Author Topic: Fail2ban - Really worth for stopping brute force attacks against asterisk.  (Read 24490 times)

pw44

  • Addicted
  • *
  • Posts: 666
    • View Profile
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #30 on: October 11, 2010, 02:54:36 pm »
New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they're are being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?

At the end of /usr/pluto/bin/Network_Firewall.sh add the following line: /etc/init.d/fail2ban restart

This will solve it.

Marie.O

  • Administrator
  • LinuxMCE God
  • *****
  • Posts: 3676
  • Wastes Life On LinuxMCE Since 2007
    • View Profile
    • My Home
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #31 on: October 11, 2010, 03:31:12 pm »
a cleaner approach might be, to change the start order, and start fail2ban after linuxmce

pw44

  • Addicted
  • *
  • Posts: 666
    • View Profile
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #32 on: October 11, 2010, 03:39:07 pm »
Sure, but every time /usr/pluto/bin/Network_Firewall.sh runs (on linuxmce firewall rules changes. i.e) the fail2ban rules are lost, that's why i made the option to make it start at the end of this script. May not be the cleanest approach, but i've find out to be the surest.
« Last Edit: October 11, 2010, 10:11:11 pm by pw44 »

coley

  • Guru
  • ****
  • Posts: 492
    • View Profile
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #33 on: October 15, 2010, 06:22:45 pm »
thx for the wiki page!
applied this morning, after my asterisk had been brute forced and extension found with no secret.
must have been prior to the sip secrets patch as the phones page on webadmin didn't list the extension in question. Yet freepbx listed the extension.
Maybe recreation of an orbiter or MD left me with orphan SIP extensions.

-Coley.

pw44

  • Addicted
  • *
  • Posts: 666
    • View Profile
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #34 on: October 16, 2010, 04:08:29 pm »
Thx! Good to know that it is being useful.
Don't forget the alwaysauthreject=yes in sip.conf. It proved to me to make a difference, confusing the scanner....

davegravy

  • Addicted
  • *
  • Posts: 551
    • View Profile
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #35 on: November 01, 2010, 09:54:32 pm »
Does
Code: [Select]
alwaysauthreject=yes work for IAX.conf as well? Google hasn't helped me answer this.

davegravy

  • Addicted
  • *
  • Posts: 551
    • View Profile
Re: Fail2ban - Really worth for stopping brute force attacks against asterisk.
« Reply #36 on: November 02, 2010, 03:03:47 pm »
Checked my log today and noticed that it looks like a botnet of some sort is being used to launch brute force attacks: Each login attempt appears to come from a different IP, and so fail2ban isn't doing its job.

I've changed the threshold to 1 invalid login attempt = ban, and hopefully the botnet will run out of bot IPs before it guesses my login/passwords. If I happen to ban myself by accident I'll just have to manually unban myself.

Anyone know if there's a big performance hit from having a huge number of entries in IPTables?

pw44

  • Addicted
  • *
  • Posts: 666
    • View Profile
« Last Edit: December 16, 2010, 08:24:32 pm by pw44 »