{"id":61,"date":"2013-07-06T10:08:17","date_gmt":"2013-07-06T10:08:17","guid":{"rendered":"http:\/\/www.coochey.net\/?p=61"},"modified":"2013-07-17T09:27:52","modified_gmt":"2013-07-17T09:27:52","slug":"61","status":"publish","type":"post","link":"https:\/\/coochey.net\/?p=61","title":{"rendered":"Asterisk 11 (FreePBX distribution) fail2ban configuration using the security log."},"content":{"rendered":"

I’ve been experimenting with Asterisk again, using the FreePBX distro (2.11.0.4).<\/p>\n

I have noticed that I get a lot of entries in the Asterisk log that look like this:<\/p>\n

[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=e9a98a30\r\n[2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=eebd8857\r\n[2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=243f3815\r\n[2013-07-06 07:19:42] NOTICE[4106][C-00000022] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=a049427e\r\n[2013-07-06 07:19:45] NOTICE[4106][C-00000023] chan_sip.c: Failed to authenticate device 5555<sip:5555@7aaa.bb.ccc.dd>;tag=c3c7f81b\r\n[2013-07-06 07:19:48] NOTICE[4106][C-00000024] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=6be78a0b\r\n[2013-07-06 07:19:49] NOTICE[4106][C-00000025] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=1979ada5<\/pre>\n
Where, of course, aaa.bb.ccc.dd is the address of my SIP server. Unfortunately, while FreePBX contains a fail2ban module, asterisk doesn’t provide enough information in the log file to act upon these messages.<\/p>\n
The way I have got around this involves making some custom modifications to the Asterisk configuration.<\/p>\n
Firstly, we need to enable Asterisk (v11) security logging feature:<\/p>\n
Edit, \/etc\/asterisk\/logger_logfiles_custom.conf and add the following:<\/p>\n
fail2ban2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 => security,notice,warning,error<\/pre>\n
This will create an additional log file, called \/var\/log\/asterisk\/fail2ban2<\/p>\n
Now we need to edit the fail2ban configuration in \/etc\/fail2ban to process the security logged items. FreePBX configuration is in jail.local, so we will add ours to jail.conf:<\/p>\n
\r\n[asterisk11-iptables]\r\n enabled\u00a0 = true\r\n filter\u00a0\u00a0 = asterisk11\r\n action\u00a0\u00a0 = iptables-allports[name=SIP, protocol=all]\r\n sendmail-whois[name=SIP, dest=alerts@example.com, sender=pbx@example.com]\r\n logpath\u00a0 = \/var\/log\/asterisk\/fail2ban2\r\n<\/pre>\n
Finally, we create a simple regex to get the IP address that we want to ban, and put it in the \/etc\/fail2\/ban\/filter.d\/asterisk11.conf<\/p>\n
# Fail2Ban configuration file \r\n# \r\n# \r\n# $Revision: 250 $ \r\n#\r\n[INCLUDES]\r\n# Read common prefixes. If any customizations available -- read them from \r\n# common.local \r\n#before = common.conf\r\n[Definition]\r\n#_daemon = asterisk\r\n# Option:\u00a0 failregex \r\n# Notes.:\u00a0 regex to match the password failures messages in the logfile. The \r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 host must be matched by a group named \"host\". The tag \"<HOST>\" can \r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 be used for standard IP\/hostname matching and is only an alias for \r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (?:::f{4,6}:)?(?P<host>\\S+) \r\n# Values:\u00a0 TEXT \r\n# \r\nfailregex = SECURITY.* SecurityEvent=\\\"InvalidPassword\\\".*RemoteAddress=\\\"IPV4\/UDP\/<HOST>\/\r\n#VERBOSE.* logger.c: -- .*IP\/<HOST>-.* Playing 'ss-noservice' \\(language '.*'\\)\r\n# Option:\u00a0 ignoreregex \r\n# Notes.:\u00a0 regex to ignore. If this regex matches, the line is ignored. \r\n# Values:\u00a0 TEXT \r\n# ignoreregex =<\/pre>\n
That’s it, we now intercept messages like this one from the security log, and manage to ban these device attempts:<\/p>\n
[2013-07-06 07:19:42] SECURITY[4078] res_security_log.c: SecurityEvent=\"InvalidPassword\",EventTV=\"1373091582935268\",Severity=\"Error\",Service=\"SIP\",EventVersion=\"2\",AccountID=\"00972597103443\",SessionID=\"0x7fa42c001ac8\",LocalAddress=\"IPV4\/UDP\/aaa.bb.ccc.dd\/5060\",RemoteAddress=\"IPV4\/UDP\/37.8.1.89\/5071\",Challenge=\"61074795\",ReceivedChallenge=\"61074795\",ReceivedHash=\"b469462e8e7de800b54eb50ffe46de86\"<\/pre>\n","protected":false},"excerpt":{"rendered":"
I’ve been experimenting with Asterisk again, using the FreePBX distro (2.11.0.4). I have noticed that I get a lot of entries in the Asterisk log that look like this: [2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=e9a98a30 [2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=eebd8857 [2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6],"tags":[15,16,17,21,19,20,18],"class_list":["post-61","post","type-post","status-publish","format-standard","hentry","category-ramblings","tag-asterisk","tag-fail2ban","tag-freepbx","tag-linux","tag-log","tag-pbx","tag-security"],"_links":{"self":[{"href":"https:\/\/coochey.net\/index.php?rest_route=\/wp\/v2\/posts\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coochey.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coochey.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coochey.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/coochey.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=61"}],"version-history":[{"count":5,"href":"https:\/\/coochey.net\/index.php?rest_route=\/wp\/v2\/posts\/61\/revisions"}],"predecessor-version":[{"id":72,"href":"https:\/\/coochey.net\/index.php?rest_route=\/wp\/v2\/posts\/61\/revisions\/72"}],"wp:attachment":[{"href":"https:\/\/coochey.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coochey.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coochey.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}