Add Asterisk jail to fail2ban

NethServer Version: 7.5.1804
Module: fail2ban

Hi,
I would like to create/enable a jail for asterisk.
In security -> fail2ban there’s no asterisk checkbox.
How can i add this jail without breaking anything else?


@support_team
I found this:

https://www.fail2ban.org/wiki/index.php/Asterisk

Has somebody an idea how to do it?

Maybe @stephdl can have a look. He’s the maintainer for fail2ban.

Do you have some evidence of intrusion attempts in the asterisk logs? That could be a good start.

create a file

vim /etc/e-smith/templates/etc/fail2ban/jail.local/10Asterisk

put this content

[asterisk]
enabled  = true
port     = 5060,5061
logpath  = /var/log/asterisk/messages
maxretry = 3

I suppose that the log file is /var/log/asterisk/messages, please double check

then expand the file

signal-event nethserver-fail2ban-save

verify that the jail exists

fail2ban-listban

Run it for a few days and report. If you want precise statistics, do

cat /var/lib/nethserver/fail2ban/fail2ban.json


Thanks for the support!
The log path is /var/log/asterisk/full

I followed your instruction and it works perfectly!

asterisk Jail enabled
- Currently banned: 7 - Total banned after service start: 7
- Banned IP: list of banned ip

Here is a sample of a bad registration attempt:
[2018-06-27 22:29:47] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2001" sip:2001@XX.XX.XX.XX' failed for '46.17.41.96:5209' (callid: 2302148521) - Failed to authenticate

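To show what the jail from the reply above actually does with a line like the one just posted, here is an added example (not code from the thread, from NethServer or from fail2ban). It renders the same jail.local fragment and then replays fail2ban's counting rule over constructed /var/log/asterisk/full lines. Assumptions: the regex is my approximation of the stock filter.d/asterisk.conf match for res_pjsip "Request ... failed for" lines (IPv4 only), findtime is assumed to be 600 s because the fragment only sets maxretry, and every log line is constructed for the example with documentation and private IP ranges.

```python
"""Added example (not from the thread, NethServer or fail2ban): what the
asterisk jail described above does, replayed in plain Python.

Assumptions, all labelled: the regex approximates fail2ban's stock
filter.d/asterisk.conf match for res_pjsip "Request ... failed for" lines
(IPv4 only); findtime is assumed to be 600 s because the thread's fragment
only sets maxretry; every log line below is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def render_jail_fragment(logpath="/var/log/asterisk/full", maxretry=3,
                         port="5060,5061"):
    """Render the jail.local fragment the thread installs as
    /etc/e-smith/templates/etc/fail2ban/jail.local/10Asterisk.
    The default logpath is the one the original poster found on FreePBX."""
    return "\n".join([
        "[asterisk]",
        "enabled  = true",
        f"port     = {port}",
        f"logpath  = {logpath}",
        f"maxretry = {maxretry}",
        "",
    ])


# Approximation (assumed, not the stock regex) of the fail2ban asterisk
# filter.  Timestamps follow Asterisk's dateformat=%F %T, which the thread
# confirms is set in logger_general_additional.conf.
FAILED_REQUEST = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?:NOTICE|WARNING|SECURITY)\[\d+\](?:\[[^\]]*\])?: "
    r"\S+:\d+ log_failed_request: "
    r"Request '[A-Z]+' from '[^']*' failed for "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' "
    r"\(callid: [^)]*\) - "
    r"(?:Failed to authenticate|No matching endpoint found)\s*$"
)


def parse_failure(line):
    """Return (timestamp, source IP) for a failed SIP request line, else None."""
    m = FAILED_REQUEST.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


def scan(lines, maxretry=3, findtime=600):
    """Replay fail2ban's counting rule: a host is banned once it has
    `maxretry` matches inside a sliding window of `findtime` seconds.
    Returns (banned hosts in ban order, live failure count per host)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue  # dialplan warnings, successful registrations, etc.
        ts, host = hit
        if host in banned:
            continue  # already banned; fail2ban's firewall rule drops it now
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            banned.append(host)
    return banned, {h: len(q) for h, q in recent.items()}


# Constructed /var/log/asterisk/full excerpt (the first line mirrors the shape
# of the one posted in the thread; IPs are documentation/private ranges).
SAMPLE_LOG = [
    "[2018-06-27 22:29:47] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '\"2001\" <sip:2001@192.0.2.10>' failed for '46.17.41.96:5209' (callid: 2302148521) - Failed to authenticate",
    "[2018-06-27 22:29:48] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '\"2001\" <sip:2001@192.0.2.10>' failed for '46.17.41.96:5209' (callid: 2302148522) - Failed to authenticate",
    # FreePBX dialplan noise: must NOT count as an attack.
    "[2018-06-27 22:29:50] WARNING[774][C-00000003]: pbx.c:4472 pbx_extension_helper: No such label 'skip' in extension '1234' in context 'from-internal'",
    "[2018-06-27 22:29:51] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '\"2001\" <sip:2001@192.0.2.10>' failed for '46.17.41.96:5209' (callid: 2302148523) - Failed to authenticate",
    # A local user mistyping a password once: stays under maxretry.
    "[2018-06-27 22:30:05] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '\"1001\" <sip:1001@192.0.2.10>' failed for '10.0.0.5:5060' (callid: 77f0c1a2) - Failed to authenticate",
    # Three failures spread over 30 minutes: never 3 inside a 600 s window.
    "[2018-06-27 22:40:00] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'INVITE' from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' (callid: a1) - No matching endpoint found",
    "[2018-06-27 22:55:00] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'INVITE' from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' (callid: a2) - No matching endpoint found",
    "[2018-06-27 23:10:00] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'INVITE' from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' (callid: a3) - No matching endpoint found",
]

if __name__ == "__main__":
    print(render_jail_fragment())
    banned, counts = scan(SAMPLE_LOG)
    print("banned:", banned)          # ['46.17.41.96']
    print("failures in window:", counts)
```

Run it stand-alone and only 46.17.41.96 ends up banned: the dialplan WARNING is ignored, the single local failure from 10.0.0.5 stays under maxretry, and the slow scanner at 198.51.100.7 never accumulates three hits inside the window, which is exactly why a real deployment should also tune findtime and bantime rather than rely on maxretry alone.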

If you uninstall asterisk, remember to remove the custom file. Please monitor it and we could add it by default.


Please, could you take a look at https://www.fail2ban.org/wiki/index.php/Asterisk

and could you paste the content of /etc/asterisk/logger.conf?

The file is all commented.

;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. All modifications to ;
; this file must be done via the web gui. There are alternative files to make    ;
; custom modifications, details at: http://freepbx.org/configuration_files       ;
;--------------------------------------------------------------------------------;
;
; This file is part of FreePBX.
;
;    FreePBX is free software: you can redistribute it and/or modify
;    it under the terms of the GNU General Public License as published by
;    the Free Software Foundation, either version 2 of the License, or
;    (at your option) any later version.
;
;    FreePBX is distributed in the hope that it will be useful,
;    but WITHOUT ANY WARRANTY; without even the implied warranty of
;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;    GNU General Public License for more details.
;
;    You should have received a copy of the GNU General Public License
;    along with FreePBX.  If not, see <http://www.gnu.org/licenses/>.
;
; Copyright (C) 2007 Astrogen LLC (USA)

[general]
#include logger_general_additional.conf
#include logger_general_custom.conf

[logfiles]
#include logger_logfiles_additional.conf
#include logger_logfiles_custom.conf

@Stll0 how do you trick FreePBX if you need to rewrite a configuration file? It is not mandatory, but the fail2ban team advises enabling the extra logging and using it in fail2ban to ban attackers.

see https://www.fail2ban.org/wiki/index.php/Asterisk

The needed configurations are in two included files:
/etc/asterisk/logger_general_additional.conf: dateformat=%F %T (which is correct)
and
/etc/asterisk/logger_logfiles_additional.conf: full => debug,error,notice,verbose,warning
In this one we should add security events. This can be done from the FreePBX interface -> Settings -> Asterisk logfile settings -> log files

I think that it isn't very nice to enable it by default for two reasons:

  • the security log is verbose with FreePBX because it logs a lot of false-positive warnings about the dialplan
  • changing it means changing a MySQL row after installation (or changing the FreePBX installation) and we can't know if the user changed it or if it's a default setting

We could do it, but since it’s not mandatory and can be easily configured from interface, maybe it’s better to write it in documentation.

What do you think?


If we could break something by adding a new setting, you know the mantra: do not break existing installations. We could document it.

What's the news, how many attackers have you banned?

I could see a /var/log/asterisk/fail2ban file, what is its content, please?

Please, could you test

yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-fail2ban-1.0.4-1.6.pr31.g57fccb2.ns7.noarch.rpm

Remember to remove your custom template.

{"TotalBannedIP":{"sshd-ddos":1,"recidive":58,"apache-noscript":88,"apache-auth":6,"asterisk-tcp":2957,"sshd":1718,"asterisk-udp":2957}}

It is empty.


La vache (French translation of wtf)

Did you see the asterisk number of bans :')

Have you installed the new rpm?


We are implementing the asterisk jail, is it possible for you to send me the two logs by email (stephdl at de-labrusse dot org)?

/var/log/fail2ban.log
/var/log/asterisk/full

I feel the number of bans is a bit high: either you were under heavy attack, or your users were banned, what do you think?

Did you also make some configuration modifications in asterisk?


Give me some days to install the rpm, I'm slightly busy!
The bans are high, but it's normal for a public VM!

Hi all

I hope that your holidays are/were good

I need some QA on this topic

Thanks for your help