Securing Asterisk IP-PBX with Fail2Ban


What is Fail2Ban?

Any service that is exposed to the internet is susceptible to attacks from malicious parties. If your service requires authentication, illegitimate users and bots will attempt to break into your system by repeatedly trying to authenticate using different credentials.

A common example of this is with SSH, which will be the subject of bot attacks that attempt to brute force common account names. Luckily, services like fail2ban were created to help us mitigate these attacks.

Fail2ban works by dynamically altering the firewall rules to ban addresses that have unsuccessfully attempted to log in a certain number of times.

Set up EPEL repository

For CentOS5 32 or 64 bit

For CentOS6 32 or 64 bit

Install fail2ban and set it to start on boot

Make sure both fail2ban and iptables are set to start on boot (chkconfig output should look like this):

fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off

iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Create the asterisk fail2ban filter

This is just a sample filter. Search the web for newer failregex lines that can be added to the fail2ban Asterisk filter, or for lines that match a specific attack you want to block.

Now configure fail2ban with your email address and your preferred defaults. Set bantime and maxretry to your preference. It is also a good idea to enable the ssh-iptables filter; make sure to change the port if you are using something other than 22. Lastly, check the logpath. On CentOS the logpath for ssh-iptables is /var/log/secure. For Asterisk it may be /var/log/asterisk/full on some existing installs and /var/log/asterisk/messages on newer installs, depending on how logging is set in the FreePBX Advanced Settings GUI and in /etc/asterisk/logger_logfiles_custom.conf. If these log paths are wrong, fail2ban will not do anything, because it never sees the failed logins.

Create the custom configuration file and edit

ssh-iptables should already be there. Just change enabled = false to enabled = true and adjust the other defaults as needed. Add the asterisk-iptables entry to the end of the file. Double check the logpath.
Lastly, make sure the date format for the Asterisk log files is set properly for fail2ban, otherwise its failregex will not match the timestamps. If you do not see the following entry in /etc/asterisk/logger.conf, logger_general_additional.conf, logger_general_custom.conf, logger_logfiles_additional.conf or logger_logfiles_custom.conf, then add it to logger_logfiles_custom.conf
Then restart Asterisk, or reload the Asterisk logger, for the change to take effect.
Alternatively, from the Asterisk command prompt run: logger reload. That's it. Now make sure fail2ban starts. If it does not, double check jail.conf for syntax errors.
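To show why the logpath and date format matter, here is an added example (not code from this page or from fail2ban) that mimics what the jail does: a hypothetical failregex modelled on the chan_sip "Registration ... failed" notice is run over constructed Asterisk log lines, failures per source host are counted within findtime, and hosts reaching maxretry are reported. It assumes Asterisk writes timestamps as %F %T; a line in the default date format is deliberately included to show that it is skipped.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical failregex (an assumption, not the page's filter): fail2ban replaces
# <HOST> with a host-matching group; here the group is written out directly.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?:Wrong password|No matching peer found)$"
)
DATEFORMAT = "%Y-%m-%d %H:%M:%S"  # what Asterisk writes with dateformat=%F %T (assumed)

def parse_line(line):
    """Return (timestamp, host) for a matching failure line, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), DATEFORMAT)
    except ValueError:
        return None  # wrong date format: the line is silently ignored, just like in fail2ban
    return ts, m.group("host")

def find_bans(lines, maxretry=5, findtime=600):
    """Return hosts that reach maxretry failures within a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample log lines (not real traffic): 203.0.113.5 fails five times in a few
# seconds, 198.51.100.7 fails twice, and the last line uses Asterisk's default date format.
SAMPLE_LOG = [
    "[2024-01-01 12:00:%02d] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.1>' failed for '203.0.113.5:5060' - Wrong password" % s
    for s in range(5)
] + [
    "[2024-01-01 12:01:00] NOTICE[1234] chan_sip.c: Registration from '\"200\" <sip:200@10.0.0.1>' failed for '198.51.100.7:5060' - No matching peer found",
    "[2024-01-01 12:01:05] NOTICE[1234] chan_sip.c: Registration from '\"200\" <sip:200@10.0.0.1>' failed for '198.51.100.7:5060' - No matching peer found",
    "[Jan  1 12:02:00] NOTICE[1234] chan_sip.c: Registration from '\"300\" <sip:300@10.0.0.1>' failed for '192.0.2.9:5060' - Wrong password",
]

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))  # ['203.0.113.5']
```

The last sample line is a valid failure but never counts, which is exactly what happens to a whole log file when dateformat is not set as described above.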
