What is Fail2Ban?
Any service that is exposed to the internet is susceptible to attacks from malicious parties. If your service requires authentication, illegitimate users and bots will attempt to break into your system by repeatedly trying to authenticate using different credentials.
A common example of this is with SSH, which will be the subject of bot attacks that attempt to brute force common account names. Luckily, services like fail2ban were created to help us mitigate these attacks.
Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.
Set up EPEL repository
For CentOS 5 (32- or 64-bit):
rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
For CentOS 6 (32- or 64-bit):
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Install fail2ban and set it to start on boot
yum install fail2ban
chkconfig fail2ban on
Make sure fail2ban and iptables are set to start on boot
chkconfig --list fail2ban
chkconfig --list iptables
Create the asterisk fail2ban filter
nano /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
This is just a sample. An internet search will turn up newer lines that can be added to this fail2ban asterisk filter, which is also the place to look if you want to block a specific attack pattern.
Now configure fail2ban with your email address and your preferred defaults. You can set bantime and maxretry to your preference. It is also a good idea to enable the ssh-iptables jail; make sure to change the port if you are using something other than 22. Lastly, check the logpath. For CentOS the logpath for ssh-iptables is /var/log/secure. For Asterisk it may be /var/log/asterisk/full on some existing installs and /var/log/asterisk/messages on newer installs, depending on how it is set in the FreePBX Advanced Settings GUI and in /etc/asterisk/logger_logfiles_custom.conf. If you don't get these log paths right, fail2ban is not going to do anything.
Create the custom configuration file and edit it
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=asterisk@fail2ban.local]
logpath  = /var/log/secure
maxretry = 5

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=asterisk@fail2ban.local]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime  = 86400
Lastly, make sure the date format for the Asterisk log files is set properly for fail2ban. If you do not see the following entry in /etc/asterisk/logger.conf, logger_general_additional.conf, logger_general_custom.conf, logger_logfiles_additional.conf or logger_logfiles_custom.conf, then add it to logger_logfiles_custom.conf:
dateformat=%F %T
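Before restarting anything it is worth confirming that the filter, the jail's maxretry and the log date format agree with what Asterisk actually writes. fail2ban ships fail2ban-regex for running a filter against a real log; the script below is an added example (not part of this page or of fail2ban) that mimics that check: it expands <HOST> exactly as the filter comment describes, applies three of the failregex lines above to a constructed sample log in the %F %T date format, flags lines in any other timestamp format, and reports which hosts have reached the jail's maxretry of 5. The sample log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
# Expansion of the <HOST> tag, as described in the filter's own comment block.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Three failregex lines taken unchanged from the asterisk filter.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'",
]
COMPILED = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]
# dateformat=%F %T means every line must start with "YYYY-MM-DD HH:MM:SS".
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
MAXRETRY = 5  # maxretry from the [asterisk-iptables] jail
# Constructed sample log (not from a real system). The last line carries a
# bracketed timestamp, i.e. not the dateformat this page configures.
SAMPLE_LOG = """\
2013-05-02 10:15:01 NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
2013-05-02 10:15:02 NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
2013-05-02 10:15:03 NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
2013-05-02 10:15:04 NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
2013-05-02 10:15:05 NOTICE[1234] chan_sip.c: Registration from '"104"<sip:104@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
2013-05-02 10:16:01 NOTICE[1234] chan_sip.c: 192.0.2.44 failed to authenticate as 'admin'
2013-05-02 10:17:00 VERBOSE[1234] -- Registered SIP '300' at 203.0.113.9:5060
[May  2 10:18:00] NOTICE[1234] chan_sip.c: Registration from '"105"<sip:105@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
"""

def match_host(line):
    """Return the <HOST> captured by the first failregex that matches, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def scan(log_text):
    """Count failregex hits per host; collect lines not in the expected dateformat."""
    hits, bad_date = Counter(), []
    for line in log_text.splitlines():
        if not DATE_RE.match(line):
            bad_date.append(line)  # reported, not counted: the jail would not see it as expected
            continue
        host = match_host(line)
        if host:
            hits[host] += 1
    return hits, bad_date

def hosts_to_ban(log_text, maxretry=MAXRETRY):
    hits, _ = scan(log_text)  # hosts at or over maxretry go to the iptables action
    return sorted(h for h, n in hits.items() if n >= maxretry)
```

If a real /var/log/asterisk/full produces no hits or many flagged lines here, the logpath or the dateformat is wrong, which matches the warning above that fail2ban will then do nothing.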
Then restart Asterisk, or reload the Asterisk logger, for the changes to take effect:
amportal restart
or, from the Asterisk command prompt:
logger reload
That's it. Now make sure fail2ban starts. If it does not, double-check jail.conf and jail.local for syntax errors.
service fail2ban start