Fail2ban is not catching failed SIP registration attempts. Please help as I have extensions getting hacked.
Please check your /etc/fail2ban/jail.conf and jail.local for any configuration related to Asterisk.
Also, check /var/log/messages to notice any output coming from the fail2ban service. There might be something that prevents F2B from loading properly.
Make sure security=on and warning=on for the messages log in unembeddedPBX > Settings > Asterisk Logfile Settings.
They are set that way by default, but just in case you changed that.
In my experience, when fail2ban tries to read from an overcrowded file, it tends to miss the lines that matter.
What I've done is:
In /etc/asterisk/logger.conf, send all notice output to a file /var/log/asterisk/fail2ban
In /etc/fail2ban/jail.local, change the Asterisk jail and point it to /var/log/asterisk/fail2ban instead of the default /var/log/asterisk/messages
Restart the Asterisk logger and then restart Fail2ban
Check /var/log/messages and notice if F2B is loading the jail properly
Perform an "attack" on my own PBX to see if it bans me (it should!)
Also, be sure to test the F2B filter to see it matches. Use the fail2ban-regex command like this (it should tell you which lines are being matched):
fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
Regards,
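Added example, not from the thread: a small Python script that does offline what the fail2ban-regex check above does, running a simplified Asterisk failregex (an assumption, not the distribution's exact asterisk.conf pattern) over constructed sample log lines and counting failures per remote address against the jail's maxretry.

```python
"""Offline check of what an Asterisk fail2ban filter would match (added example)."""
import re
from collections import Counter

# Assumption: simplified failregex in the spirit of fail2ban's asterisk.conf, with
# fail2ban's <HOST> placeholder written as a named group. Test the real filter with
# fail2ban-regex; this one only illustrates the matching and counting.
FAILREGEX = re.compile(
    r'SECURITY\[\d+\].*SecurityEvent="(?:InvalidPassword|InvalidAccountID|'
    r'ChallengeResponseFailed|FailedACL)".*'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS)/(?P<host>[^/"]+)/\d+"'
)

def security_line(event, host, second, severity="Error"):
    """Build a constructed line in the shape Asterisk's res_security_log writes."""
    return (f'[2024-03-01 10:00:{second:02d}] SECURITY[2301] res_security_log.c: '
            f'SecurityEvent="{event}",EventTV="2024-03-01T10:00:{second:02d}.000+0000",'
            f'Severity="{severity}",Service="SIP",EventVersion="2",AccountID="1001",'
            f'SessionID="0x7f1",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            f'RemoteAddress="IPV4/UDP/{host}/5060"')

# Constructed sample: six bad passwords from one address, two from another,
# one successful auth and one ordinary NOTICE line that must not match.
SAMPLE_LOG = "\n".join(
    [security_line("InvalidPassword", "203.0.113.5", s) for s in range(1, 7)]
    + [security_line("InvalidPassword", "198.51.100.7", s) for s in (8, 9)]
    + [security_line("SuccessfulAuth", "198.51.100.7", 10, "Informational"),
       "[2024-03-01 10:00:11] NOTICE[2301] chan_sip.c: Peer '1001' is now Reachable."]
)

def failures_per_host(log_text, pattern=FAILREGEX):
    """Count matching lines per remote host, as fail2ban does before deciding to ban."""
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(log_text, maxretry=5, pattern=FAILREGEX):
    """Hosts at or above the jail's maxretry (the findtime window is not modelled)."""
    return sorted(h for h, n in failures_per_host(log_text, pattern).items() if n >= maxretry)

if __name__ == "__main__":
    for host, n in failures_per_host(SAMPLE_LOG).items():
        print(f"{host}: {n} failures")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

If the real filter matches nothing here, the log format, the logger.conf levels or the logpath in the jail is the thing to fix, not the ban action.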
ccabrera I don't fully understand the change to the /etc/asterisk/logger.conf that you recommend.
The current config file is:
[general]
#include logger_general_additional.conf
#include logger_general_custom.conf
[logfiles]
#include logger_logfiles_additional.conf
#include logger_logfiles
How do I change it so that it is sending all notice to the file /var/log/asterisk/fail2ban ?
morsepi Check fail2ban-client status and make sure asterisk is listed as one of the jails.
Have you checked that the /var/log/asterisk/messages log file has the entries that fail2ban should be banning?
It's not that hard to troubleshoot if you just follow the same steps fail2ban uses, which is just to read log files. I think you can also have fail2ban read the log file and show you what it is finding, if anything. How are you testing the ban action? Try testing a SIP client with the wrong password. Make it try to register 6 times. I tested that and know for sure that Issabel fail2ban will ban that.
supa
In the log it shows "InvalidPassword" for the failed SIP registrations, and in F2B it has the following in the conf. I am sure I am missing something simple. Your help is greatly appreciated.
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(name)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(name)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(name)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 5
morsepi You cannot edit that file directly because it will get overwritten the next time you apply settings. It says so at the very top of that file. Do NOT edit this file as it is auto-generated by IssabelPBX
You configure that file in unembeddedPBX > Settings > Asterisk Logfile Settings, which I explained in a previous post.
If you are running a small PBX I would suggest having a look at SecAst (Free Edition). It provides security way beyond what fail2ban offers, and it does NOT use log files. It hooks into the Asterisk AMI, network card interfaces, OS, etc. and can block hackers at the PBX or at the external firewall (keep hackers outside the network). For more info on the Free Edition of SecAst check out http://www.haast.ca/?secast