Fail2ban asterisk AMI jail properties

fail2ban

(HF) #1

Hi,

I thought that the max tries for fail2ban jails was set to 3. I thought :wink:

Here’s what I get, anything I can do to limit attempts to max 3 pls?


Hi,

The IP 185.53.91.81 has just been banned by Fail2Ban after
158 attempts against asterisk.


(HF) #2

My bad…

config show fail2ban shows xxx_MaxTry empty. Obviously I need to set the max tries per jail and do a signal-event update and restart.

Sorry for the noise


(Stéphane de Labrusse) #3

You can set a specific maxretry per jail like you found, but the global maxretry is set to 3

Maxretry is a value of fail2ban, but iirc for ssh you need to fail your password two or three times to match one maxretry

Something was wrong with fail2ban; by setting a specific maxretry you probably restarted the service.

You could check the jail.local and see if the global maxretry is set in each jail


(HF) #4

@stephdl, thanks. jail.local has maxretry set at 6 times, so I wonder how it is possible one can attempt 148 times?


(Stéphane de Labrusse) #5

fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf --print-all-matched

this should output all matched lines; if your attacker is inside, the jail is workable, but fail2ban stopped banning

If not, either asterisk is writing to another log, or the syntax has changed and we do not catch it with the regex

You can test it on your log, also you can attach here the exact log lines


(HF) #6

Output (Snippet)

Lines: 173 lines, 0 ignored, 27 matched, 146 missed
[processed in 0.04 sec]

|- Matched line(s):
| [2019-01-29 06:08:29] NOTICE[1450] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5086' (callid: 182649394416439887395489) - No matching endpoint found
| [2019-01-29 06:58:55] NOTICE[8470] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.53:5068' (callid: 939954679526990676233405) - No matching endpoint found
| [2019-01-29 07:15:16] NOTICE[10760] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5133' (callid: 803368134821551636268778) - No matching endpoint found
| [2019-01-29 07:59:52] NOTICE[16840] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '37.49.231.27:5075' (callid: 848321346759718952014621) - No matching endpoint found
| [2019-01-29 08:10:08] NOTICE[18236] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '137.74.22.148:5078' (callid: 382528061182328321042861) - No matching endpoint found
| [2019-01-29 08:21:04] NOTICE[19735] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5141' (callid: 190592569010758388135326) - No matching endpoint found
| [2019-01-29 09:02:51] NOTICE[25465] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"103" sip:103@5.189.169.51' failed for '62.233.65.182:5071' (callid: a2e129ed750dc8e0dcf61d6ca3bef2be) - No matching endpoint found
| [2019-01-29 09:27:17] NOTICE[28792] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" sip:100@1.1.1.1' failed for '185.53.91.44:5115' (callid: 1101258264432760020140360) - No matching endpoint found
| [2019-01-29 09:57:37] NOTICE[629] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"Bob" sip:100@46.166.160.136' failed for '103.50.161.207:5791' (callid: 468873843181106665471075) - No matching endpoint found
| [2019-01-29 09:57:53] NOTICE[629] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1558923098" sip:1558923098@5.189.169.51' failed for '103.50.161.207:6061' (callid: 4063560344) - No matching endpoint found
etc. etc.


(Stéphane de Labrusse) #7

matched lines are not really interesting, because they were caught by the regex; missed lines are much more interesting


(HF) #8

Thanks.

https://pastebin.com/GhLSqt4e


(Stéphane de Labrusse) #9

131.255.92.29 is your attacker?


(HF) #10

yes it is


(Stéphane de Labrusse) #11

good news, the regex cannot catch this attack… give me some time to think on it


(HF) #12

Many thanks!

As a thought, “failed to authenticate as” is a common returning entry


(Stéphane de Labrusse) #13

yep but in that case we have

manager.c: 131.255.92.29 failed to authenticate as

and the regex catch
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$

so we miss the ':' and a '.*' to match manager.c:


(Stéphane de Labrusse) #14

you could try to add to /etc/fail2ban/filter.d/asterisk.conf

^%(__prefix_line)s%(log_prefix)s .*: <HOST> failed to authenticate as '[^']*'$

and verify with fail2ban-regex


(Stéphane de Labrusse) #15

please send me your log file


(HF) #16

I have sent you a pm with login credentials


(Stéphane de Labrusse) #17
         ^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to authenticate as '.*'$
         ^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> tried to authenticate with nonexistent user '.*'$
         ^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to pass IP ACL as '.*'$

try this; it works on the log you gave. Add this to /etc/fail2ban/filter.d/asterisk.conf
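The following is an added example, not code from this thread, from NethServer or from the fail2ban project. It reproduces in plain Python what the fail2ban-regex run in post #5 does, so the regex fix discussed in posts #13, #14 and #17 can be checked offline: the "Host <HOST>" pattern from post #13 is run against AMI (manager.c) failure lines and matches nothing, while the three patterns from post #17 match them and the per-host count can be compared with maxretry. Assumptions: the `%(__prefix_line)s%(log_prefix)s` interpolation is approximated by the literal prefix `^\[.*\] NOTICE\[[0-9]+\] ` that post #17 spells out, `<HOST>` is expanded to an IPv4-only capture group rather than fail2ban's fuller definition, the log lines are constructed in the style of the thread's output, and `hosts_to_ban` counts matches without a findtime window.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; an assumption for this example).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Pattern from post #13, with %(__prefix_line)s%(log_prefix)s approximated by the
# literal prefix post #17 uses (assumption). It expects the word "Host" before the address,
# which AMI failure lines do not carry.
ORIGINAL_PATTERN = (
    r"^\[.*\] NOTICE\[[0-9]+\] .*: Host <HOST> failed to authenticate as '[^']*'$"
)

# The three patterns from post #17: ".*:" absorbs the "manager.c:" source-file prefix,
# so <HOST> lines up with the address.
FIXED_PATTERNS = [
    r"^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to authenticate as '.*'$",
    r"^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> tried to authenticate with nonexistent user '.*'$",
    r"^\[.*\] NOTICE\[[0-9]+\] .*: <HOST> failed to pass IP ACL as '.*'$",
]

# Constructed sample of /var/log/asterisk/full: six AMI (manager.c) failures from one
# source address and one unrelated PJSIP line, modelled on the thread's output.
SAMPLE_LOG = [
    "[2019-01-29 10:00:01] NOTICE[2051] manager.c: 131.255.92.29 failed to authenticate as 'admin'",
    "[2019-01-29 10:00:02] NOTICE[2051] manager.c: 131.255.92.29 failed to authenticate as 'admin'",
    "[2019-01-29 10:00:03] NOTICE[2051] manager.c: 131.255.92.29 failed to authenticate as 'asterisk'",
    "[2019-01-29 10:00:04] NOTICE[2051] manager.c: 131.255.92.29 tried to authenticate with nonexistent user 'test'",
    "[2019-01-29 10:00:05] NOTICE[2051] manager.c: 131.255.92.29 failed to pass IP ACL as 'admin'",
    "[2019-01-29 10:00:06] NOTICE[2051] manager.c: 131.255.92.29 failed to authenticate as 'admin'",
    "[2019-01-29 10:00:07] NOTICE[2052] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from "
    "'\"sipvicious\" sip:100@1.1.1.1' failed for '185.53.91.44:5086' (callid: 1) - No matching endpoint found",
]


def compile_filter(patterns):
    """Expand <HOST> in each failregex and compile it, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_log(lines, patterns):
    """Return (hits, missed): hits counts matched lines per host, missed lists unmatched lines.

    This mirrors the 'matched' / 'missed' split that fail2ban-regex prints.
    """
    compiled = compile_filter(patterns)
    hits = Counter()
    missed = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
        else:
            missed.append(line)
    return hits, missed


def hosts_to_ban(hits, maxretry):
    """Hosts whose matched-line count reaches maxretry (the findtime window is ignored here)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for label, patterns in (("original", [ORIGINAL_PATTERN]), ("fixed", FIXED_PATTERNS)):
        hits, missed = match_log(SAMPLE_LOG, patterns)
        print(f"{label}: {sum(hits.values())} matched, {len(missed)} missed")
        print(f"  would ban at maxretry=3: {hosts_to_ban(hits, 3)}")
```

With the original pattern every line lands in "missed", which is exactly the symptom in post #8's paste: the jail is loaded and maxretry is set, but no line ever counts towards it. With the post #17 patterns the six manager.c lines are attributed to 131.255.92.29 and the PJSIP line stays in "missed", which is expected because it belongs to a different failregex in the filter. On a real system the same check is `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf --print-all-missed`, run after editing the filter and before restarting fail2ban.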


(Stéphane de Labrusse) #18

respect indentations in the regex files :smiley:


(HF) #19

I would like to use this http://voipbl.org/

but I do not know how to work it with the firewall in NS. Used it with SME using ipset


(Stéphane de Labrusse) #20

should be workable but I don't know about side effects. Nethserver uses shorewall but iptables is of course there also.

Fail2ban is set to play with shorewall but a specific jail could use iptables I think