Author Topic: Fail2ban - Really worth for stopping brute force attacks against asterisk. (Read 24474 times)

pw44 · « **Reply #30 on:** October 11, 2010, 02:54:36 pm »

Quote from: davegravy on September 23, 2010, 07:50:24 pm

New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they're are being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?

At the end of /usr/pluto/bin/Network_Firewall.sh add the following line: /etc/init.d/fail2ban restart

This will solve it.

Marie.O · « **Reply #31 on:** October 11, 2010, 03:31:12 pm »

a cleaner approach might be, to change the start order, and start fail2ban after linuxmce

pw44 · « **Reply #32 on:** October 11, 2010, 03:39:07 pm »

Sure, but every time /usr/pluto/bin/Network_Firewall.sh runs (on linuxmce firewall rules changes. i.e) the fail2ban rules are lost, that's why i made the option to make it start at the end of this script. May not be the cleanest approach, but i've find out to be the surest.

coley · « **Reply #33 on:** October 15, 2010, 06:22:45 pm »

thx for the wiki page!
applied this morning, after my asterisk had been brute forced and extension found with no secret.
must have been prior to the sip secrets patch as the phones page on webadmin didn't list the extension in question. Yet freepbx listed the extension.
Maybe recreation of an orbiter or MD left me with orphan SIP extensions.

-Coley.

pw44 · « **Reply #34 on:** October 16, 2010, 04:08:29 pm »

Thx! Good to know that it is being useful.
Don't forget the alwaysauthreject=yes in sip.conf. It proved to me to make a difference, confusing the scanner....

davegravy · « **Reply #35 on:** November 01, 2010, 09:54:32 pm »

Does

Code: [Select]

alwaysauthreject=yes work for IAX.conf as well? Google hasn't helped me answer this.

davegravy · « **Reply #36 on:** November 02, 2010, 03:03:47 pm »

Checked my log today and noticed that it looks like a botnet of some sort is being used to launch brute force attacks: Each login attempt appears to come from a different IP, and so fail2ban isn't doing its job.

I've changed the threshold to 1 invalid login attempt = ban, and hopefully the botnet will run out of bot IPs before it guesses my login/passwords. If I happen to ban myself by accident I'll just have to manually unban myself.

Anyone know if there's a big performance hit from having a huge number of entries in IPTables?

pw44 · « **Reply #37 on:** November 02, 2010, 05:24:46 pm »

Well, maybe this article can help.
http://sysadminman.net/blog/2010/limiting-sipiax-connections-to-asterisk-with-iptables-1082
If you configure fail2ban correctly, you will not ban yourself.
I do not have experience with iax, but i've found some links that may be helpful:
http://www.voip-info.org/wiki/view/Asterisk+config+iax.conf
http://www.freepbx.org/forum/freepbx/installation/iax2-channel-rejected-connect-attempt-from-no-iax-provisioning-configurat

News:

Author Topic: Fail2ban - Really worth for stopping brute force attacks against asterisk. (Read 24474 times)

pw44

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.

Marie.O

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.

pw44

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.

coley

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.

pw44

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.

davegravy

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.

davegravy

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.

pw44

Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.