Add Asterisk jail to fail2ban

fail2ban
asterisk

(Alessandro) #1

NethServer Version: 7.5.1804
Module: fail2ban

Hi,
I would like to create/enable a jail for asterisk.
In security -> fail2ban there’s no asterisk checkbox.
How can I add this jail without breaking anything else?


(Michael Träumner) #2

@support_team
I found this:

https://www.fail2ban.org/wiki/index.php/Asterisk

Has somebody an idea how to do it?


(Rob Bosch) #3

Maybe @stephdl can have a look. He’s the maintainer for fail2ban.


(Stéphane de Labrusse) #4

do you have some evidence of intrusion attempts in the asterisk logs? That could be a good start


(Stéphane de Labrusse) #5

create a file

vim /etc/e-smith/templates/etc/fail2ban/jail.local/10Asterisk

put this content

[asterisk]
enabled  = true
port     = 5060,5061
logpath  = /var/log/asterisk/messages
maxretry = 3

I suppose that the log file is /var/log/asterisk/messages, please double check

then expand the file

signal-event nethserver-fail2ban-save

verify the jail exists

fail2ban-listban

run it a few days and report; if you want a precise statistic then do

cat /var/lib/nethserver/fail2ban/fail2ban.json


(Alessandro) #6

Thanks for support!
the log path is /var/log/asterisk/full

I followed your instruction and it works perfectly!

asterisk Jail enabled
- Currently banned: 7 - Total banned after service start: 7
- Banned IP: list of banned ip

Here is a sample of a bad registration attempt:
[2018-06-27 22:29:47] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2001" sip:2001@XX.XX.XX.XX' failed for '46.17.41.96:5209' (callid: 2302148521) - Failed to authenticate
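As an added illustration (not code from this thread or from the NethServer fail2ban module), here is the counting rule the asterisk jail applies, replayed in Python over a constructed /var/log/asterisk/full excerpt modelled on the NOTICE line quoted above: a host is banned once it reaches maxretry failures inside a findtime window. The regex is a simplified stand-in for fail2ban's own asterisk filter, and the addresses, timestamps and callids are made up.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/asterisk/full (RFC 5737 documentation
# addresses, not real hosts); the VERBOSE line shows non-matching noise.
SAMPLE_LOG = """\
[2018-06-27 22:29:47] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2001" <sip:2001@192.0.2.10>' failed for '198.51.100.7:5209' (callid: 1001) - Failed to authenticate
[2018-06-27 22:29:49] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2001" <sip:2001@192.0.2.10>' failed for '198.51.100.7:5209' (callid: 1002) - Failed to authenticate
[2018-06-27 22:30:01] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2002" <sip:2002@192.0.2.10>' failed for '203.0.113.5:5060' (callid: 2001) - Failed to authenticate
[2018-06-27 22:30:02] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2001" <sip:2001@192.0.2.10>' failed for '198.51.100.7:5209' (callid: 1003) - Failed to authenticate
[2018-06-27 22:31:10] VERBOSE[774] pbx.c: Executing [s@macro-hangupcall:1] NoOp("PJSIP/2001-00000001", "")
[2018-06-27 23:45:00] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2002" <sip:2002@192.0.2.10>' failed for '203.0.113.5:5060' (callid: 2002) - Failed to authenticate
[2018-06-28 01:10:00] NOTICE[774]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request 'REGISTER' from '"2002" <sip:2002@192.0.2.10>' failed for '203.0.113.5:5060' (callid: 2003) - Failed to authenticate
"""

# Simplified stand-in for a fail2ban failregex: capture the timestamp
# (dateformat "%F %T") and the IPv4 source of a failed authentication.
FAILED_AUTH = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]: "
    r".*failed for '(?P<host>[0-9.]+):\d+' .*Failed to authenticate$")


def find_offenders(log_text, maxretry=3, findtime=600):
    """Replay fail2ban's rule: ban a host the moment it has `maxretry`
    failures within a sliding window of `findtime` seconds.
    Returns {host: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> deque of failure times still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if not m or m["host"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent.setdefault(m["host"], deque())
        hits.append(ts)
        while ts - hits[0] > window:   # expire failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[m["host"]] = m["ts"]
    return banned


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))                  # default 10-minute window
    print(find_offenders(SAMPLE_LOG, findtime=3 * 3600))  # slow attacker caught
```

With the default 10-minute findtime only the fast attacker is banned; widening the window also catches the host that spreads three failures over a few hours.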


(Stéphane de Labrusse) #7

if you uninstall asterisk, remember to remove the custom file; please monitor it and we could add it by default


(Stéphane de Labrusse) #8

please could you take a look at https://www.fail2ban.org/wiki/index.php/Asterisk

and could you paste the content of /etc/asterisk/logger.conf


(Alessandro) #9

The file is all commented.

;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. All modifications to ;
; this file must be done via the web gui. There are alternative files to make    ;
; custom modifications, details at: http://freepbx.org/configuration_files       ;
;--------------------------------------------------------------------------------;
;
; This file is part of FreePBX.
;
;    FreePBX is free software: you can redistribute it and/or modify
;    it under the terms of the GNU General Public License as published by
;    the Free Software Foundation, either version 2 of the License, or
;    (at your option) any later version.
;
;    FreePBX is distributed in the hope that it will be useful,
;    but WITHOUT ANY WARRANTY; without even the implied warranty of
;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;    GNU General Public License for more details.
;
;    You should have received a copy of the GNU General Public License
;    along with FreePBX.  If not, see <http://www.gnu.org/licenses/>.
;
; Copyright (C) 2007 Astrogen LLC (USA)

[general]
#include logger_general_additional.conf
#include logger_general_custom.conf

[logfiles]
#include logger_logfiles_additional.conf
#include logger_logfiles_custom.conf

(Stéphane de Labrusse) #10

@Stll0 how do you trick freepbx if you need to rewrite a configuration file? It is not mandatory, but the fail2ban team advises enabling the extra logging and using it in fail2ban to ban attackers

see https://www.fail2ban.org/wiki/index.php/Asterisk


(Stefano Fancello) #11

the needed configurations are in two included logfiles:
/etc/asterisk/logger_general_additional.conf: dateformat=%F %T (which is correct)
and
/etc/asterisk/logger_logfiles_additional.conf: full => debug,error,notice,verbose,warning
in this one we should add security events. This can be done from the FreePBX interface -> Settings -> Asterisk logfile settings -> log files

I think that it isn’t very nice to enable it by default for two reasons:

  • the security log is verbose with FreePBX because it logs a lot of false positive warnings about the dialplan
  • changing it means changing a mysql row after installation (or changing the FreePBX installation) and we can’t know if the user changed it or if it’s a default setting

We could do it, but since it’s not mandatory and can be easily configured from interface, maybe it’s better to write it in documentation.

What do you think?


(Stéphane de Labrusse) #12

if we could break something by adding a new setting, you know the mantra: do not break existing installations. We could document it


(Stéphane de Labrusse) #13

What’s the news, how many attackers have you banned?


(Stéphane de Labrusse) #14

I could see a /var/log/asterisk/fail2ban; what is its content please?


(Stéphane de Labrusse) #15

please could you test

yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-fail2ban-1.0.4-1.6.pr31.g57fccb2.ns7.noarch.rpm

remember to remove your custom template


(Alessandro) #16

{"TotalBannedIP":{"sshd-ddos":1,"recidive":58,"apache-noscript":88,"apache-auth":6,"asterisk-tcp":2957,"sshd":1718,"asterisk-udp":2957}}

It is empty


(Stéphane de Labrusse) #17

La vache (French translation of wtf)

Did you see the asterisk number of bans :’)

Have you installed the new rpm?


(Stéphane de Labrusse) #18

We are implementing the asterisk jail; is it possible you send me the two logs by email (stephdl at de-labrusse dot org)

/var/log/fail2ban.log
/var/log/asterisk/full

I feel the number of bans is a bit high; either you were under a heavy attack, or your users were banned. What do you think?

did you also make some configuration modifications in asterisk?


(Alessandro) #19

Give me some days to install the rpm, I’m slightly busy!
the bans are high, but it’s normal for a public vm!


(Stéphane de Labrusse) #20

Hi all

I hope that your holidays are/were good

I need some QA on this topic

thanks for your help

