pw44
Addicted

Posts: 651
« on: September 17, 2010, 01:27:11 pm »
Hia, is there someone using fail2ban on LinuxMCE 8.10? TIA. Paulo
« Last Edit: September 19, 2010, 08:01:23 pm by pw44 »
cfernandes
« Reply #1 on: September 17, 2010, 03:31:07 pm »
Yeah, I use it at my home.
pw44
« Reply #2 on: September 17, 2010, 06:01:37 pm »
Hi CFernandes, Regarding iptables, are they being started by /etc/init.d/iptables or by LinuxMCE? Could you send me the configuration files you are using, so I can compare with mine? TIA, Paulo
« Last Edit: September 17, 2010, 07:03:09 pm by pw44 »
Kooma
« Reply #3 on: September 17, 2010, 06:59:33 pm »
Didn't know about fail2ban before reading your posts.
Although duct tape is strictly forbidden, could you write a short wiki for installing fail2ban? Sounds like a must-have.
pw44
« Reply #4 on: September 17, 2010, 07:05:36 pm »
Kooma, after I finish the installation and tests, I will write a wiki for it. Fail2ban seems to be the almost perfect tool against brute force attacks - which is especially indicated for Asterisk users. Regards, Paulo
wierdbeard65
« Reply #5 on: September 17, 2010, 09:44:33 pm »
Quote from Kooma:
"Although duct tape is strictly forbidden"

It doesn't have to be duct-tape. Can this not be integrated properly? (I lack the skills to achieve this!!!)
cfernandes
« Reply #6 on: September 18, 2010, 02:38:49 pm »
This is my fail2ban configuration:

apt-get install fail2ban
touch /etc/fail2ban/filter.d/asterisk.conf

Content of asterisk.conf:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

ignoreregex =

In the file /etc/fail2ban/jail.conf I add:

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 3
bantime = 259200
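An added example, not part of the post above or of the howto it follows: a Python check that runs the posted failregex lines over constructed log lines, expanding `<HOST>` with the alias quoted in the filter's own comment, and lists hosts reaching the jail's maxretry of 3. It also shows that the "Peer is not supposed to register" pattern, as posted with `'.*" .*`, only matches when the logged header value contains a quoted display name. The sample lines, addresses and helper names are assumptions; fail2ban itself also strips the timestamp and applies findtime, which this sketch ignores.

```python
import re
from collections import Counter

# <HOST> alias exactly as quoted in the filter's comment block.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
REG = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - "
# failregex lines as posted in asterisk.conf (shared prefix factored out).
FAILREGEX = [
    REG + "Wrong password",
    REG + "No matching peer found",
    REG + "Username/auth name mismatch",
    REG + "Device does not match ACL",
    # Posted with '.*" .* instead of '.*' : needs a quoted display name.
    r"""NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register""",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
MAXRETRY = 3  # maxretry from the [asterisk-iptables] jail

def failed_host(line):
    """Return the host captured by the first matching failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts with at least maxretry matching lines (findtime is ignored here)."""
    hits = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample lines in the style of /var/log/asterisk/full.
P = "[Sep 18 14:02:11] NOTICE[2871] "
SAMPLE_LOG = [
    P + "chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password",
    P + "chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found",
    P + "chan_sip.c: No registration for peer '100' (from 203.0.113.7)",
    P + "chan_iax2.c: Host 198.51.100.23 failed MD5 authentication for 'guest' (constructed)",
    P + "chan_sip.c: Registration from '<sip:102@192.0.2.10>' failed for '198.51.100.99' - Peer is not supposed to register",
    P + "chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]

if __name__ == "__main__":
    print([failed_host(l) for l in SAMPLE_LOG], hosts_to_ban(SAMPLE_LOG))
```

For checking a filter against the real log, fail2ban ships the fail2ban-regex tool, which takes the log file and the filter file as arguments.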
pw44
« Reply #7 on: September 19, 2010, 01:32:27 am »

Kooma
« Reply #8 on: September 19, 2010, 12:54:22 pm »
Checked the fail2ban web pages, they seem to have quite ok info for newbies also. I hope to use this for more than asterisk, I think that is just one thing amongst others.
If I remember right, one of the core devs, if not The Dev, had a problem with a break-in to his system. Would fail2ban have helped to avoid this?
Considering the LMCE will control (at least in my dreams) almost every aspect in the house, this kind of safety tool would be nice to be included in the system.
cfernandes
« Reply #9 on: September 19, 2010, 02:50:24 pm »
Paulo,
Is your fail2ban working, or do you have some issue?
I have the same configuration that you posted.
And this configuration is working on my LinuxMCE and on an Asterisk server at my work.
Carlos
pw44
« Reply #10 on: September 19, 2010, 03:08:43 pm »
Carlos, it was only for checking, because when I type iptables -L -v, I do not see the fail2ban rule, as stated in the post we both used as basis for configuration. So I thought I was doing something wrong. Thx for the help. Paulo
bundie
« Reply #11 on: September 19, 2010, 06:29:45 pm »
Hi Paulo,

Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules to the jail.conf file but jail.local instead. So in /etc/fail2ban/jail.local you put:

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 3
bantime = 259200

Do a reload of fail2ban:

# sudo /etc/init.d/fail2ban restart

And now with:

# iptables -v -L

you should see that the asterisk rule is loaded.

Hope this helps,
Greets, Reint.
pw44
« Reply #12 on: September 19, 2010, 06:58:22 pm »
Quote from bundie:
"Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules to the jail.conf file but jail.local instead."

Sorry, I did not find any reference to jail.local in the howto. Where did you find it? BR, Paulo
bundie
« Reply #13 on: September 19, 2010, 07:33:05 pm »
Hi Paulo, So sorry, I got confused. It's in the comment at the top of the jail.conf file itself. My fail2ban asterisk rule didn't show when I put it in jail.conf. After I changed it to jail.local everything worked like a charm. It's already blocking some asterisk intruders for me! Sorry for the mix-up! Reint.
cfernandes
« Reply #14 on: September 19, 2010, 07:51:30 pm »
Paulo,
On my installation I do not need to add to jail.local; all configuration is made in jail.conf.
Carlos