I’ve been experimenting with Asterisk again, using the FreePBX distro (2.11.0.4).
I have noticed that I get a lot of entries in the Asterisk log that look like this:
[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=e9a98a30
[2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=eebd8857
[2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=243f3815
[2013-07-06 07:19:42] NOTICE[4106][C-00000022] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=a049427e
[2013-07-06 07:19:45] NOTICE[4106][C-00000023] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=c3c7f81b
[2013-07-06 07:19:48] NOTICE[4106][C-00000024] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=6be78a0b
[2013-07-06 07:19:49] NOTICE[4106][C-00000025] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=1979ada5
Here aaa.bb.ccc.dd is, of course, the address of my SIP server. Unfortunately, while FreePBX ships a fail2ban module, these chan_sip NOTICE lines do not give fail2ban enough to act on: the only address in them is the PBX's own (inside the SIP URI), not the address the request came from, so there is nothing to ban.
The way I have got around this involves making some custom modifications to the Asterisk configuration.
Firstly, we need to enable the Asterisk (v11) security logging feature, i.e. have the "security" log level (written by res_security_log) go to a file of its own:
Edit /etc/asterisk/logger_logfiles_custom.conf (create the file if it does not exist; FreePBX leaves the _custom files alone but regenerates the others) and add the following:
fail2ban2 => security,notice,warning,error
Once the logger has been reloaded (asterisk -rx "logger reload"), this creates an additional log file, /var/log/asterisk/fail2ban2, containing the security events alongside the usual notices, warnings and errors.
Now we need to tell fail2ban (configuration in /etc/fail2ban) to process these security-log entries. FreePBX writes its own jails to jail.local, so to stay out of its way we add ours to jail.conf (bear in mind that jail.conf is the file the fail2ban package itself ships, so re-check it after a fail2ban upgrade):
[asterisk11-iptables]
enabled = true
filter = asterisk11
action = iptables-allports[name=SIP, protocol=all]
         sendmail-whois[name=SIP, dest=alerts@example.com, sender=pbx@example.com]
logpath = /var/log/asterisk/fail2ban2
Finally, we create a filter with a simple failregex that pulls out the remote IP address we want to ban, and put it in /etc/fail2ban/filter.d/asterisk11.conf:
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/<HOST>/
#VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
That's it. Before relying on it, check that the filter actually matches your log with fail2ban-regex /var/log/asterisk/fail2ban2 /etc/fail2ban/filter.d/asterisk11.conf, then restart fail2ban (/etc/init.d/fail2ban restart on the distro) and confirm the jail is up with fail2ban-client status asterisk11-iptables. From then on we intercept messages like this one from the security log, which, unlike the chan_sip NOTICE lines, carry the RemoteAddress of the peer, and ban the offending host:
[2013-07-06 07:19:42] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373091582935268",Severity="Error",Service="SIP",EventVersion="2",AccountID="00972597103443",SessionID="0x7fa42c001ac8",LocalAddress="IPV4/UDP/aaa.bb.ccc.dd/5060",RemoteAddress="IPV4/UDP/37.8.1.89/5071",Challenge="61074795",ReceivedChallenge="61074795",ReceivedHash="b469462e8e7de800b54eb50ffe46de86"
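To see what the filter above catches and what it lets through, here is a small Python check, added here and not part of the original post or of fail2ban itself. It expands <HOST> the way the filter file's own comment describes and runs the failregex over constructed log lines modelled on the excerpts above. It also tries a broader failregex of my own that additionally matches InvalidAccountID and ChallengeResponseFailed events and the non-UDP transports; those event and transport names are what I believe Asterisk 11 prints, so treat them as an assumption and compare against your own fail2ban2 log. The addresses are documentation ranges, not the ones in the post.

```python
"""Apply the asterisk11.conf failregex to constructed Asterisk security-log lines."""
import re

# Inside a fail2ban filter, <HOST> is an alias for this group (quoted from the
# comment in the filter file above): an optional IPv4-mapped prefix, then the host.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from asterisk11.conf, with <HOST> expanded the way fail2ban does it.
ORIGINAL_FAILREGEX = (
    r'SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/' + HOST + r'/'
)

# A broader variant (mine, not from the post): also counts InvalidAccountID and
# ChallengeResponseFailed events, and any transport, since the literal "IPV4/UDP/"
# in the original lets the same attack over TCP or TLS through unbanned.
# Event and transport names are assumed from Asterisk 11's security log format.
BROAD_FAILREGEX = (
    r'SECURITY.* SecurityEvent=\"(?:InvalidPassword|InvalidAccountID|ChallengeResponseFailed)\"'
    r'.*RemoteAddress=\"IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/' + HOST + r'/'
)

# fail2ban locates and strips the timestamp before applying failregex; mimic that.
DATE_PREFIX = re.compile(r"^\[[^\]]+\] ")


def banned_hosts(lines, failregex):
    """Return the <host> captured from every line that `failregex` matches, in log order.

    Each returned entry is one failure fail2ban would count against that host.
    """
    rx = re.compile(failregex)
    hosts = []
    for line in lines:
        match = rx.search(DATE_PREFIX.sub("", line, count=1))
        if match:
            hosts.append(match.group("host"))
    return hosts


# Constructed sample lines modelled on the post's excerpts. 198.51.100.10 stands in
# for the PBX and 203.0.113.x / 192.0.2.x for remote peers (documentation ranges).
SAMPLE_LOG = [
    # chan_sip NOTICE: the only address present is the PBX's own, so nothing to ban.
    '[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555<sip:555@198.51.100.10>;tag=e9a98a30',
    # InvalidPassword over UDP: exactly what the original filter is written for.
    '[2013-07-06 07:19:42] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373091582935268",Severity="Error",Service="SIP",EventVersion="2",AccountID="00972597103443",SessionID="0x7fa42c001ac8",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/203.0.113.89/5071",Challenge="61074795",ReceivedChallenge="61074795",ReceivedHash="b469462e8e7de800b54eb50ffe46de86"',
    # The same guess arriving over TCP: the original filter's "IPV4/UDP/" literal misses it.
    '[2013-07-06 07:19:45] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373091585000000",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7fa42c001b10",LocalAddress="IPV4/TCP/198.51.100.10/5060",RemoteAddress="IPV4/TCP/203.0.113.90/40211",Challenge="61074796",ReceivedChallenge="61074796",ReceivedHash="0123456789abcdef0123456789abcdef"',
    # Extension enumeration: a different event name, so the original filter ignores it.
    '[2013-07-06 07:19:48] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1373091588000000",Severity="Error",Service="SIP",EventVersion="1",AccountID="9999",SessionID="0x7fa42c001b58",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/203.0.113.91/5060"',
    # A successful registration must never count as a failure under either regex.
    '[2013-07-06 07:20:01] SECURITY[4078] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1373091601000000",Severity="Informational",Service="SIP",EventVersion="1",AccountID="200",SessionID="0x7fa42c0020f0",LocalAddress="IPV4/UDP/198.51.100.10/5060",RemoteAddress="IPV4/UDP/192.0.2.25/5060",UsingPassword="1"',
]

if __name__ == "__main__":
    print("original failregex bans:", banned_hosts(SAMPLE_LOG, ORIGINAL_FAILREGEX))
    print("broad failregex bans:   ", banned_hosts(SAMPLE_LOG, BROAD_FAILREGEX))
```

Two things worth noticing when you run it: the NOTICE line and the SuccessfulAuth line never produce a host, and the original failregex only bans the UDP attacker, while the broader one also catches the TCP attempt and the extension scan. Note also that the `\S+` in the host group is greedy and stops at the last `/` in the rest of the line, which is correct only because the port separator is the only slash that follows; before trusting any rewritten regex, run it against the real log with fail2ban-regex as described above.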
Wonderful article post. Thanks again.
Hi, thanks for the post.
All works.
But every day I lose this line:
fail2ban2 => security,notice,warning,error
and every day I have to restore it.
What should I do?
Hi Ralcom,
It is important that the file you edit is the one that ends in “_custom.conf”, otherwise you will find that the FreePBX GUI will overwrite your changes.
So in my case I put that line in /etc/asterisk/logger_logfiles_custom.conf
You might need to create the file if it doesn’t exist.
If you edit logger_logfiles_additional.conf by mistake then the GUI will overwrite your changes.
Hope that helps!
Giles
Thank you. OK.
I edited my conf files with these instructions, not realising how important syntax was and actually broke my fail2ban installation because I was careless.
Have managed to sort it out, by way of removing a few spaces here and there, but just a heads-up to others out there to TEST YOUR FAIL2BAN AFTERWARDS with the command /etc/init.d/fail2ban start
Thanks for the tips, though. Glad to be more secure now.
Awesome tutorial works 100%
Thank you very much! 🙂
Your blog is very informative but I am a newbie on FreePBX. I just installed 2.11 latest version and unable to access FreePBX via my external IP however I can access the GUI via my local network Server IP. I can also use Putty and SSH to access the Server via root. I need extensive help in determining if I am banned by Fail2ban and how to unban my IP. Thanks.
Hi,
By running ‘iptables -L’ you should be able to get a list of the banned IPs in the various Jails
In order to unban an IP you can use the fail2ban-client, look for the actionunban operation in the manual.
Googling for the above should return various documents about this.
Very well written! Thank you!
Great tutorial. I have to admit I found this after pulling out much hair with Asterisk 11. Have you compared this to SecAst (www.generationd.com)? Their free version handles all the rules of fail2ban and more, without having to constantly update regexes etc.
Hi;
First off, thank you very much for sharing this information. I've got the same problem, but after using your scripts there are still some people trying to get into the server and the script isn't blocking them.
I saw on the asterisk11.conf file that the formatting should be a bit different and I should add ".+?".*" at the end, so I did that as well, but still no result.
fail2ban is still working and blocking IPs that have the IP addresses in the warning lines, but not the security lines.
I'm very new to Asterisk and fail2ban, so any help would be much appreciated.
Thank you
The latest release of the fail2ban daemon includes jails and configuration files for Asterisk by default.
Today this method (fail2ban 0.9.6 & Asterisk 13.23) was not banning this attack for me. In my case I added in jail.local, below [asterisk11-iptables]: port = 5060,5062… (all the SIP ports I use).