Blocking SIP brute force attacks with fail2ban

SIP brute force attacks against Asterisk servers are very popular. Best way to defend is to block sip by default and allow only allowed IPs to connect. But we can not use this approach in some cases. Here fail2ban can help.

This howto is based on trixbox install-fail2ban script, which is broken, so I have to install it by hand.

1. Install fail2ban

On centos I have used

wget http://dag.wieers.com/rpm/packages/fail2ban/fail2ban-0.8.1-1.el5.rf.noarch.rpm
rpm -i fail2ban-0.8.1-1.el5.rf.noarch.rpm

2. Create rules for asterisk in fail2ban
/etc/fail2ban/filter.d/asterisk.conf


# Fail2Ban configuration file
#
#
# : 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
# before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

3. Modify fail2ban to only watch asterisk logs.
Generally, I really don’t like tools which plays with iptables.

/etc/fail2ban/jail.conf


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Edited by: Randall Degges (rdegges@fonality.com
#
# : 617 $
## The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 259200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/full
maxretry = 5

4. We need full log enabled in asterisk.
/etc/asterisk/logger.conf


;
; Logging Configuration
;
; In this file, you configure logging to files or to
; the syslog system.
;
; For each file, specify what to log.
;
; For console logging, you set options at start of
; Asterisk with -v for verbose and -d for debug
; See 'asterisk -h' for more information.
;
; Directory for log files is configures in asterisk.conf
; option astlogdir
;
[logfiles]
;
; Format is "filename" and then "levels" of debugging to be included:
;    debug
;    notice
;    warning
;    error
;    verbose
;
; Special filename "console" represents the system console
;
;debug => debug
;console => notice,warning,error
;console => notice,warning,error,debug
;messages => notice,warning,error
full => notice,warning,error,debug,verbose;syslog keyword : This special keyword logs to syslog facility
;
;syslog.local0 => notice,warning,error
;[general]
dateformat=%F %T

5. Reload asterisk config, star and enable services


/usr/sbin/asterisk -rx 'logger reload'
service iptables stop
service iptables start
service fail2ban stop
service fail2ban start
chkconfig iptables on
chkconfig fail2ban on

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>