
Fail2ban is not catching failed SIP registration attempts. Please help as I have extensions getting hacked.

    Please check your /etc/fail2ban/jail.conf and jail.local for any configuration related to Asterisk.

    Also, check /var/log/messages to notice any output coming from the fail2ban service. There might be something that prevents F2B from loading properly.

    Make sure security=on and warning=on for messages log in unembeddedPBX > Settings > Asterisk Logfile Settings.

    They are set that way by default but just in case you changed that.

    ccabrera I have compared to another installation and it matches exactly to a working installation.

      supa I checked and security was off and I changed it to on. Unfortunately it does not seem to be causing it to work.


        In my experience, when fail2ban tries to read from an overcrowded file, it tends to miss the lines that matter.

        What I've done is:

        • In /etc/asterisk/logger.conf
          Send all notice output to a file /var/log/asterisk/fail2ban

        • In /etc/fail2ban/jail.local
          Change the Asterisk jail and point it to /var/log/asterisk/fail2ban instead of the default /var/log/asterisk/messages

        • Restart the Asterisk logger and then restart Fail2ban

        • Check the /var/log/messages and notice if F2B is loading the jail properly

        • Perform an "attack" of my own PBX to see if it bans me (it should!)

        Also, be sure to test the F2B filter to see if it matches. Use the fail2ban-regex command like this (it should tell you which lines are being matched):
        fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

        Regards,

        morsepi It will definitely not work with security=off on messages log. Anything else you did to troubleshoot prior to that would not have changed that.

          ccabrera I don't fully understand the change to the /etc/asterisk/logger.conf that you recommend.

          The current config file is:
          [general]
          #include logger_general_additional.conf
          #include logger_general_custom.conf

          [logfiles]
          #include logger_logfiles_additional.conf
          #include logger_logfiles
          How do I change it so that it is sending all notices to the file /var/log/asterisk/fail2ban ?

            morsepi Don't need to change that imo. You are fine using /var/log/asterisk/messages imo. Just disable Debug and Verbosity so it doesn't log too much useless junk.

              supa It is working just fine with SSH failed attempts, it is just not catching any asterisk fails. I am beating my head against the wall watching the logs.

                morsepi Check fail2ban-client status and make sure asterisk is listed as one of the jails.

                Have you checked that /var/log/asterisk/messages log file has the entries that fail2ban should be banning?

                It's not that hard to troubleshoot if you just follow the same steps fail2ban uses, which is just to read log files. I think you can also have fail2ban read the log file and show you what it is finding, if anything. How are you testing the ban action? Try testing a SIP client with the wrong password. Make it try to register 6 times. I tested that and know for sure that Issabel fail2ban will ban that.

                  supa In the log it shows "InvalidPassword" for the failed SIP registrations and in F2B it has the following in the conf. I am sure I am missing something simple. Your help is greatly appreciated.

                  [asterisk]

                  port = 5060,5061
                  action = %(banaction)s[name=%(name)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
                           %(banaction)s[name=%(name)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
                           %(mta)s-whois[name=%(name)s, dest="%(destemail)s"]
                  logpath = /var/log/asterisk/messages
                  maxretry = 5

                    morsepi I found the issue.

                    /etc/asterisk/logger_logfiles_additional.conf was missing the following line

                    messages => error,notice,warning,security

                      morsepi You cannot edit that file directly because it will get overwritten the next time you apply settings. It says so at the very top of that file: "Do NOT edit this file as it is auto-generated by IssabelPBX".

                      You configure that file in unembeddedPBX > Settings > Asterisk Logfile Settings which I explained in a previous post.
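                        The two checks this thread boils down to, written out as an added example (not code from the original posts or from the Issabel or fail2ban projects): first, whether the logger.conf "messages" line actually lists the security level (the missing "messages => error,notice,warning,security" line found above), and second, the counting a fail2ban jail like the one posted earlier does over the log (maxretry = 5, with fail2ban's default findtime of 600 seconds assumed). The regexes are simplified approximations of the two line shapes mentioned in the thread, not fail2ban's own filter.d/asterisk.conf, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Part 1: the logger.conf check behind the fix found later in the thread. Asterisk only
# writes SECURITY events to "messages" when that level is listed for it.
LOGFILE_RE = re.compile(r"^\s*(?P<file>[\w.-]+)\s*=>\s*(?P<levels>[\w,\s]+?)\s*$", re.M)

def messages_logs_security(logger_conf):
    """True when the 'messages' logfile line lists the 'security' level."""
    for m in LOGFILE_RE.finditer(logger_conf):
        if m.group("file") == "messages":
            return "security" in {lvl.strip() for lvl in m.group("levels").split(",")}
    return False  # no 'messages' line at all, as on the broken install

# Part 2: the matching a fail2ban jail does. Simplified patterns for the two line shapes
# discussed in the thread; NOT a copy of fail2ban's own filter.d/asterisk.conf.
TS = r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]"
PATTERNS = [
    re.compile(TS + r" SECURITY\[\d+\].*SecurityEvent=\"InvalidPassword\".*"
               r"RemoteAddress=\"IPV[46]/\w+/(?P<host>[^/]+)/\d+\""),
    re.compile(TS + r" NOTICE\[\d+\].*Registration from '[^']*' failed for "
               r"'(?P<host>[^':]+)(?::\d+)?' - Wrong password"),
]

def hosts_to_ban(log_lines, maxretry=5, findtime=600):
    """Hosts with maxretry matching failures inside a findtime-second window
    (maxretry = 5 as in the jail posted above; 600 s is fail2ban's default findtime)."""
    seen, banned = defaultdict(deque), set()
    for line in log_lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            window = seen[m.group("host")]  # timestamps of recent failures for this host
            window.append(ts)
            while (ts - window[0]).total_seconds() > findtime:
                window.popleft()  # drop failures older than findtime
            if len(window) >= maxretry:
                banned.add(m.group("host"))
            break
    return banned

# Constructed sample log (not from the original post): one host fails 6 times in a minute.
SAMPLE_LOG = [f'[2024-01-01 10:00:{s:02d}] SECURITY[123] res_security_log.c: SecurityEvent='
              '"InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060"'
              for s in range(6)] + ['[2024-01-01 10:01:00] NOTICE[123] chan_sip.c: Registration '
              "from '\"100\" <sip:100@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password"]
```

Running it on SAMPLE_LOG reports only 203.0.113.5; the single wrong-password NOTICE for 198.51.100.7 stays below maxretry.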

                        2 months later

                        If you are running a small PBX I would suggest having a look at SecAst (Free Edition). It provides security way beyond what fail2ban offers, and it does NOT use log files. It hooks into the Asterisk AMI, network card interfaces, OS, etc. and can block hackers at the PBX or at the external firewall (keep hackers outside the network). For more info on the Free Edition of SecAst check out http://www.haast.ca/?secast
