Hi,
I thought that the max tries for fail2ban jails was set to 3. I thought
Here’s what I get, anything I can do to limit attempts to max 3 pls?
Hi,
The IP 185.53.91.81 has just been banned by Fail2Ban after
158 attempts against asterisk.
My bad…
config show fail2ban shows xxx_MaxTry empty. Obviously I need to set the max tries per jail and do a signal-event update and restart.
Sorry for the noise
You can set a specific maxretry per jail like you found, but the global maxretry is set to 3
Maxretry is a value of fail2ban, but iirc for ssh you need to fail your passwd two or three times to match one maxretry
Something was wrong with fail2ban, by setting a specific maxretry you probably restarted the service.
You could check the jail.local and see if the global maxretry is set in each jail
@stephdl, thanks. jail.local has maxretry set at 6 times, so I wonder how it is possible one can attempt 148 times?
fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf --print-all-matched
this should output all matched lines; if your attacker is inside, the jail is workable, but fail2ban stopped banning
If not, either asterisk is writing to another log, or the syntax has changed and we do not catch it with the regex
You can test it on your log, also you can attach here the exact log lines
Output (Snippet)
Lines: 173 lines, 0 ignored, 27 matched, 146 missed
[processed in 0.04 sec]
|- Matched line(s):
| [2019-01-29 06:08:29] NOTICE[1450] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5086' (callid: 182649394416439887395489) - No matching endpoint found
| [2019-01-29 06:58:55] NOTICE[8470] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.53:5068' (callid: 939954679526990676233405) - No matching endpoint found
| [2019-01-29 07:15:16] NOTICE[10760] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5133' (callid: 803368134821551636268778) - No matching endpoint found
| [2019-01-29 07:59:52] NOTICE[16840] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '37.49.231.27:5075' (callid: 848321346759718952014621) - No matching endpoint found
| [2019-01-29 08:10:08] NOTICE[18236] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '137.74.22.148:5078' (callid: 382528061182328321042861) - No matching endpoint found
| [2019-01-29 08:21:04] NOTICE[19735] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5141' (callid: 190592569010758388135326) - No matching endpoint found
| [2019-01-29 09:02:51] NOTICE[25465] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"103" sip:103@5.189.169.51' failed for '62.233.65.182:5071' (callid: a2e129ed750dc8e0dcf61d6ca3bef2be) - No matching endpoint found
| [2019-01-29 09:27:17] NOTICE[28792] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5115' (callid: 1101258264432760020140360) - No matching endpoint found
| [2019-01-29 09:57:37] NOTICE[629] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"Bob" sip:100@46.166.160.136' failed for '103.50.161.207:5791' (callid: 468873843181106665471075) - No matching endpoint found
| [2019-01-29 09:57:53] NOTICE[629] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1558923098" sip:1558923098@5.189.169.51' failed for '103.50.161.207:6061' (callid: 4063560344) - No matching endpoint found
etc. etc.
matched lines are not really interesting, because they were caught by the regex, missed lines are really much more interesting
Thanks.
131.255.92.29 is your attacker?
yes it is
good news, the regex cannot catch this attack... give me time to think on it
Many thanks!
As a thought, “failed to authenticate as” is a common returning entry
yep but in that case we have
manager.c: 131.255.92.29 failed to authenticate as
and the regex catches
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
so we miss the ':' and a '.*' to match manager.c:
you could try to add to /etc/fail2ban/filter.d/asterisk.conf
^%(__prefix_line)s%(log_prefix)s .*: <HOST> failed to authenticate as '[^']*'$
and verify with fail2ban-regex
please send me your log file
I have sent you a pm with login credentials
^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to authenticate as '.*'$
^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> tried to authenticate with nonexistent user '.*'$
^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to pass IP ACL as '.*'$
try this, workable from the log you gave, add this to the /etc/fail2ban/filter.d/asterisk.conf
respect indentations in the regex files
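As an added illustration of the fail2ban-regex check suggested earlier and of why the three new failregex lines catch the manager.c wording while the original "Host <HOST>" line misses it, here is a small Python stand-in for the matcher run over a constructed log. It is not code from the thread or from fail2ban itself; the `__prefix_line`/`log_prefix` expansion and the `<HOST>` pattern are simplified assumptions (real fail2ban's `<HOST>` also accepts hostnames and IPv6).

```python
import re
from collections import Counter

# failregex lines as they would sit in /etc/fail2ban/filter.d/asterisk.conf.
# The prefix is expanded by hand to the "[date] NOTICE[pid]" form seen in the
# thread's log output (assumption: that is what __prefix_line/log_prefix yield).
ORIGINAL_FAILREGEX = [
    r"^\[.*\] NOTICE\[[0-9]+\] .* Host <HOST> failed to authenticate as '[^']*'$",
]
NEW_FAILREGEX = [
    r"^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to authenticate as '.*'$",
    r"^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> tried to authenticate with nonexistent user '.*'$",
    r"^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to pass IP ACL as '.*'$",
]

# Simplified stand-in for fail2ban's <HOST> tag: dotted IPv4 only (assumption).
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def count_failures(log_lines, patterns):
    """Like fail2ban-regex: return (failures per host, list of missed lines)."""
    compiled = compile_failregex(patterns)
    per_host, missed = Counter(), []
    for line in log_lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                per_host[m.group("host")] += 1
                break
        else:
            missed.append(line)
    return per_host, missed


def hosts_to_ban(per_host, maxretry=3):
    """Hosts that reached the jail's maxretry (the thread's global value is 3)."""
    return sorted(h for h, n in per_host.items() if n >= maxretry)


# Constructed sample log, not the poster's file; the AMI lines use the
# "manager.c: <ip> failed to authenticate as" wording quoted in the thread.
SAMPLE_LOG = [
    "[2019-01-29 09:57:53] NOTICE[629] manager.c: 131.255.92.29 failed to authenticate as 'admin'",
    "[2019-01-29 09:57:54] NOTICE[629] manager.c: 131.255.92.29 failed to authenticate as 'admin'",
    "[2019-01-29 09:57:55] NOTICE[629] manager.c: 131.255.92.29 tried to authenticate with nonexistent user 'root'",
    "[2019-01-29 09:58:01] NOTICE[629] manager.c: 10.0.0.5 failed to pass IP ACL as 'office'",
    "[2019-01-29 09:58:02] NOTICE[629] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' failed for '185.53.91.44:5086' - No matching endpoint found",
]
```

Running `count_failures(SAMPLE_LOG, NEW_FAILREGEX)` gives 3 failures for 131.255.92.29 (enough to ban at maxretry 3) and one missed pjsip line, while `ORIGINAL_FAILREGEX` misses all five lines, which is the situation the thread describes.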
I would like to use this http://voipbl.org/
but I do not know how to work it with the firewall in NS. Used it with SME using ipset
should be workable but I don’t know about side effect. Nethserver uses shorewall but iptables is of course there also.
Fail2ban is set to play with shorewall but a specific jail could use iptables I think