Fail2ban - Really worth for stopping brute force attacks against asterisk.

[pw44]

New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they're are being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?

At the end of /usr/pluto/bin/Network_Firewall.sh add the following line: /etc/init.d/fail2ban restart

This will solve it.

[posde]

a cleaner approach might be, to change the start order, and start fail2ban after linuxmce

[pw44]

Sure, but every time /usr/pluto/bin/Network_Firewall.sh runs (on linuxmce firewall rules changes. i.e) the fail2ban rules are lost, that's why i made the option to make it start at the end of this script. May not be the cleanest approach, but i've find out to be the surest.

[coley]

thx for the wiki page!
applied this morning, after my asterisk had been brute forced and extension found with no secret.
must have been prior to the sip secrets patch as the phones page on webadmin didn't list the extension in question. Yet freepbx listed the extension.
Maybe recreation of an orbiter or MD left me with orphan SIP extensions.

-Coley.

[pw44]

Thx! Good to know that it is being useful.
Don't forget the alwaysauthreject=yes in sip.conf. It proved to me to make a difference, confusing the scanner....

[davegravy]

Does

Code:

alwaysauthreject=yes

work for IAX.conf as well? Google hasn't helped me answer this.

[davegravy]

Checked my log today and noticed that it looks like a botnet of some sort is being used to launch brute force attacks: Each login attempt appears to come from a different IP, and so fail2ban isn't doing its job.

I've changed the threshold to 1 invalid login attempt = ban, and hopefully the botnet will run out of bot IPs before it guesses my login/passwords. If I happen to ban myself by accident I'll just have to manually unban myself.

Anyone know if there's a big performance hit from having a huge number of entries in IPTables?

[pw44]

Well, maybe this article can help.
http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082
If you configure fail2ban correctly, you will not ban yourself.
I do not have experience with iax, but i've found some links that may be helpful:
http://www.voip-info.org/wiki/view/Asterisk+config+iax.conf
http://www.freepbx.org/forum/freepbx/installation/iax2-channel-rejected-connect-attempt-from-no-iax-provisioning-configurat