
Fail2ban - Really worth it for stopping brute force attacks against Asterisk.

Started by pw44, September 17, 2010, 02:27:11 PM


pw44

Hi,
Is there someone using fail2ban on LinuxMCE 8.10?
TIA.
Paulo

cfernandes


pw44

Hi CFernandes,
Regarding iptables, is it being started by /etc/init.d/iptables or by LinuxMCE?
Could you send me the configuration files you are using, so I can compare them with mine?
TIA,
Paulo


Kooma

Didn't know about fail2ban before reading your posts.

Although duct tape is strictly forbidden, could you write a short wiki for installing fail2ban? Sounds like a must-have.

pw44

Kooma,
after I finish the installation and tests, I will write a wiki for it.
Fail2ban seems to be the almost perfect tool against brute force attacks, which is especially recommended for Asterisk users.
Regards,
Paulo

wierdbeard65

Quote from: Kooma on September 17, 2010, 07:59:33 PM
Although duct tape is strictly forbidden
It doesn't have to be duct tape. Can this not be integrated properly? (I lack the skills to achieve this!!!)
Paul
If you have the time to help, please see where I have got to at: http://wiki.linuxmce.org/index.php/User:Wierdbeard65

cfernandes

This is my fail2ban configuration:

apt-get install fail2ban
touch /etc/fail2ban/filter.d/asterisk.conf

Content of asterisk.conf:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =


In /etc/fail2ban/jail.conf I add:

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime = 259200
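
As an added illustration of what the filter above actually does (this is example code, not code from the thread or from fail2ban itself), the script below replays the posted failregex list against a constructed sample of /var/log/asterisk/full, using maxretry = 3 and bantime = 259200 from the jail and fail2ban's default findtime of 600 s, which the posted jail does not override. The log lines, the host addresses (RFC 5737 documentation ranges) and the timestamps are made up for the example; the <HOST> alias is the one fail2ban's own filter comment quotes, and the "not supposed to register" line is used with its mismatched quote corrected.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag in a failregex with this alias
# (quoted in the comment block of the filter file above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines from the thread's /etc/fail2ban/filter.d/asterisk.conf,
# with the mismatched quote in the "not supposed to register" line corrected.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_ALIAS)) for rx in FAILREGEX]

# Jail settings from the thread's [asterisk-iptables] section; findtime is
# fail2ban's default, since the posted jail does not set it.
MAXRETRY = 3
BANTIME = 259200
FINDTIME = 600

# Constructed sample of /var/log/asterisk/full (not a real capture). Asterisk
# writes "[Mon DD HH:MM:SS] LEVEL[pid] file.c: message".
SAMPLE_LOG = """\
[Sep 17 14:02:11] NOTICE[2881] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Sep 17 14:02:12] NOTICE[2881] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Sep 17 14:02:13] NOTICE[2881] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
[Sep 17 14:02:14] NOTICE[2881] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - Username/auth name mismatch
[Sep 17 14:05:40] NOTICE[2881] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Sep 17 14:06:02] NOTICE[2881] chan_sip.c: Host 198.51.100.9 failed MD5 authentication for 'admin' (d41d8cd9 != 9e107d9d)
[Sep 17 14:06:03] NOTICE[2881] chan_sip.c: No registration for peer 'admin' (from 198.51.100.9)
[Sep 17 14:30:00] NOTICE[2881] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Sep 17 14:30:01] NOTICE[2881] chan_sip.c: Registration from '"301" <sip:301@192.0.2.10>' failed for '198.51.100.7' - Wrong password
"""


def parse_time(line):
    """Timestamp of one log line. The year is absent from the line, so
    strptime defaults to 1900; that is fine for comparisons inside one file."""
    return datetime.strptime(line[1:16], "%b %d %H:%M:%S")


def match_failure(line):
    """Return the offending host if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def run_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log the way the jail would: count failures per host inside a
    sliding findtime window and ban when the count reaches maxretry.
    Returns ({host: total matches}, {banned host: ban expiry})."""
    recent = defaultdict(list)   # host -> timestamps of failures still inside findtime
    hits = defaultdict(int)
    banned = {}
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None:
            continue
        hits[host] += 1
        if host in banned:
            continue            # already in the fail2ban-ASTERISK chain
        ts = parse_time(line)
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
    return dict(hits), banned


if __name__ == "__main__":
    hits, banned = run_jail(SAMPLE_LOG)
    print("matches per host:", hits)
    print("banned:", banned)
```

Note that 198.51.100.7 fails three times in total but is never banned: its first failure falls outside the 600 s findtime window by the time the other two arrive, so the jail only ever sees two. On a real box the equivalent check against the live log is fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf, which prints which lines each regex matched.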



Kooma

Checked the fail2ban web pages; they seem to have quite OK info for newbies too. I hope to use this for more than Asterisk; I think that is just one thing among others.

If I remember right, one of the core devs, if not The Dev, had a problem with a break-in to his system. Would fail2ban have helped to avoid this?

Considering that LMCE will control (at least in my dreams) almost every aspect of the house, this kind of safety tool would be nice to have included in the system.

cfernandes

Paulo,

Is your fail2ban working, or do you have some issue?

I have the same configuration that you posted,

and this configuration is working on my LinuxMCE and on an Asterisk server at my work.

Carlos

pw44

Carlos,
it was only for checking, because when I type iptables -L -v, I do not see the fail2ban rule, as stated in the post we both used as the basis for configuration. So I thought I was doing something wrong.
Thanks for the help.
Paulo

bundie

Hi Paulo,

Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules to the jail.conf file but to jail.local instead.

So in /etc/fail2ban/jail.local you put:

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime = 259200


Do a reload of fail2ban:

# sudo /etc/init.d/fail2ban restart

And now with:

# iptables -v -L

you should see that the asterisk rule is loaded.

Hope this helps,
Greets,
Reint.

pw44

Quote from: bundie on September 19, 2010, 07:29:45 PM
Put the stuff for the file /etc/fail2ban/jail.conf into /etc/fail2ban/jail.local. According to the howto in your earlier post, you're not supposed to add rules to the jail.conf file but to jail.local instead.
Sorry, I did not find any reference to jail.local in the howto. Where did you find it?
BR,
Paulo

bundie

Hi Paulo,

So sorry, I got confused  :-[

It's in the comment at the top of the jail.conf file itself. My fail2ban Asterisk rule didn't show when I put it in jail.conf. After I changed it to jail.local everything worked like a charm. It's already blocking some Asterisk intruders for me!

Sorry for the mix-up!
Reint.

cfernandes

Paulo,

On my installation I do not need to add anything to jail.local; all configuration is made in jail.conf.


Carlos
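
To make the jail.conf versus jail.local question raised in bundie's post and in Carlos's last reply concrete, here is an added Python example (not fail2ban's own code) that merges two constructed stand-ins for the files the way fail2ban reads them: jail.conf first, then jail.local, with every key in .local overriding the same key in .conf, sections that exist only in .local being added, and [DEFAULT] filling in whatever a jail leaves unset. Both file contents are assumed for the example and are not the full stock files; the stock ssh jail is included only to show inheritance from [DEFAULT].

```python
import configparser

# Constructed stand-in for /etc/fail2ban/jail.conf: the defaults plus one
# stock jail. Not the full shipped file.
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/auth.log
maxretry = 6
"""

# Constructed stand-in for /etc/fail2ban/jail.local: only the jail from this
# thread, as bundie suggests placing it.
JAIL_LOCAL = """\
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime  = 259200
"""


def load_jails(conf_text, local_text):
    """Merge the two files in fail2ban's order: .conf first, then .local.
    configparser applies the same rules fail2ban does here: a later read
    overrides keys, new sections are added, and [DEFAULT] is inherited."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp


def enabled_jails(cp):
    """Names of the jails fail2ban would actually start."""
    return sorted(s for s in cp.sections()
                  if cp.getboolean(s, "enabled", fallback=False))


def jail_settings(cp, name):
    """Effective settings of one jail after DEFAULT inheritance and .local
    overrides. The indented continuation lines of 'action' become a list."""
    return {
        "filter": cp.get(name, "filter"),
        "logpath": cp.get(name, "logpath"),
        "maxretry": cp.getint(name, "maxretry"),
        "findtime": cp.getint(name, "findtime"),
        "bantime": cp.getint(name, "bantime"),
        "actions": cp.get(name, "action").splitlines(),
    }


if __name__ == "__main__":
    cp = load_jails(JAIL_CONF, JAIL_LOCAL)
    for jail in enabled_jails(cp):
        print(jail, jail_settings(cp, jail))
```

The asterisk jail ends up with bantime 259200 from jail.local, findtime 600 inherited from [DEFAULT], and two actions, which is the same result Carlos gets by editing jail.conf directly; the reason the comment at the top of jail.conf points to jail.local is that the package may replace jail.conf on upgrade, while jail.local is yours. On the box, fail2ban-client status asterisk-iptables shows whether the jail is running, and because the iptables-allports action names its chain after the name parameter, iptables -L fail2ban-ASTERISK -n lists the hosts it has banned.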