How to install Fail2Ban

=== SSH to your VoIP server, log in as root, then type the following commands ===

yum -y install jwhois
cd /usr/src/
# the fail2ban-0.8.4.tar.bz2 source archive must already be in /usr/src/ (download it there first)
tar -jxf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install
cp /usr/src/fail2ban-0.8.4/files/redhat-initd /etc/init.d/fail2ban
chmod 755 /etc/init.d/fail2ban
cd /etc/fail2ban/filter.d
touch asterisk.conf

Copy these contents into the new file (vi /etc/fail2ban/filter.d/asterisk.conf):

# Fail2Ban configuration file
# $Revision: 251 $

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
 # Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* <HOST> failed to authenticate as '.*'$
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
        NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
        NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
        NOTICE.* .*: <HOST> failed to authenticate as '.*'
        NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
        SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"
        SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
        SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =

Modify the ignoreip setting in the [DEFAULT] section and add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file:

[DEFAULT]
# addresses that must never be banned (localhost and your own management hosts)
ignoreip =

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime  = 600
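To see what the filter and jail above actually do before relying on them, here is an added example (not part of the original page and not fail2ban's own code) that expands the <HOST> tag exactly as the filter's Notes describe, runs four of the failregex lines over constructed Asterisk 1.8 log lines, and applies the jail's maxretry and ignoreip values to decide which hosts would be banned. The log lines, peer names and addresses are constructed; the jail's findtime window is ignored for brevity.

```python
import re
from collections import Counter

# Fail2ban expands the <HOST> tag to this group (quoted from the filter's Notes).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Four of the page's failregex lines (the MD5 one with its parentheses escaped).
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r'SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",'
    r'.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]

# Constructed /var/log/asterisk/full lines in the page's dateformat (%F %T); not real traffic.
LOG = [
    "[2012-03-14 10:22:01] NOTICE[2210] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[2012-03-14 10:22:02] NOTICE[2210] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '::ffff:198.51.100.7:5060' - Wrong password",
    "[2012-03-14 10:22:03] NOTICE[2210] chan_sip.c: Host 198.51.100.7 failed MD5 authentication for 'asterisk' (abc != def)",
    '[2012-03-14 10:22:04] SECURITY[2210] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1331720524-0",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="x"',
    "[2012-03-14 10:22:05] NOTICE[2210] chan_sip.c: Registration from '\"101\"<sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[2012-03-14 10:22:06] NOTICE[2210] chan_sip.c: Registration from '\"999\"<sip:999@192.0.2.10>' failed for '203.0.113.9:5060' - No matching peer found",
    "[2012-03-14 10:22:07] NOTICE[2210] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '127.0.0.1:5060' - Wrong password",
    "[2012-03-14 10:23:00] NOTICE[2210] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]

def extract_host(line):
    """Return the remote host captured by the first matching failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def offenders(lines, maxretry=5, ignoreip=("127.0.0.1",)):
    """Per-host failure counts for hosts that reached maxretry, skipping ignoreip (jail.conf values)."""
    counts = Counter()
    for line in lines:
        host = extract_host(line)
        if host is not None and host not in ignoreip:
            counts[host] += 1
    return {host: n for host, n in counts.items() if n >= maxretry}

if __name__ == "__main__":
    for host, n in offenders(LOG).items():
        print(f"would ban {host} after {n} failed attempts")
```

On the server itself, fail2ban's own fail2ban-regex tool performs the same matching against the real log: fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf.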

We'll back up the logger.conf file to logger.conf.bak and create a new one

mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
touch /etc/asterisk/logger.conf

Copy these contents into the new file (nano /etc/asterisk/logger.conf):

; Logging Configuration
; In this file, you configure logging to files or to
; the syslog system.
; For each file, specify what to log.
; For console logging, you set options at start of
; Asterisk with -v for verbose and -d for debug
; See 'asterisk -h' for more information.
; Directory for log files is configured in asterisk.conf
; option astlogdir

dateformat=%F %T

; Format is "filename" and then "levels" of debugging to be included:
;    debug
;    notice
;    warning
;    error
;    verbose
; Special filename "console" represents the system console
;debug => debug
; The DTMF log is very handy if you have issues with IVR's
;dtmf => dtmf
;console => notice,warning,error
;console => notice,warning,error,debug
;messages => notice,warning,error
full => notice,warning,error,debug,verbose

;syslog keyword : This special keyword logs to syslog facility
;syslog.local0 => notice,warning,error
fail2ban => notice

Reload the logger module in Asterisk:

asterisk -rx "module reload logger"

Add Fail2ban to the list of startup services:

chkconfig fail2ban on

Start Fail2ban:

/etc/init.d/fail2ban start

Check that fail2ban shows up in iptables:

iptables -L -v

You should see "fail2ban-ASTERISK" in your iptables output.

Any hackers that try to brute-force your SIP passwords will now be banned after 5 attempts for 600 seconds (see jail.conf if you want to change these values).

TIP: set bantime = -1 for a permanent ban.

=== How to test if your security is working correctly ===

Download a software SIP client and try to connect to your Elastix box using false credentials. Make sure you don't try this from an IP address that is on the "ignoreip" list (for instance). If your client gets blocked after 5 attempts and you receive an email saying your IP has been blocked, then you can safely assume that your configuration is working correctly.
