Securing Asterisk IP-PBX with Fail2Ban

What is Fail2Ban?

Any service that is exposed to the internet is susceptible to attacks from malicious parties. If your service requires authentication, illegitimate users and bots will attempt to break into your system by repeatedly trying to authenticate using different credentials.

A common example of this is with SSH, which will be the subject of bot attacks that attempt to brute force common account names. Luckily, services like fail2ban were created to help us mitigate these attacks.

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.

Set up EPEL repository

For CentOS5 32 or 64 bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

For CentOS6 32 or 64 bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Install fail2ban and set it to start on boot

yum install fail2ban
chkconfig fail2ban on

Make sure fail2ban and iptables are set to start on boot

chkconfig --list fail2ban
fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off
chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Create the asterisk fail2ban filter

nano /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

This is just a sample. Do an internet search to see whether there are newer lines that can be added to this fail2ban Asterisk filter, or whether a filter exists for a specific attack you are trying to block. Duplicate patterns are harmless, but parentheses that are meant literally (as in "ACL error (permit/deny)") should be escaped so the regex matches the log line exactly.

Now go in and configure fail2ban with your email address and your preferred defaults. You can set bantime and maxretry to your preference. It is also a good idea to enable the ssh-iptables filter; make sure to change the port if you are using something other than 22. Lastly, check the logpath. For CentOS the logpath for ssh-iptables is /var/log/secure. For Asterisk it may be /var/log/asterisk/full on some existing installs and /var/log/asterisk/messages on newer installs; this depends on how logging is set in the FreePBX Advanced Settings GUI and in /etc/asterisk/logger_logfiles_custom.conf. If you do not get these log paths right, fail2ban will watch the wrong file and never ban anything.

Create the custom configuration file and edit

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
ssh-iptables should already be there. Just change enabled = false to enabled = true and adjust the other defaults as needed. Add the asterisk-iptables entry to the end of the file. Double check the logpath. Note that the second action line must be indented so fail2ban reads it as a continuation of the action value.

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=asterisk@fail2ban.local]
logpath  = /var/log/secure
maxretry = 5

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=asterisk@fail2ban.local]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime  = 86400
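Before trusting the filter in production, it is worth checking offline that the regexes fire on your log layout and that the jail thresholds behave as expected. The following is an added example (not from the original post and not fail2ban's own code): it expands <HOST> to the alias quoted in the filter comments, runs three of the failregex lines above over constructed sample log lines written in the dateformat=%F %T layout, and applies the jail's maxretry = 5 within fail2ban's default findtime of 600 seconds to decide which addresses would be banned. The hosts in the sample are constructed from documentation address ranges.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands <HOST> to this alias (quoted in the filter's own comments).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Three of the failregex patterns from the asterisk.conf filter above.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]
# Timestamp prefix Asterisk writes with dateformat=%F %T (= %Y-%m-%d %H:%M:%S).
TS_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")

# Constructed sample log (hypothetical hosts from documentation address ranges).
SAMPLE_LOG = """\
[2013-05-02 10:15:01] NOTICE[2211] chan_sip.c: Registration from '"100"<sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2013-05-02 10:15:02] NOTICE[2211] chan_sip.c: Registration from '"101"<sip:101@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[2013-05-02 10:15:03] VERBOSE[2211] chan_sip.c: Really destroying SIP dialog '1234@203.0.113.5'
[2013-05-02 10:15:04] NOTICE[2211] chan_sip.c: Registration from '"102"<sip:102@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2013-05-02 10:15:05] NOTICE[2211] chan_sip.c: Registration from '"103"<sip:103@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2013-05-02 10:15:06] NOTICE[2211] chan_sip.c: Registration from '"104"<sip:104@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2013-05-02 10:20:00] NOTICE[2211] chan_sip.c: 192.0.2.9 failed to authenticate as '200'
"""

def parse_failures(log_text):
    """Return (timestamp, host) for each line that matches a failregex."""
    hits = []
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue  # no parseable date: fail2ban cannot place it in findtime
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        for rx in COMPILED:
            hit = rx.search(line)
            if hit:
                hits.append((ts, hit.group("host")))
                break
    return hits

def hosts_to_ban(hits, maxretry=5, findtime=600):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    by_host = {}
    for ts, host in sorted(hits):
        by_host.setdefault(host, []).append(ts)
    window = timedelta(seconds=findtime)
    return {h for h, t in by_host.items()
            if any(t[i] - t[i - maxretry + 1] <= window
                   for i in range(maxretry - 1, len(t)))}
```

On the real server, fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf performs the same check against the installed filter and reports which log lines matched.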

Lastly, make sure the date format for the Asterisk log files is set so that fail2ban can parse the timestamps. If you do not see the following entry in /etc/asterisk/logger.conf, logger_general_additional.conf, logger_general_custom.conf, logger_logfiles_additional.conf or logger_logfiles_custom.conf, add it to logger_logfiles_custom.conf:

dateformat=%F %T

Then restart Asterisk, or reload the Asterisk logger, for the changes to take effect:

amportal restart

or, from the Asterisk command prompt:

logger reload

That's it. Now make sure fail2ban starts. If it does not, double check jail.conf and jail.local for syntax errors.

service fail2ban start
