On 12/29/2011 01:55 PM, Bruce B wrote:

    Hi,

    I have added this line for asterisk 1.8 (I have allowguest=yes and context=default in sip.conf):
    NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected because extension not found in context 'default'.

    On 29-12-2011 13:03, Patrick Lists wrote:
    > Hi,
    >
    > In the thread "Interesting attack tonight & fail2ban them" Bruce B mentioned it would be nice to have input from the Community to come up with the best set of fail2ban filters. That's a great idea. So let's start with Bruce's filters (thanks!) and take it from there. Anyone have any improvements and/or additions? Apologies for the line wrap. No idea how to prevent that in Thunderbird. The filters are also at http://pastebin.com/6T9M1W3F
    >
    > Not sure but it may be possible that logging has changed between Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version with your filters.
    >
    > For Asterisk 1.8:
    >
    > failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
    >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
    >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
    >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
    >             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
    >             NOTICE.* <HOST> failed to authenticate as '.*'$
    >             NOTICE.* .*: No registration for peer '.*' (from <HOST>)
    >             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
    >             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
    >
    >
    > There are 2 lines that I have which are not in this list:
    >
    > NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
    > NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
    >
    > How about those (no idea for which Asterisk version they are)?
    >
    > Regards,
    > Patrick


Thanks Patrick. This is a great initiative. Let's all build the strongest and most detailed filter possible. I actually looked at mine and now see that it has weaknesses due to Asterisk 1.8.8.x giving a different type of logs, or maybe FreePBX. Let's test, fix and append to the end of the filter. Everyone is welcome to contribute.

So far we have:

*For Asterisk 1.8:*
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')   *#Outdated?*
            #*Situation:* allowguest=yes and context=default in sip.conf - *Tested by Diego Aguirre?*
            NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected because extension not found in context 'default'

The following are what I found to be insecure, but they need escaping and fine tuning to work with the filter:

*Asterisk 1.8 + FreePBX:*
*Situation:* When the target is coming in from an unknown DID - needs character escaping:
Executing [unknown@from-sip-external:1] NoOp("SIP/10.0.0.6-00000001", "Received incoming SIP connection from unknown peer to unknown") in new stack

*Situation:* Same as above, except an extension is called. Above was just an IP call. Extension 011x doesn't exist:
Executing [0115666666@from-sip-external:1] NoOp("SIP/10.0.0.6-00000003", "Received incoming SIP connection from unknown peer to 0115666666") in new stack

*Situation:* Same as above, except extension 101 does exist but the system still rejects the call due to no guest allowed?!
Executing [101@from-sip-external:1] NoOp("SIP/10.0.0.6-00000005", "Received incoming SIP connection from unknown peer to 101") in new stack

*All of the above have the following, which can be used as a universal filter:*
Executing [s@from-sip-external:8] Playback("SIP/10.0.0.6-00000005", "ss-noservice") in new stack

*Notice how this ss-noservice line is different from the one in the current, outdated filter:*
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

-Bruce


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
                http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
    http://lists.digium.com/mailman/listinfo/asterisk-users

Had one of my systems hit this morning too. Asterisk 1.8 branch + FreePBX 2.9, no anonymous. 260 call attempts in 2 minutes. Here is part of the logs. I am updating my filter to see if it helps. THANKS Bruce!!!

[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [15895076482935@from-sip-external:1] NoOp("SIP/184.107.201.234-000000cc", "Received incoming SIP connection from unknown peer to 15895076482935") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing [03131419338202@from-sip-external:1] NoOp("SIP/184.107.201.234-000000cd", "Received incoming SIP connection from unknown peer to 03131419338202") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [15895076482935@from-sip-external:2] Set("SIP/184.107.201.234-000000cc", "DID=15895076482935") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [15895076482935@from-sip-external:3] Goto("SIP/184.107.201.234-000000cc", "s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Goto (from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/184.107.201.234-000000cc", "0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Goto (from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/184.107.201.234-000000cc", "TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9254] func_timeout.c: Channel will hangup at 2011-12-30 06:28:58.383 CST.
[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/184.107.201.234-000000cc", "") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing [89851352612168@from-sip-external:1] NoOp("SIP/184.107.201.234-000000ce", "Received incoming SIP connection from unknown peer to 89851352612168") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing [89851352612168@from-sip-external:2] Set("SIP/184.107.201.234-000000ce", "DID=89851352612168") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing [89851352612168@from-sip-external:3] Goto("SIP/184.107.201.234-000000ce", "s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Goto (from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/184.107.201.234-000000ce", "0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Goto (from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/184.107.201.234-000000ce", "TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing [03131419338202@from-sip-external:2] Set("SIP/184.107.201.234-000000cd", "DID=03131419338202") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing [03131419338202@from-sip-external:3] Goto("SIP/184.107.201.234-000000cd", "s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Goto (from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/184.107.201.234-000000cd", "0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Goto (from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/184.107.201.234-000000cd", "TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9255] func_timeout.c: Channel will hangup at 2011-12-30 06:28:58.393 CST.
[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/184.107.201.234-000000cd", "") in new stack
[2011-12-30 06:28:43] VERBOSE[9256] func_timeout.c: Channel will hangup at 2011-12-30 06:28:58.390 CST.
[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/184.107.201.234-000000ce", "") in new stack
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP TOS bits 184
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP CoS mark 5
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing [0442032987253@from-sip-external:1] NoOp("SIP/184.107.201.234-000000cf", "Received incoming SIP connection from unknown peer to 0442032987253") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing [0442032987253@from-sip-external:2] Set("SIP/184.107.201.234-000000cf", "DID=0442032987253") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing [0442032987253@from-sip-external:3] Goto("SIP/184.107.201.234-000000cf", "s,1") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Goto (from-sip-external,s,1)
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/184.107.201.234-000000cf", "0?checklang:noanonymous") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Goto (from-sip-external,s,5)
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/184.107.201.234-000000cf", "TIMEOUT(absolute)=15") in new stack
[2011-12-30 06:28:43] VERBOSE[9258] func_timeout.c: Channel will hangup at 2011-12-30 06:28:58.458 CST.
[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/184.107.201.234-000000cf", "") in new stack
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP TOS bits 184
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP CoS mark 5
[2011-12-30 06:28:43] VERBOSE[17231] netsock2.c: == Using SIP RTP TOS bits 184

jonn

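An added example, written for this page and not code from the thread or from fail2ban itself, that runs the filter lines from Bruce's list and the FreePBX from-sip-external lines from Bruce's and jonn's posts the way fail2ban applies a failregex: substitute <HOST>, search each log line, count hits per source address, and report the addresses that reached maxretry. It also shows the escaping point Bruce raises: the thread's ss-noservice line with unescaped "(language '.*')" never matches, because the parentheses become a regex group instead of literal text. Assumptions: the four NoOp lines come from jonn's log above; every other sample line is constructed from the formats quoted in the thread and is not a real capture; the escaped patterns, the "\s+" that tolerates Asterisk's column padding after the source file name, and maxretry=5 are my choices; fail2ban's findtime window is not modelled.

```python
"""fail2ban-style check of the Asterisk 1.8 / FreePBX failregex lines from this thread."""
import re
from collections import Counter

# fail2ban substitutes <HOST> with this named group before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Thread's lines with literal ( ) [ ] " and the dots in logger.c / pbx.c escaped,
# and \s+ where Asterisk pads the column after the source file name (my choice).
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"VERBOSE.* logger\.c:\s+-- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)",
    # allowguest=yes / context=default; the optional :port mirrors the Registration lines
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'default'",
    # FreePBX from-sip-external context (Bruce's and jonn's posts)
    r'VERBOSE.* pbx\.c:\s+-- Executing \[.*@from-sip-external:1\] NoOp\("SIP/<HOST>-[0-9a-f]+", "Received incoming SIP connection from unknown peer to .*"\) in new stack',
    r'VERBOSE.* pbx\.c:\s+-- Executing \[s@from-sip-external:[0-9]+\] Playback\("SIP/<HOST>-[0-9a-f]+", "ss-noservice"\) in new stack',
]

# Same as FAILREGEX[8] but with the thread's unescaped parentheses: "(language '.*')"
# is a regex group, so the pattern demands "ss-noservice' language" and never sees "(".
UNESCAPED_SS_NOSERVICE = r"VERBOSE.* logger\.c:\s+-- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')"


def compile_failregex(pattern):
    """Turn one fail2ban failregex line into a compiled Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(pattern, line):
    """Return the captured host if pattern matches line, else None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def scan(lines, patterns=FAILREGEX):
    """Return {host: hits}; each line counts at most once, as in fail2ban."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return dict(hits)


def hosts_to_ban(lines, maxretry=5, patterns=FAILREGEX):
    """Hosts whose hit count reached maxretry (the findtime window is ignored here)."""
    return sorted(h for h, n in scan(lines, patterns).items() if n >= maxretry)


# Constructed sample log: the four NoOp lines are from jonn's post, the rest are
# modelled on the formats quoted in the thread and are not a real capture.
SS_NOSERVICE_LINE = ("[2011-12-29 13:03:05] VERBOSE[2041] logger.c:     -- SIP/10.0.0.6-00000003 "
                     "Playing 'ss-noservice' (language 'en')")
SAMPLE_LOG = [
    '[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [15895076482935@from-sip-external:1] NoOp("SIP/184.107.201.234-000000cc", "Received incoming SIP connection from unknown peer to 15895076482935") in new stack',
    '[2011-12-30 06:28:43] VERBOSE[9255] pbx.c: -- Executing [03131419338202@from-sip-external:1] NoOp("SIP/184.107.201.234-000000cd", "Received incoming SIP connection from unknown peer to 03131419338202") in new stack',
    '[2011-12-30 06:28:43] VERBOSE[9256] pbx.c: -- Executing [89851352612168@from-sip-external:1] NoOp("SIP/184.107.201.234-000000ce", "Received incoming SIP connection from unknown peer to 89851352612168") in new stack',
    '[2011-12-30 06:28:43] VERBOSE[9258] pbx.c: -- Executing [0442032987253@from-sip-external:1] NoOp("SIP/184.107.201.234-000000cf", "Received incoming SIP connection from unknown peer to 0442032987253") in new stack',
    '[2011-12-30 06:28:43] VERBOSE[9254] pbx.c: -- Executing [15895076482935@from-sip-external:2] Set("SIP/184.107.201.234-000000cc", "DID=15895076482935") in new stack',
    '[2011-12-30 06:28:44] VERBOSE[9254] pbx.c: -- Executing [s@from-sip-external:8] Playback("SIP/184.107.201.234-000000cc", "ss-noservice") in new stack',
    "[2011-12-29 13:03:01] NOTICE[2041] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.2>' failed for '10.0.0.6:5060' - Wrong password",
    "[2011-12-29 13:03:02] NOTICE[2041] chan_sip.c: Registration from '\"101\" <sip:101@10.0.0.2>' failed for '10.0.0.6:5060' - No matching peer found",
    "[2011-12-29 13:03:03] NOTICE[2041] chan_sip.c: No registration for peer '101' (from 10.0.0.6)",
    "[2011-12-29 13:03:04] NOTICE[2041] chan_sip.c: Call from '' (10.0.0.6:5060) to extension '0115666666' rejected because extension not found in context 'default'.",
    SS_NOSERVICE_LINE,
    "[2011-12-29 13:04:00] NOTICE[2041] chan_sip.c: Registration from '\"200\" <sip:200@10.0.0.9>' failed for '10.0.0.9:5060' - Wrong password",
    "[2011-12-29 13:04:01] VERBOSE[2041] chan_sip.c:   -- Registered SIP '200' at 10.0.0.9:5060",
]

if __name__ == "__main__":
    for host, n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{host:18} {n} hit(s)")
    print("ban:", hosts_to_ban(SAMPLE_LOG))
    print("unescaped ss-noservice matches:", match_host(UNESCAPED_SS_NOSERVICE, SS_NOSERVICE_LINE))
```

The Set, Goto and "Registered SIP" lines never count, and the single typo from 10.0.0.9 stays below the threshold; with the thread's own unescaped ss-noservice pattern the 10.0.0.6 sequence would only reach four hits. The same check can be run against fail2ban itself with `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf`.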