John V

Are you using pjsip? We have several test servers and I just checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated for pjsip implementations. Looking at the security log files and the regex I noticed that some items are being banned but others are not due to changes in the messages for pjsip. Anyone got an updated asterisk.conf for fail2ban?
Bryant

----------------------------------------
From: "Telium Technical Support" <[email protected]>
Sent: Wednesday, March 1, 2017 9:54 PM
To: "Asterisk Users Mailing List - Non-Commercial Discussion" <[email protected]>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1

If this is a small site, I recommend you download the free version of SecAst (www.telium.ca) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match etc. Instead it talks to Asterisk through the AMI to extract security information. Messing with regexes is a losing battle, and the lag in reading logs can allow an attacker 100+ registration attempts before fail2ban even does anything (assuming the IP is exposed in the Asterisk log). If this is a large install then post in the commercial list for more information.

-Raj-

From: [email protected] [mailto:[email protected]] On Behalf Of Tech Support
Sent: Wednesday, March 1, 2017 2:37 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <[email protected]>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1

It's possible that you need to increase the value of 'findtime' to something greater than 300 secs. You also may want to set "timestamp = yes" in asterisk.conf so each line in the CLI will be time stamped. Time stamping it will be the definitive determination on whether or not the 'findtime' is the culprit.

Regards;
John V.

From: [email protected] [mailto:[email protected]] On Behalf Of Motty Cruz
Sent: Wednesday, March 01, 2017 01:29 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] fail2ban Asterisk 13.13.1

Hello,

fail2ban does not ban offending IP.
NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong password
NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53911' - Wrong password

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300

[asterisk-iptables]
enable = true
port = 5060,5061
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail[name=ASTERISK, [email protected], [email protected]]
#action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
#         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
#         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3
findtime = 300
bantime = -1

in filter.d asterisk.conf

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password

ignoreregex =

Thanks
Motty
-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
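The chan_sip/pjsip mismatch John V describes, as an added example that is not part of the thread or of fail2ban itself: a small Python harness that expands failregex lines the way fail2ban does (substituting <HOST> and the %(...)s variables) and runs one pattern from the thread's older block and two from the current block over constructed log lines. The <HOST>, __prefix_line and log_prefix expansions are simplified stand-ins (assumptions, not fail2ban's exact definitions), and the log lines and addresses are constructed.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's substitutions: <HOST> as a
# bare IPv4/hostname, __prefix_line as an optional "[timestamp] ", and
# log_prefix following the shape used in filter.d/asterisk.conf.
HOST = r"(?P<host>[\w\-.^_]*\w)"
PREFIX_LINE = r"\s*(?:\[[^\]]+\]\s*)?"
LOG_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)(?:\[\d+\])?:?(?:\[C-[\da-f]*\])?:?"
              r" [^:]+:\d*(?: in \w+:)?")

# The chan_sip-era pattern from the thread's second failregex block.
OLD_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
]
# The chan_sip (with optional port) and pjsip "Request ... from" patterns
# from the thread's first block, with a shortened reason list.
NEW_FAILREGEX = [
    r"^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for "
    r"'<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found)$",
    r"^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for "
    r"'<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|"
    r"Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$",
]

# Constructed sample lines: chan_sip with a source port, pjsip, and one unrelated line.
SAMPLE_LINES = [
    "[2017-03-01 13:20:01] NOTICE[29784] chan_sip.c: Registration from "
    "'\"user3\"<sip:1005@192.0.2.10:5060>' failed for '203.0.113.7:53417' - Wrong password",
    "[2017-03-01 13:20:05] NOTICE[29784] res_pjsip/pjsip_distributor.c: Request 'REGISTER' "
    "from '\"1005\" <sip:1005@192.0.2.10>' failed for '203.0.113.8:5062' "
    "(callid: abc123@192.0.2.10) - No matching endpoint found",
    "[2017-03-01 13:20:09] NOTICE[29784] chan_sip.c: Peer '1001' is now Reachable. (12ms / 2000ms)",
]


def compile_failregex(patterns):
    """Expand the %(...)s variables and <HOST> as fail2ban does, then compile."""
    subs = {"__prefix_line": PREFIX_LINE, "log_prefix": LOG_PREFIX}
    return [re.compile((p % subs).replace("<HOST>", HOST)) for p in patterns]


def matched_hosts(patterns, lines):
    """Return the <HOST> captured from every line some failregex matches, in log order."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # one failure per line, as fail2ban counts it
    return hosts


if __name__ == "__main__":
    print("old filter:", matched_hosts(OLD_FAILREGEX, SAMPLE_LINES))  # []
    print("new filter:", matched_hosts(NEW_FAILREGEX, SAMPLE_LINES))  # ['203.0.113.7', '203.0.113.8']
```

The old pattern misses both failures: the chan_sip line because 'offending-IP:port' no longer ends at the quote, and the pjsip line because it is not a "Registration from" message at all. Separately, fail2ban spells the jail switch `enabled`, so a jail section that only sets `enable = true` stays off regardless of its filter.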
