pw44
« Reply #15 on: September 19, 2010, 08:00:29 pm »
Hi, well, fail2ban is really worth it. It stopped an attack, and my SIP configuration is only 2 days old.

Log of my asterisk messages:

[2010-09-19 15:33:32] WARNING[26690] chan_sip.c: Remote host can't match request NOTIFY to call '778e48ac49209fac609647d141de30aa@192.168.80.1'. Giving up.
[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"letmein"<sip:letmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"liverpool"<sip:liverpool@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"nevermind"<sip:nevermind@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"getmein"<sip:getmein@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"echo"<sip:echo@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw325"<sip:bmw325@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"bmw335"<sip:bmw335@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e"<sip:1q2w3e@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w3e4r5t6y"<sip:1q2w3e4r5t6y@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q1q2w2w"<sip:1q1q2w2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w1q2w"<sip:1q2w1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1q2w"<sip:1q2w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"11q22w"<sip:11q22w@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2"<sip:q1w2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"q1w2e3"<sip:q1w2e3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"tvv03tvv03"<sip:tvv03tvv03@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd1"<sip:abcd1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd12"<sip:abcd12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"abcd123"<sip:abcd123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"qq11ww22ee33rr44"<sip:qq11ww22ee33rr44@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1"<sip:sip1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip2"<sip:sip2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12"<sip:sip12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip123"<sip:sip123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1234"<sip:sip1234@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip12345"<sip:sip12345@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip1111"<sip:sip1111@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"sip222"<sip:sip222@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"1qa2ws3ed"<sip:1qa2ws3ed@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234asdf"<sip:1234asdf@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d"<sip:1a2s3d@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1a2s3d4f"<sip:1a2s3d4f@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"asdzxc"<sip:asdzxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"123zxc"<sip:123zxc@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"1234zxcv"<sip:1234zxcv@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"aazzssxx"<sip:aazzssxx@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssword"<sip:p@ssword@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"p@ssw0rd"<sip:p@ssw0rd@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass1"<sip:pass1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"password3"<sip:password3@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"pass12"<sip:pass12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account"<sip:account@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"passlogin"<sip:passlogin@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account1"<sip:account1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account5"<sip:account5@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account6"<sip:account6@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account123"<sip:account123@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"account12"<sip:account12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc1"<sip:acc1@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc2"<sip:acc2@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:50] NOTICE[26690] chan_sip.c: Registration from '"acc12"<sip:acc12@201.29.213.245>' failed for '173.193.194.106' - No matching peer found

Log of my fail2ban:

2010-09-19 11:12:56,130 fail2ban.jail : INFO Jail 'apache-tcpwrapper' uses poller
2010-09-19 11:12:56,131 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2010-09-19 11:12:56,131 fail2ban.filter : INFO Set maxRetry = 6
2010-09-19 11:12:56,133 fail2ban.filter : INFO Set findtime = 600
2010-09-19 11:12:56,133 fail2ban.actions: INFO Set banTime = 600
2010-09-19 11:12:56,138 fail2ban.jail : INFO Jail 'ssh-iptables' started
2010-09-19 11:12:56,139 fail2ban.jail : INFO Jail 'asterisk-iptables' started
2010-09-19 11:12:56,141 fail2ban.jail : INFO Jail 'apache-tcpwrapper' started
2010-09-19 15:33:50,392 fail2ban.actions: WARNING [asterisk-iptables] Ban 173.193.194.106
2010-09-19 15:34:50,982 fail2ban.actions: WARNING [asterisk-iptables] 173.193.194.106 already banned
It's working..... 
« Last Edit: September 19, 2010, 08:04:15 pm by pw44 »
pw44
« Reply #16 on: September 20, 2010, 01:38:28 am »
Fail2ban wiki created.
phenigma
« Reply #17 on: September 20, 2010, 03:02:21 am »
Great work guys! Any chance you guys would help to implement this into LMCE?
J.
pw44
« Reply #18 on: September 20, 2010, 07:08:33 am »
How? In webadmin?
bundie
« Reply #19 on: September 20, 2010, 08:20:44 am »
Hi Paulo,
Nice work on the Wiki page!
Cheers, Reint.
cfernandes
« Reply #20 on: September 20, 2010, 04:17:09 pm »
My only comment is to reduce maxretry to 2:

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 2
bantime  = 259200
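To see how the jail above turns the Asterisk log posted in Reply #15 into the ban recorded in the fail2ban log, here is an added example (not from the thread, and not fail2ban's own code) that replays fail2ban's maxretry/findtime counting in Python over a constructed slice of that log. The regex is my own approximation of an Asterisk failregex, not the filter that ships with fail2ban, and the second source host is invented to show a single failure that does not get banned.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex written for this example (an approximation, not fail2ban's filter.d/asterisk.conf):
# it matches the chan_sip "No matching peer found" NOTICE lines quoted in the thread and
# captures the timestamp and the source host named after "failed for".
FAILREGEX = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - No matching peer found$"
)

# Constructed sample log, modelled on the Asterisk messages log quoted in Reply #15.
SAMPLE_LOG = """\
[2010-09-19 15:33:32] WARNING[26690] chan_sip.c: Remote host can't match request NOTIFY to call 'x@192.168.80.1'. Giving up.
[2010-09-19 15:33:48] NOTICE[26690] chan_sip.c: Registration from '"3235410554"<sip:3235410554@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"thomas"<sip:thomas@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:33:49] NOTICE[26690] chan_sip.c: Registration from '"arsenal"<sip:arsenal@201.29.213.245>' failed for '173.193.194.106' - No matching peer found
[2010-09-19 15:45:00] NOTICE[26690] chan_sip.c: Registration from '"alice"<sip:alice@192.168.80.1>' failed for '192.168.80.22' - No matching peer found
"""

def parse_failures(log_text):
    """Return (timestamp, source ip) for every line the failregex matches, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return events

def run_jail(events, maxretry=2, findtime=600, bantime=259200):
    """Replay the jail's counting rule: a host is banned once it has maxretry failures
    inside a sliding findtime window; hits while banned are skipped ('already banned')."""
    window = defaultdict(deque)   # ip -> timestamps of its recent failures
    banned_until = {}             # ip -> datetime the ban expires
    bans = []                     # (ip, ban_start, ban_end) in the order issued
    for ts, ip in events:
        if ip in banned_until and ts < banned_until[ip]:
            continue              # this is where fail2ban logs "already banned"
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans
```

run_jail(parse_failures(SAMPLE_LOG)) returns one ban for 173.193.194.106 at the scanner's second attempt (15:33:49) lasting the 259200 seconds from the jail; with maxretry=4 it returns none, since the sample holds only three attempts from that host.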
pw44
« Reply #21 on: September 20, 2010, 05:23:01 pm »
Done 
davegravy
« Reply #22 on: September 20, 2010, 08:56:33 pm »
Is this normal/bad? (from /var/log/fail2ban.log)

2010-09-19 20:56:36,238 fail2ban.actions.action: ERROR printf %b "Subject: [Fail2Ban] ASTERISK: started From: Fail2Ban <fail2ban@example.org> To: root\n Hi,\n The jail ASTERISK has been started successfully.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f fail2ban@example.org root returned 7f00
pw44
« Reply #23 on: September 20, 2010, 09:08:04 pm »
Do you have sendmail installed?
davegravy
« Reply #24 on: September 23, 2010, 06:50:24 pm »
I did not have it installed - problem solved.
New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they are being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?
I also have ipblock installed, which could be conflicting.
« Last Edit: September 23, 2010, 06:55:48 pm by davegravy »
tschak909
« Reply #25 on: September 23, 2010, 08:04:30 pm »
Guys, this has to be properly integrated into LinuxMCE; the firewall rules output needs to go into the database!
-Thom
pw44
« Reply #26 on: September 23, 2010, 08:48:36 pm »
Or adding the fail2ban start script at the end of /usr/pluto/bin/Network_Firewall.sh. Not ideal, but it will work until it's integrated....
pw44
« Reply #27 on: September 28, 2010, 11:46:43 pm »
Thom and J. (phenigma), I was looking at the code of /usr/pluto/bin/Network_Firewall.sh, and I think that, as fail2ban is dynamic, reading the log files to take the counter measures (blocking and releasing IPs), the best way to have it integrated would be having its start, stop and restart called from the Network_Firewall.sh script. What do you guys think about it?
Paulo
« Last Edit: October 11, 2010, 01:52:13 pm by pw44 »
davegravy
« Reply #28 on: October 11, 2010, 01:28:34 am »
pw44
« Reply #29 on: October 11, 2010, 01:59:49 am »
There is also a parameter that should be included in the /etc/asterisk/sip.conf file: alwaysauthreject=yes. Why is well explained in http://sysadminman.net/blog/2009/hacking-and-securing-your-asterisk-server-592. Another measure is to enforce security with iptables, as described in: http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082
After I installed fail2ban, I had attacks which were blocked by fail2ban (after 100, 200, 300 tries, because the scanner is very fast). With alwaysauthreject=yes, the attacker gets confused by the response, so I get attacks with 2 or 10 tries, and fail2ban blocks the attacker's IP address.