
Fail2ban - Really worth it for stopping brute force attacks against Asterisk.

Started by pw44, September 17, 2010, 02:27:11 PM


pw44

Quote from: davegravy on September 23, 2010, 07:50:24 PM
New problem - after reboot the iptables rules for fail2ban disappear. I wonder if they're are being overwritten by LinuxMCE in the boot order. Any ideas how to fix this?

At the end of /usr/pluto/bin/Network_Firewall.sh add the following line: /etc/init.d/fail2ban restart

This will solve it.

Marie.O

A cleaner approach might be to change the start order and start fail2ban after LinuxMCE.
If I helped you, feel free to buy me a coffee: [url="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=2VKASZLTJH7ES"]https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=2VKASZLTJH7ES[/url]

pw44

Sure, but every time /usr/pluto/bin/Network_Firewall.sh runs (e.g. on LinuxMCE firewall rule changes) the fail2ban rules are lost; that's why I chose to start it at the end of this script. It may not be the cleanest approach, but I've found it to be the surest.

coley

Thx for the wiki page!
Applied this morning, after my Asterisk had been brute forced and an extension found with no secret.
It must have been prior to the SIP secrets patch, as the phones page in webadmin didn't list the extension in question, yet FreePBX listed the extension.
Maybe recreation of an orbiter or MD left me with orphan SIP extensions.

-Coley.
~ 12.04 Alpha: [url="http://linuxmce.iptp.org/snapshots"]http://linuxmce.iptp.org/snapshots[/url]
~ 10.04 Final: [url="http://linuxmce.iptp.org/release/LinuxMCE-1004-final.iso"]http://linuxmce.iptp.org/release/LinuxMCE-1004-final.iso[/url]
~ My setup: [url="http://wiki.linuxmce.org/index.php/User:Coley"]http://wiki.linuxmce.org/index.php/User:Coley[/url]

pw44

Thx! Good to know that it is being useful.
Don't forget the alwaysauthreject=yes in sip.conf. It proved to me to make a difference, confusing the scanner....

davegravy

Does alwaysauthreject=yes work for iax.conf as well? Google hasn't helped me answer this.

davegravy

Checked my log today and noticed that it looks like a botnet of some sort is being used to launch brute force attacks: each login attempt appears to come from a different IP, so fail2ban isn't doing its job.

I've changed the threshold to 1 invalid login attempt = ban, and hopefully the botnet will run out of bot IPs before it guesses my login/passwords. If I happen to ban myself by accident I'll just have to manually unban myself.

Anyone know if there's a big performance hit from having a huge number of entries in iptables?
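The distributed brute force described in the post above is exactly the case a per-source-IP ban threshold misses. The following is an added example (not code from this thread or from fail2ban) that parses chan_sip "Registration from ... failed for ..." NOTICE lines, shows which sources a per-IP maxretry would catch, and groups failures by targeted extension so an attack spread across many IPs still stands out. The log lines, IPs and extensions are constructed; the log format is assumed to be the chan_sip NOTICE line that fail2ban's asterisk filter matches.

```python
import re
from collections import defaultdict

# Constructed sample log (made-up IPs and extensions), in the chan_sip NOTICE format.
SAMPLE_LOG = """\
[Sep 23 20:10:01] NOTICE[2144] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '203.0.113.10' - Wrong password
[Sep 23 20:10:02] NOTICE[2144] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '198.51.100.7' - Wrong password
[Sep 23 20:10:03] NOTICE[2144] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '192.0.2.33' - Wrong password
[Sep 23 20:10:04] NOTICE[2144] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '203.0.113.44' - Wrong password
[Sep 23 20:10:09] NOTICE[2144] chan_sip.c: Registration from '"301" <sip:301@10.0.0.5>' failed for '203.0.113.10' - Wrong password
[Sep 23 20:10:15] NOTICE[2144] chan_sip.c: Registration from '"301" <sip:301@10.0.0.5>' failed for '203.0.113.10' - Wrong password
"""

# Assumed line shape: optional display name, sip user, source IP (optionally :port), reason.
FAILED_REG = re.compile(
    r"Registration from '(?:\"[^\"]*\" )?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def parse_failures(log_text):
    """Return a list of (targeted_extension, source_ip, reason) for each failed registration."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip"), m.group("reason")))
    return failures

def would_ban(failures, maxretry):
    """Source IPs a per-IP rule (like fail2ban's maxretry) would ban within this window."""
    counts = defaultdict(int)
    for _, ip, _ in failures:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= maxretry}

def distributed_targets(failures, min_sources=3):
    """Extensions hit from at least min_sources distinct IPs: the botnet pattern per-IP bans miss."""
    sources = defaultdict(set)
    for ext, ip, _ in failures:
        sources[ext].add(ip)
    return {ext: sorted(ips) for ext, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("banned with maxretry=3:", would_ban(f, 3))   # only the repeat offender
    print("banned with maxretry=1:", would_ban(f, 1))   # every source, as in the post
    print("extensions under distributed attack:", distributed_targets(f))
```

With maxretry=3 only one of the four sources hitting extension 200 is banned; the per-extension view reports the attack regardless of how many IPs it is spread over.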

pw44