FANDOM


How to install Fail2BanEdit

===&nbsp SSH to your VoIP server and login as root , then type the following commands===

yum -y install jwhois
cd /usr/src/
wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download
tar -jxf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install
cp /usr/src/fail2ban-0.8.4/files/redhat-initd /etc/init.d/fail2ban
chmod 755 /etc/init.d/fail2ban
cd /etc/fail2ban/filter.d 
touch asterisk.conf

Copy these contents into the new file vi /etc/fail2ban/filter.d/asterisk.conf :Edit

  1. Fail2Ban configuration file
# Fail2Ban configuration file
#
 #
 # $Revision: 251 $
#
 
 [INCLUDES]
 
 # Read common prefixes. If any customizations available -- read them from
# common.local
 before = common.conf
 
 [Definition]
 
 #_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
 #
 # Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* <HOST> failed to authenticate as '.*'$
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
        NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
        NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
        NOTICE.* .*: <HOST> failed to authenticate as '.*'
        NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
        SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"
        SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
        SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
 #


Modify the [default] ignoreip section and Add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file :

#/etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 600

We'll backup the logger.conf file to logger.conf.bak and create a new oneEdit

mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
touch /etc/asterisk/logger.conf

Copy these contents into the new file nano /etc/asterisk/logger.conf :Edit

;
; Logging Configuration
;
; In this file, you configure logging to files or to
; the syslog system.
;
; For each file, specify what to log.
;
; For console logging, you set options at start of
; Asterisk with -v for verbose and -d for debug
; See 'asterisk -h' for more information.
;
; Directory for log files is configures in asterisk.conf
; option astlogdir
;

[general]
dateformat=%F %T

[logfiles]
;
; Format is "filename" and then "levels" of debugging to be included:
;    debug
;    notice
;    warning
;    error
;    verbose
;
; Special filename "console" represents the system console
;
;debug => debug
; The DTMF log is very handy if you have issues with IVR's
;dtmf => dtmf
;console => notice,warning,error
;console => notice,warning,error,debug
;messages => notice,warning,error
full => notice,warning,error,debug,verbose

;syslog keyword : This special keyword logs to syslog facility
;
;syslog.local0 => notice,warning,error
;
fail2ban => notice

Reload logger module in Asterisk :Edit

asterisk -rx "module reload logger"

Add Fail2ban to the list of startup services :Edit

chkconfig fail2ban on

Start Fail2ban :Edit

/etc/init.d/fail2ban start

Check if fail2ban is showing up in iptables :
Edit

iptables -L -v

===You should see "fail2ban-ASTERISK" in your iptables output.

Any hackers that try to brute-force your SIP passwords will now be banned after 5 attempts for 600 seconds ( see jail.conf if you want to change these values )

TIP: set -1 to permanent ban

How to test if your security is working correctly.

Download a software SIP client and try to connect to your Elastix box using false credentials. Make sure you don't try this from an IP address that is on the "ignoreip" list ( 192.168.1.0/24 for instance ). If your client gets blocked after 5 attempts and you receive an email saying your IP has been blocked, then you can safely assume that your configuration is working correctly.===


Asterisk security by Country

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.