Add Asterisk jail to fail2ban

@Stll0 how do you trick FreePBX if you need to rewrite a configuration file? It is not mandatory, but the fail2ban team advises enabling the extra logging and using it in fail2ban to ban attackers

see https://www.fail2ban.org/wiki/index.php/Asterisk

The needed configurations are in two included log files:
/etc/asterisk/logger_general_additional.conf: dateformat=%F %T (which is correct)
and
/etc/asterisk/logger_logfiles_additional.conf: full => debug,error,notice,verbose,warning
in this one we should add security events. This can be done from the FreePBX interface -> Settings -> Asterisk logfile settings -> log files

I think that it isn't very nice to enable it by default for two reasons:

  • the security log is verbose with FreePBX because it logs a lot of false positive warnings about the dialplan
  • changing it means changing a MySQL row after installation (or changing the FreePBX installation) and we can't know if the user changed it or if it's a default setting

We could do it, but since it’s not mandatory and can be easily configured from interface, maybe it’s better to write it in documentation.

What do you think?
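What the jail does with those log lines can be shown on a small sample. The following Python script is an added example (it is not code from the thread, from fail2ban or from FreePBX): it parses constructed lines in the shape Asterisk writes to `full` when `dateformat=%F %T` is set, counts failed registrations per source address, and reports the addresses that reach `maxretry` failures inside a `findtime` window, which is the decision a fail2ban jail makes. The log lines, the `offenders` function and the thresholds are assumptions for the demonstration; fail2ban's real filter for Asterisk lives in its `filter.d/asterisk.conf` and matches more message variants than the single pattern used here.

```python
"""Added example (not part of the thread, fail2ban or FreePBX):
count failed SIP registrations per source IP in Asterisk's 'full' log the
way a fail2ban jail would, using the '%F %T' dateformat the thread
recommends, a findtime window and a maxretry threshold."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Prefix Asterisk writes when logger_general_additional.conf has
# dateformat=%F %T, e.g. "[2018-08-01 10:15:02] NOTICE[2210] ...".
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<level>\w+)\[\d+\] (?P<rest>.*)$"
)

# Failed-registration notices carry the remote address as 'host:port' after
# "failed for". This single pattern is an assumption; fail2ban's own filter
# covers more variants. Note it also counts "No matching peer found".
FAIL_RE = re.compile(r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'")

# Constructed sample log: one successful registration, five bad-credential
# attempts from one address within seconds, two from another 25 min apart.
SAMPLE_LOG = """\
[2018-08-01 10:15:02] VERBOSE[2210] chan_sip.c:     -- Registered SIP '100' at 192.0.2.10:5060
[2018-08-01 10:15:10] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5:5062' - Wrong password
[2018-08-01 10:15:11] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '203.0.113.5:5062' - Wrong password
[2018-08-01 10:15:12] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@192.0.2.1>' failed for '203.0.113.5:5062' - No matching peer found
[2018-08-01 10:15:13] NOTICE[2210] chan_sip.c: Registration from '"103" <sip:103@192.0.2.1>' failed for '203.0.113.5:5062' - Wrong password
[2018-08-01 10:15:14] NOTICE[2210] chan_sip.c: Registration from '"104" <sip:104@192.0.2.1>' failed for '203.0.113.5:5062' - Wrong password
[2018-08-01 10:30:00] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@192.0.2.1>' failed for '198.51.100.7:5060' - Wrong password
[2018-08-01 10:55:00] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@192.0.2.1>' failed for '198.51.100.7:5060' - Wrong password
"""


def parse_line(line):
    """Return (timestamp, source_ip) for a failed-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.search(m.group("rest"))
    if not f:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, f.group("ip")


def offenders(log_text, maxretry=5, findtime=600):
    """Map each IP that reached `maxretry` failures within `findtime`
    seconds to the timestamp at which a jail would have banned it.
    Hypothetical helper; mirrors fail2ban's sliding-window rule."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:          # a banned IP would not reach Asterisk again
            continue
        hits = [t for t in recent[ip] if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%F %T}")
```

With the defaults only 203.0.113.5 is reported: 198.51.100.7 made two failures 25 minutes apart, so they never fall in the same 600-second window. Raising `findtime` to an hour and lowering `maxretry` to 2 catches it too, which is exactly the trade-off between catching slow scanners and banning a user who mistypes a password twice.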

If we could break something by adding a new setting, you know the mantra: do not break existing installations. We could document it.

What is the news, how many attackers have you banned?

I could see a /var/log/asterisk/fail2ban, what is its content please?

Please could you test

yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-fail2ban-1.0.4-1.6.pr31.g57fccb2.ns7.noarch.rpm

Remember to remove your custom template

{"TotalBannedIP":{"sshd-ddos":1,"recidive":58,"apache-noscript":88,"apache-auth":6,"asterisk-tcp":2957,"sshd":1718,"asterisk-udp":2957}}

It is empty

La vache (French translation of wtf)

Did you see the number of asterisk bans :')

Have you installed the new rpm?

We are implementing the asterisk jail, is it possible for you to send me the two logs by email (stephdl at de-labrusse dot org)

/var/log/fail2ban.log
/var/log/asterisk/full

I feel the number of bans is a bit high; either you were under a heavy attack, or your users were banned, what do you think?

Did you make some configuration modifications in asterisk also?

Give me some days to install the rpm, I'm slightly busy!
The bans are high, but it's normal for a public VM!

Hi all

I hope that your holidays are/were good

I need some QA on this topic

Thanks for your help

I need this bug to be verified before releasing the new fail2ban statistics feature... please go on

:white_check_mark: The jail should be enabled, you can check it with fail2ban-client status asterisk
:white_check_mark: Check the UI, a new fieldset switch Communication exists, it replaces Instant messaging
:white_check_mark: With the asterisk auth checkbox you can disable the jail if needed (in /etc/fail2ban/jail.local check [asterisk] -> false or true)
:white_check_mark: On a real asterisk server you should wait to see the bans and whether they are false positives
:white_check_mark: The maxretry value is double the general maxretry value (/etc/fail2ban/jail.local check [asterisk])

:x: The jail is disabled if the asterisk service is disabled (/etc/fail2ban/jail.local check [asterisk])

I disabled the asterisk service via shell and ui, did “signal-event nethserver-fail2ban-save” but the jail is still up and the config file is unchanged.

I tested on a VM with only a green interface and port forwarding from the router. As client I used MicroSIP with a wrong password to simulate bans.
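The QA list above boils down to three invariants on /etc/fail2ban/jail.local: the [asterisk] jail is enabled exactly when the asterisk service is, its maxretry is twice the [DEFAULT] value, and it watches /var/log/asterisk/full. The following Python script is an added example (not nethserver-fail2ban's or fail2ban's own code) that checks those invariants against a jail.local text with the standard library's configparser, so a tester can run it on the real file instead of reading the sections by eye. The jail.local fragment embedded in it is constructed, the `check_asterisk_jail` function and its problem codes are assumptions, and the service state is passed in as a boolean that mirrors `config getprop asterisk status` on NethServer.

```python
"""Added example (not NethServer's or fail2ban's own code): verify the
invariants the QA checklist describes against a jail.local text."""
import configparser
import sys

# Constructed jail.local fragment in the shape the thread describes; the real
# file generated by nethserver-fail2ban carries more jails and options.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3

[sshd]
enabled = true

[asterisk]
enabled = true
logpath = /var/log/asterisk/full
maxretry = 6
"""

EXPECTED_LOGPATH = "/var/log/asterisk/full"


def load_jails(text):
    """Parse jail.local; interpolation is off because fail2ban uses %(...)s
    substitutions that configparser would otherwise try to resolve."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_asterisk_jail(text, asterisk_service_enabled):
    """Return the set of violated invariants (empty when all hold).
    `asterisk_service_enabled` mirrors `config getprop asterisk status`
    (hypothetical parameter for this example)."""
    cp = load_jails(text)
    problems = set()
    if not cp.has_section("asterisk"):
        # "jail 'asterisk' does not exist" is fine only when the service is
        # disabled, which is what the thread's fail2ban-client output shows.
        if asterisk_service_enabled:
            problems.add("jail-missing")
        return problems
    jail_on = cp.getboolean("asterisk", "enabled", fallback=False)
    if jail_on != asterisk_service_enabled:
        problems.add("enabled-mismatch")
    # getint falls back to [DEFAULT] when the jail has no maxretry of its own,
    # so a missing jail-level value is reported as "not double" too.
    default_retry = int(cp.defaults().get("maxretry", 5))
    if cp.getint("asterisk", "maxretry", fallback=default_retry) != 2 * default_retry:
        problems.add("maxretry-not-double")
    if cp.get("asterisk", "logpath", fallback="") != EXPECTED_LOGPATH:
        problems.add("wrong-logpath")
    return problems


if __name__ == "__main__":
    # Usage: check_jail.py [/etc/fail2ban/jail.local] [enabled|disabled]
    text = SAMPLE_JAIL_LOCAL
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    service_on = (sys.argv[2] if len(sys.argv) > 2 else "enabled") == "enabled"
    found = check_asterisk_jail(text, service_on)
    print("OK" if not found else "problems: " + ", ".join(sorted(found)))
```

Run it once with the service enabled and once after `config setprop asterisk status disabled` followed by `signal-event nethserver-fail2ban-save`; the second run should report `enabled-mismatch` only if the event failed to rewrite the jail, which is the case the :x: item above was chasing.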

Sorry but I cannot reproduce, can you check again, this is what I did

[root@ns7loc15 ~]# config setprop asterisk status disabled
[root@ns7loc15 ~]# signal-event nethserver-fail2ban-save 
[root@ns7loc15 ~]# fail2ban-client status asterisk
ERROR  NOK: ('asterisk',)
Sorry but the jail 'asterisk' does not exist

[root@ns7loc15 ~]# config setprop asterisk status enabled
[root@ns7loc15 ~]# signal-event nethserver-fail2ban-save 
[root@ns7loc15 ~]# fail2ban-client status asterisk
Status for the jail: asterisk
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/asterisk/full
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:

you can also see in /etc/fail2ban/jail.local whether the jail is enabled/disabled

I used this rpm, is it the same ?

[root@ns7loc15 ~]# rpm -qa nethserver-fail2ban
nethserver-fail2ban-1.0.4-1.4.g41ce7d0.ns7.noarch

What UI did you try? The Status/services UI stops only the service at the systemd level, nothing at the esmith layer

My fault. I only did a systemctl disable --now. Disabling asterisk via e-smith disables the fail2ban jail.

Am I too paranoid when bells and whistles go off when I read such a thing? Is it necessary to make the GUI services status/stop option also stop at the e-smith layer level?

I do not think so, this panel is here to manage the service restart/stop; if you want to disable a service completely, I suppose it is the role of the relevant configuration panel

for example you can stop fail2ban from the service panel, but I provide a status checkbox to disable the service in the fail2ban setting panel

@mrmarkuz can we release this rpm, is the jail not too aggressive, generating false positives (good guys banned)?

merci par avance (thanks in advance)

On the test VM it works as expected, some bad guys were banned, my SIP client can still connect.
