you put:

Code:
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime = 259200

Do a reload of fail2ban:

Code:
# sudo /etc/init.d/fail2ban restart
And now with:

Code:
# iptables -v -L
you should see that the asterisk rule is loaded.

Hope this helps,
Greets,
Reint.
Title: Re: Fail2ban - using?
Post by: pw44 on September 19, 2010, 07:58:22 pm
Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules to the jail.conf file but to jail.local instead.
Sorry, i did not find any reference to jail.local in the howto. Where did you find it?
BR,
Paulo
Title: Re: Fail2ban - using?
Post by: bundie on September 19, 2010, 08:33:05 pm
Hi Paulo,

So sorry, I got confused  :-[

It's in the comment at the top of the jail.conf file itself. My fail2ban asterisk rule didn't show when I put it in jail.conf. After I changed it to jail.local everything worked like a charm. It's already blocking some asterisk intruders for me!

Sorry for the mix-up!
Reint.
Title: Re: Fail2ban - using?
Post by: cfernandes on September 19, 2010, 08:51:30 pm
Paulo ,

on my installation i do not need to add anything to jail.local, all configuration is made in jail.conf


Carlos
Title: Re: Fail2ban - stopped attack.
Post by: pw44 on September 19, 2010, 09:00:29 pm
Hia,
Well, fail2ban is really worth it. Stopped an attack. And my sip configuration is only 2 days old  ;)
Log of my asterisk messages:
Code:
[2010-09-19 15:33:32] WARNING[26690] chan_sip.c: Remote host can't match request NOTIFY to call '778e48ac49209fac609647d141de30aa@192.168.80.1'. Giving up.                                        
[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                              
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"liverpool"<sip:liverpool@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"nevermind"<sip:nevermind@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"getmein"<sip:getmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw325"<sip:bmw325@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw335"<sip:bmw335@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e4r5t6y"<sip:1q2w3e4r5t6y@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q1q2w2w"<sip:1q1q2w2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w1q2w"<sip:1q2w1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w"<sip:1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"11q22w"<sip:11q22w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2"<sip:q1w2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2e3"<sip:q1w2e3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"tvv03tvv03"<sip:tvv03tvv03@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                              
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd1"<sip:abcd1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                        
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd12"<sip:abcd12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd123"<sip:abcd123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"qq11ww22ee33rr44"<sip:qq11ww22ee33rr44@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                          
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12"<sip:sip12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                        
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip123"<sip:sip123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1234"<sip:sip1234@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12345"<sip:sip12345@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1111"<sip:sip1111@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip222"<sip:sip222@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1qa2ws3ed"<sip:1qa2ws3ed@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234asdf"<sip:1234asdf@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d"<sip:1a2s3d@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d4f"<sip:1a2s3d4f@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"asdzxc"<sip:asdzxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"123zxc"<sip:123zxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234zxcv"<sip:1234zxcv@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"aazzssxx"<sip:aazzssxx@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssword"<sip:p@ssword@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@ssw0rd@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                  
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                        
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"password3"<sip:password3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass12"<sip:pass12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                      
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account"<sip:account@201.29.213.245>' failed for '173.193.194.106' - No matching peer found                                    
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"passlogin"<sip:passlogin@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account5"<sip:account5@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account6"<sip:account6@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account123"<sip:account123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account12"<sip:account12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc2"<sip:acc2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc12"<sip:acc12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
Log of my fail2ban:
Code:
2010-09-19 11:12:56,130 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' uses poller
2010-09-19 11:12:56,131 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2010-09-19 11:12:56,131 fail2ban.filter : INFO   Set maxRetry = 6
2010-09-19 11:12:56,133 fail2ban.filter : INFO   Set findtime = 600
2010-09-19 11:12:56,133 fail2ban.actions: INFO   Set banTime = 600
2010-09-19 11:12:56,138 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2010-09-19 11:12:56,139 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2010-09-19 11:12:56,141 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
2010-09-19 15:33:50,392 fail2ban.actions: WARNING [asterisk-iptables] Ban 173.193.194.106
2010-09-19 15:34:50,982 fail2ban.actions: WARNING [asterisk-iptables] 173.193.194.106 already banned
It's working.....  ;D
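The filter and jail posted earlier in this thread can be exercised offline before they are trusted on a live box. The Python below is an added example written for this thread; it is not fail2ban's own code and not any poster's configuration. It compiles the thread's failregex list the way fail2ban does (replacing <HOST> with the named group quoted in the filter's header comment, with the stray double quote in the "Peer is not supposed to register" pattern corrected to a single quote and the parentheses in the MD5 pattern escaped), replays constructed log lines in the same chan_sip format as the messages log above (documentation IP ranges, not real hosts), and applies the maxretry/findtime rule to decide which sources the asterisk-iptables jail would ban. It also shows that the uncorrected "not supposed to register" pattern never matches its own message type. The function names, the sample lines and the findtime default are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex lines as posted in the asterisk.conf filter in this thread, with two
# corrections: the "Peer is not supposed to register" line had '.*" where it
# needs '.*', and the MD5 line's parentheses are escaped so they match literal
# parentheses instead of forming a regex group.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
# The uncorrected pattern as it was posted, kept only to show why it never fires.
BROKEN_PATTERN = r'''NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register'''

# fail2ban expands <HOST> to this named group (quoted from the filter's header comment).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def compile_pattern(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


COMPILED = [compile_pattern(p) for p in FAILREGEX]


def pattern_matches(pattern, line):
    """True if one (unexpanded) failregex matches a log line."""
    return compile_pattern(pattern).search(line) is not None


def match_failure(line):
    """Return (timestamp, host) for a line matching any failregex, else None."""
    ts = TIMESTAMP.match(line)
    if not ts:
        return None
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None


def simulate_jail(lines, maxretry=3, findtime=600, ignoreip=("127.0.0.1",)):
    """Replay log lines through the jail rule: a host is banned once it has
    maxretry matching failures inside a findtime-second window. Returns the
    banned hosts in ban order."""
    recent = defaultdict(deque)  # host -> timestamps of failures still inside findtime
    banned = []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        when, host = hit
        if host in ignoreip or host in banned:
            continue
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample in the format of the chan_sip messages shown in this thread.
# 203.0.113.5 is a scanner cycling usernames; 192.0.2.10 is a local phone with one
# mistyped secret; 198.51.100.77 fails a digest once; 203.0.113.9 triggers the
# "not supposed to register" message. All addresses are documentation ranges.
SAMPLE_LOG = """\
[2010-09-19 15:33:32] WARNING[26690] chan_sip.c: Remote host can't match request NOTIFY to call 'abc@192.0.2.1'. Giving up.
[2010-09-19 15:33:40] NOTICE[26690] chan_sip.c: Registration from '"200"<sip:200@192.0.2.1>' failed for '192.0.2.10' - Wrong password
[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@192.0.2.1>' failed for '203.0.113.5' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@192.0.2.1>' failed for '203.0.113.5' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@192.0.2.1>' failed for '203.0.113.5' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@192.0.2.1>' failed for '203.0.113.5' - No matching peer found
[2010-09-19 15:45:00] NOTICE[26690] chan_sip.c: Host 198.51.100.77 failed MD5 authentication for '101' (deadbeef != cafebabe)
[2010-09-19 15:50:00] NOTICE[26690] chan_sip.c: Registration from '"101"<sip:101@192.0.2.1>' failed for '203.0.113.9' - Peer is not supposed to register
"""
NOT_SUPPOSED_LINE = SAMPLE_LOG.splitlines()[-1]

if __name__ == "__main__":
    print("maxretry=3 bans:", simulate_jail(SAMPLE_LOG.splitlines()))
    print("maxretry=1 bans:", simulate_jail(SAMPLE_LOG.splitlines(), maxretry=1))
    print("broken pattern matches:", pattern_matches(BROKEN_PATTERN, NOT_SUPPOSED_LINE))
```

With maxretry=3 only the scanner is banned; the local phone's single wrong secret and the lone digest failure stay below the threshold, which is the trade-off behind the later suggestion in this thread to lower maxretry to 2. Swapping constructed lines for a copy of /var/log/asterisk/full turns this into a dry run of the jail against real traffic.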
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on September 20, 2010, 02:38:28 am
Fail2ban wiki created.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: phenigma on September 20, 2010, 04:02:21 am
Great work guys!  Any chance you guys would help to implement this into LMCE?

J.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on September 20, 2010, 08:08:33 am
How? In webadmin?
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: bundie on September 20, 2010, 09:20:44 am
Hi Paulo,

Nice work on the Wiki page!

Cheers,
Reint.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: cfernandes on September 20, 2010, 05:17:09 pm
only one comment is to reduce maxretry to 2

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 2
bantime = 259200
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on September 20, 2010, 06:23:01 pm
Done ;)
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: davegravy on September 20, 2010, 09:56:33 pm
Is this normal/bad?

(from /var/log/fail2ban.log)

Code:
2010-09-19 20:56:36,238 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] ASTERISK: started
From: Fail2Ban <fail2ban@example.org>
To: root\n
Hi,\n
The jail ASTERISK has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban@example.org root returned 7f00
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on September 20, 2010, 10:08:04 pm
Do you have sendmail installed?
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: davegravy on September 23, 2010, 07:50:24 pm
I did not have it installed - problem solved.

New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they are being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?

I also have ipblock installed, which could be conflicting.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: tschak909 on September 23, 2010, 09:04:30 pm
Guys, this has to be properly integrated into LinuxMCE, the firewall rules output need to go into the database!

-Thom
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on September 23, 2010, 09:48:36 pm
Or adding the fail2ban start script at the end of /usr/pluto/bin/Network_Firewall.sh. Not ideal, but will work until it's integrated....
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on September 29, 2010, 12:46:43 am
Thom and J. (phenigma),
i was looking at the code of /usr/pluto/bin/Network_Firewall.sh, and i think that, as fail2ban is dynamic (it reads the log files and takes the counter measures, blocking and releasing ips), the best way to have it integrated would be having its start, stop and restart called from the Network_Firewall.sh script.
What do you guys think about it?
Paulo
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: davegravy on October 11, 2010, 02:28:34 am
http://it.slashdot.org/story/10/10/10/2313255/In-Australia-Rising-VoIP-Attacks-Mean-Huge-Bills-For-Victims
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on October 11, 2010, 02:59:49 am
There is also a parameter that should be included in the /etc/asterisk/sip.conf file:
alwaysauthreject=yes
It's well explained in http://sysadminman.net/blog/2009/hacking-and-securing-your-asterisk-server-592 why.

Another measure is to enforce security with iptables, as described in: http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082

After i installed fail2ban, i had attacks, which were blocked by fail2ban (after 100, 200, 300 tries, because the scanner is very fast). With alwaysauthreject=yes, the attacker gets confused by the response, so i get attacks with 2 or 10 tries, and fail2ban blocks the attacker's ip address.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on October 11, 2010, 02:54:36 pm
New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they are being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?

At the end of /usr/pluto/bin/Network_Firewall.sh add the following line: /etc/init.d/fail2ban restart

This will solve it.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: Marie.O on October 11, 2010, 03:31:12 pm
a cleaner approach might be to change the start order, and start fail2ban after linuxmce
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on October 11, 2010, 03:39:07 pm
Sure, but every time /usr/pluto/bin/Network_Firewall.sh runs (i.e. on linuxmce firewall rule changes) the fail2ban rules are lost; that's why i made the option to start it at the end of this script. May not be the cleanest approach, but i've found it to be the surest.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: coley on October 15, 2010, 06:22:45 pm
thx for the wiki page!
applied this morning, after my asterisk had been brute forced and an extension found with no secret.
Must have been prior to the sip secrets patch, as the phones page on webadmin didn't list the extension in question. Yet freepbx listed the extension.
Maybe recreation of an orbiter or MD left me with orphan SIP extensions.

-Coley.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on October 16, 2010, 04:08:29 pm
Thx! Good to know that it is being useful.
Don't forget the alwaysauthreject=yes in sip.conf. It proved to me to make a difference, confusing the scanner....
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: davegravy on November 01, 2010, 09:54:32 pm
Does alwaysauthreject=yes work for IAX.conf as well? Google hasn't helped me answer this.
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: davegravy on November 02, 2010, 03:03:47 pm
Checked my log today and noticed that it looks like a botnet of some sort is being used to launch brute force attacks: Each login attempt appears to come from a different IP, and so fail2ban isn't doing its job.

I've changed the threshold to 1 invalid login attempt = ban, and hopefully the botnet will run out of bot IPs before it guesses my login/passwords. If I happen to ban myself by accident I'll just have to manually unban myself.

Anyone know if there's a big performance hit from having a huge number of entries in IPTables?
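The observation above, that attempts spread over many source addresses never reach maxretry on any one of them, is a limit of per-IP banning rather than of the filter. The Python below is an added example for this thread, not fail2ban code and not from any poster: it parses constructed REGISTER failure lines in the chan_sip format shown earlier in the thread, confirms that no single source would cross a per-IP threshold, and instead flags a time window in which the total failure count and the number of distinct sources both pass a threshold, which is the campaign-level signal worth alerting on. The window size, the thresholds, the function names and the sample addresses (documentation ranges) are all assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the chan_sip REGISTER failure line shown earlier in this thread and
# captures the username tried and the source address.
REGISTER_FAIL = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<user>[^\"]*)\"<[^>]*>' failed for '(?P<host>[^']+)'"
)


def parse_failures(lines):
    """Yield (timestamp, user, host) for each REGISTER failure line."""
    for line in lines:
        m = REGISTER_FAIL.match(line)
        if m:
            yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                   m.group("user"), m.group("host"))


def per_ip_counts(lines):
    """Failures per source address: the number a per-IP jail compares to maxretry."""
    return Counter(host for _, _, host in parse_failures(lines))


def campaign_windows(lines, window=60, min_failures=5, min_sources=3):
    """Walk the failures in time order and report each stretch of `window`
    seconds in which the failure count and the number of distinct source
    addresses both reach their thresholds. Returns one tuple per campaign:
    (start, failures, distinct_sources, sorted usernames tried)."""
    events = sorted(parse_failures(lines))
    alerts = []
    i = 0
    while i < len(events):
        start = events[i][0]
        # events are sorted, so the in-window events form a prefix of events[i:]
        bucket = [e for e in events[i:] if (e[0] - start).total_seconds() <= window]
        sources = {host for _, _, host in bucket}
        if len(bucket) >= min_failures and len(sources) >= min_sources:
            alerts.append((start, len(bucket), len(sources), sorted({u for _, u, _ in bucket})))
            i += len(bucket)  # the whole campaign is reported once
        else:
            i += 1
    return alerts


# Constructed sample: one local phone typo in the morning, then six failures in
# forty seconds, each from a different address in 203.0.113.0/24, so no single
# source ever reaches a per-IP maxretry.
SAMPLE_LOG = """\
[2010-11-02 08:12:03] NOTICE[26690] chan_sip.c: Registration from '"200"<sip:200@192.0.2.1>' failed for '192.0.2.10' - Wrong password
[2010-11-02 09:40:01] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@192.0.2.1>' failed for '203.0.113.11' - No matching peer found
[2010-11-02 09:40:09] NOTICE[26690] chan_sip.c: Registration from '"account2"<sip:account2@192.0.2.1>' failed for '203.0.113.12' - No matching peer found
[2010-11-02 09:40:17] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@192.0.2.1>' failed for '203.0.113.13' - No matching peer found
[2010-11-02 09:40:25] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@192.0.2.1>' failed for '203.0.113.14' - No matching peer found
[2010-11-02 09:40:33] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@192.0.2.1>' failed for '203.0.113.15' - No matching peer found
[2010-11-02 09:40:41] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@192.0.2.1>' failed for '203.0.113.16' - No matching peer found
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("busiest single source:", per_ip_counts(lines).most_common(1))
    for start, failures, sources, users in campaign_windows(lines):
        print(f"{start}: {failures} failures from {sources} sources, users tried: {users}")
```

A window that trips this check is something to alert on and look at by hand; the per-address ban the jail issues is the wrong tool for it, and reacting with a lower maxretry only raises the chance of banning a legitimate phone, as the post above already notes.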
Title: Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
Post by: pw44 on November 02, 2010, 05:24:46 pm
Well, maybe this article can help.
http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082
If you configure fail2ban correctly, you will not ban yourself.
I do not have experience with iax, but i've found some links that may be helpful:
http://www.voip-info.org/wiki/view/Asterisk+config+iax.conf
http://www.freepbx.org/forum/freepbx/installation/iax2-channel-rejected-connect-attempt-from-no-iax-provisioning-configurat