
Upgrade to Asterisk 11 and fail2ban 0.8.8 to protect Asterisk

Posted by Garinich, 9 December 2013

Enable security channel logs

  1. For FreePBX users, the “Log File Setting” module does not offer security as a log level option, so the only way is to edit the file /etc/asterisk/logger_logfiles_custom.conf. By default, the “messages” channel is also not created in FreePBX, so enable it now if you want to take advantage of fail2ban. Add the following line (FreePBX users):

    messages => security,notice,warning,error
  2. If you’re not using FreePBX, simply add the line above to logger.conf under the [logfiles] section
  3. Reload the logger
    #asterisk -rx "logger reload"
  4. Now check that the messages log is being populated; in my installation the log files are in /var/log/asterisk/
    #tail -f /var/log/asterisk/messages
  5. If you see entries with “SECURITY” as the event type, it works; proceed to the next step

Install/use/upgrade/configure/autostart to latest fail2ban

The apt repo for fail2ban is only at version 0.6.X, which lacks some useful features such as unbanning a single host. Install fail2ban with dpkg first, then upgrade it from the source tarball

  1. #wget http://ftp.us.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.8.6-3wheezy1_all.deb
  2. #dpkg -i fail2ban_0.8.6-3wheezy1_all.deb
    This will properly populate all files for you, including the init.d script
  3. Now, we perform the upgrade
  4. #wget http://www.astiostech.com/asterisk-installer/astbin/current/fail2ban_0.8.8.orig.tar.gz
  5. #tar -zxvf fail2ban_0.8.8.orig.tar.gz
  6. #cd fail2ban && python setup.py install
  7. Now, let's start editing the important files; be sure to copy and paste correctly
  8. #cd /etc/fail2ban
  9. #cp jail.conf jail.original.conf
  10. #nano jail.conf 
    Be sure to edit the dest email. This action triggers iptables-allports, meaning the source address is banned from all ports for 259200 seconds after 6 attempts. Modify as you wish. An email with WHOIS information will be sent to the email address specified. Notice we are checking /var/log/asterisk/messages, as enabled above, for the event triggers defined in item 15 (asterisk.conf) below.

    Add the following to the end of jail.conf

    ##start##
    [asterisk-iptables]

    enabled  = true
    filter   = asterisk
    action   = iptables-allports[name=ASTERISK, protocol=all]
    # Modify the line below to send email (or comment it out); make sure exim4 has been reconfigured
               mail-whois[name=ASTERISK, dest=support@astiostech.com, sender=root@asterisk.localhost]
    logpath  = /var/log/asterisk/messages
    maxretry = 6
    bantime = 259200

    ##end##

  11. Inside jail.conf there's an option called ignoreip = 127.0.0.1; add any further IPs you want to whitelist there. Each "ignoreip" entry can be an IP address, a CIDR mask or a DNS host name, with entries separated by a space.
  12. Now we edit the filter. This is where we take advantage of the security log; see the final few entries, which also match security-log-based entries.
  13. #cd /etc/fail2ban/filter.d/
  14. #cp asterisk.conf asterisk.original.conf
  15. #nano asterisk.conf
    Copy and paste exactly as shown below; remember, each failregex entry must be on a single line even if the blog doesn't display it that way. Change where you see fit, but if you don't know what you're doing, don't change it.

    ##start##

    # Fail2Ban configuration file
    # Author: Xavier Devlamynck

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile.
    # Values:  TEXT
    #
    log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

    failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
                ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
                ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
                ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
                ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
                ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
                ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
                ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
                ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
                ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
                ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
                ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
                ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
                ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

    ##end##

  16. And that's it; it will now detect almost any kind of security related event. If you know how to edit regexes, this becomes a super security Swiss army knife for you.
  17. Now, start/restart fail2ban
    #/etc/init.d/fail2ban restart
  18. Check whether fail2ban is running
    #iptables -L -vn
    You should see the fail2ban-ASTERISK chain (named after name=ASTERISK in the jail action) somewhere near the end of the iptables chain listing
  19. Now, before you run the test below, be sure you have another way to reach your server in case it gets banned
  20. Do a sipvicious scan on your server and after 6 lame attempts, you get banned! [or not, if the above is not configured properly]
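To see how the failregex lines from item 15 and the maxretry / ignoreip settings from items 10 and 11 actually work together, here is an added Python script (not fail2ban's code and not part of the original post). It assumes the fail2ban 0.8.x expansions of <HOST> and __pid_re from common.conf, strips the timestamp the way fail2ban does before matching (which is why log_prefix starts with "[]"), and runs three of the page's patterns over constructed sample lines in the /var/log/asterisk/messages format:

```python
import re
from collections import Counter

# Assumed fail2ban 0.8.x substitutions (common.conf and the <HOST> tag); added illustration, not fail2ban code.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # what fail2ban puts in for <HOST>
PID_RE = r"(?:\[\d+\])"                               # __pid_re from common.conf
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[\S+\d*\])? \S+:\d*"

# Three of the page's failregex lines: two classic NOTICE forms and the Asterisk 11 SECURITY event.
FAILREGEX = [
    r"^%(p)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$",
    r"^%(p)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$",
    r'^%(p)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",'
    r'Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",'
    r'LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$',
]
COMPILED = [re.compile((rx % {"p": LOG_PREFIX}).replace("<HOST>", HOST_RE)) for rx in FAILREGEX]

# fail2ban removes the timestamp it detected before matching, which is why log_prefix starts with "[]".
DATE_RE = re.compile(r"^\[[^\]]*\]")

def failed_host(line):
    """Return the remote host if the line matches one failregex, else None."""
    stripped = DATE_RE.sub("[]", line.rstrip("\n"), count=1)
    for rx in COMPILED:
        m = rx.match(stripped)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=6, ignoreip=("127.0.0.1",)):
    """Hosts reaching maxretry matches, minus the jail.conf ignoreip whitelist."""
    counts = Counter(h for h in map(failed_host, lines) if h and h not in ignoreip)
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample of /var/log/asterisk/messages lines (documentation addresses, not real traffic).
SAMPLE = (
    ["[2013-12-09 10:00:0%d] NOTICE[1234][C-0000000%d] chan_sip.c: Registration from "
     "'\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password" % (i, i)
     for i in range(4)]
    + ['[2013-12-09 10:00:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",'
       'EventTV="1386583205-1",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",'
       'SessionID="0x7f1a2b",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/'
       '198.51.100.7/5060",Challenge="1a2b3c",ReceivedChallenge="1a2b3c",ReceivedHash="0123abcd"'] * 2
    + ["[2013-12-09 10:00:07] NOTICE[1234] chan_sip.c: Registration from '<sip:x@203.0.113.9>' "
       "failed for '203.0.113.9:5060' - No matching peer found",
       "[2013-12-09 10:00:08] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)"]
)
print(hosts_to_ban(SAMPLE))  # ['198.51.100.7']
```

On the real box the equivalent check is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many log lines each failregex matched. If Asterisk writes both a NOTICE and a SECURITY line for one failed REGISTER, both count toward maxretry, so the ban may come sooner than 6 real attempts.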

Source
