Author Topic: Fail2ban - Really worth for stopping brute force attacks against asterisk.  (Read 5584 times)

pw44

  • Addicted
  • *
  • Posts: 653
    • View Profile
Hia,
is there someone using fail2ban on LinuxMCE 8.10?
TIA.
Paulo
« Last Edit: September 19, 2010, 09:01:23 pm by pw44 »

cfernandes

  • Guru
  • ****
  • Posts: 286
    • View Profile
    • my company web site
Re: Fail2ban - using?
« Reply #1 on: September 17, 2010, 04:31:07 pm »
yeah ,  i use on my home .


pw44

  • Addicted
  • *
  • Posts: 653
    • View Profile
Re: Fail2ban - using?
« Reply #2 on: September 17, 2010, 07:01:37 pm »
Hi CFernandes,
Regarding iptables, are they being starded by /etc/init.d/iptables or by LinuxMCE?
Could you send me the configuration files you are using, so i can compare with mines?
TIA,
Paulo

« Last Edit: September 17, 2010, 08:03:09 pm by pw44 »

Kooma

  • Veteran
  • ***
  • Posts: 102
    • View Profile
Re: Fail2ban - using?
« Reply #3 on: September 17, 2010, 07:59:33 pm »
Didn't know about fail2ban before reading your posts.

Although duct tape is strictly forbidden, could you write a short wiki for installing fail2ban? Sound like a must to have.

pw44

  • Addicted
  • *
  • Posts: 653
    • View Profile
Re: Fail2ban - using?
« Reply #4 on: September 17, 2010, 08:05:36 pm »
Kooma,
after i finish the installation and tests, i will write a wiki for it.
Fail2ban seems to be the almost perfect tool against brute force attack - which is specially indicated for asterisk users.
Regards,
Paulo

wierdbeard65

  • Guru
  • ****
  • Posts: 449
    • View Profile
    • My Quest
Re: Fail2ban - using?
« Reply #5 on: September 17, 2010, 10:44:33 pm »
Although duct tape is strictly forbidden
It deson't have to be duct-tape. Can this not be integrated properly? (I lack the skills to achieve this!!!)
Paul
If you have the time to help, please see where I have got to at: http://wiki.linuxmce.org/index.php/User:Wierdbeard65

cfernandes

  • Guru
  • ****
  • Posts: 286
    • View Profile
    • my company web site
Re: Fail2ban - using?
« Reply #6 on: September 18, 2010, 03:38:49 pm »
this is my fail2ban configuration

apt-get install fail2ban
touch /etc/fail2ban/filter.d/asterisk.conf
content off asterisk.conf

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =


on file /etc/fail2ban/jail.conf
i add

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime = 259200


pw44

  • Addicted
  • *
  • Posts: 653
    • View Profile

Kooma

  • Veteran
  • ***
  • Posts: 102
    • View Profile
Re: Fail2ban - using?
« Reply #8 on: September 19, 2010, 01:54:22 pm »
Checked the fail2ban web pages, they seem to have quite ok info for newbies also. I hope to use this for more than asterisk, I think that is just one thing amongst others.

If remember right, one of the core devs if not The Dev had a problem with break-in to his system. Would fail2ban have helped to avoid this..

Considering the the LMCE will control (at least in my dreams) almost every aspect in the house, this kind of safety tool would be nice to be included in the system.

cfernandes

  • Guru
  • ****
  • Posts: 286
    • View Profile
    • my company web site
Re: Fail2ban - using?
« Reply #9 on: September 19, 2010, 03:50:24 pm »
Paulo,

your fail2ban is working or you have some issue  ?

i have the same configuration that you post .

and this configuration is working  on my linuxmce  and on  a asterisk server in my work.

Carlos

pw44

  • Addicted
  • *
  • Posts: 653
    • View Profile
Re: Fail2ban - using?
« Reply #10 on: September 19, 2010, 04:08:43 pm »
Carlos,
it was only for checking, because when i type iptables -L -v, i do not see the fail2ban rule, as stated in the post we both used as basis for configuration. So i thought  i was doing something wrong.
Thx for the help.
Paulo

bundie

  • Veteran
  • ***
  • Posts: 55
    • View Profile
Re: Fail2ban - using?
« Reply #11 on: September 19, 2010, 07:29:45 pm »
Hi Paulo,

Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules the jail.conf file but jail.local instead.

So in /etc/fail2ban/jail.local you put:

Code: [Select]
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime = 259200

Do a reload of fail2ban:

Code: [Select]
# sudo /etc/init.d/fail2ban restart
And now with:

Code: [Select]
# iptables -v -L
you should see that the asterisk rule is loaded.

Hope this helps,
Greets,
Reint.

pw44

  • Addicted
  • *
  • Posts: 653
    • View Profile
Re: Fail2ban - using?
« Reply #12 on: September 19, 2010, 07:58:22 pm »
Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules the jail.conf file but jail.local instead.
Sorry, i did not find any reference to jail.local in the howto. Where did you find it?
BR,
Paulo

bundie

  • Veteran
  • ***
  • Posts: 55
    • View Profile
Re: Fail2ban - using?
« Reply #13 on: September 19, 2010, 08:33:05 pm »
Hi Paulo,

So sorry, I got confused  :-[

It's in the comment at the top of the jail.conf file itself. My fail2ban asterisk rule didn't show when I put it in jail.conf. After I changed it to jail.local everything worked like a charm. Its already blocking some asterisk intruders for me!

Sorry for the mix-up!
Reint.

cfernandes

  • Guru
  • ****
  • Posts: 286
    • View Profile
    • my company web site
Re: Fail2ban - using?
« Reply #14 on: September 19, 2010, 08:51:30 pm »
Paulo ,

on my installation i not need to add on jail.local , all  configurations is made on jail.conf


Carlos