Hello, sorry for my bad English.
I'm a bit confused about how fail2ban works.
I read a lot and wrote my own filter and jails to catch several SIP
attackers trying to authenticate devices. The log shows lines like this:
[Apr 12 05:23:06] NOTICE[1645][C-00000093] chan_sip.c: Failed to authenticate device 1001<sip:1001@10.0.2.15:5060>;tag=5ee3ff7a
[Apr 12 05:28:35] NOTICE[1645][C-00000094] chan_sip.c: Failed to authenticate device 222<sip:222@10.0.2.15:5060>;tag=c2384eab
Note that there is no IP of the attacker in them.
I found on Google that I can enable the "security" level for /var/log/asterisk/fail2ban
in /etc/asterisk/logger.conf by adding the following line, to get a more
detailed log:
fail2ban => security,notice,warning,error
Now I get the IP of the attackers with something like this in my
/etc/asterisk/fail2ban log file:
[Apr 11 19:17:53] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:17:53.017-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001448323395006",SessionID="0x7f16ac00aa08",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""
[Apr 11 19:27:42] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:27:42.678-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001548323395006",SessionID="0x7f16ac00a768",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""
I wrote a filter to catch it, and it looks like it works fine, because
after 3 times the attacker goes into the iptables chain of my filter,
and after 5 times in the first jail goes into the RECIDIVE jail, as we
can see with iptables -L -n:
Chain fail2ban-ast-dev-auth (1 references)
target     prot opt source               destination
REJECT     all  --  195.154.16.40        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  195.154.16.40        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  89.163.210.102       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  85.114.135.111       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  78.31.67.139         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  95.154.217.167       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  89.163.144.106       0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
I think it's strange that the same IP 195.154.16.40 is in both jails, because
the ban time for ast-dev-auth is 1 hour and for RECIDIVE it is 1 week.
So I searched the logs to understand whether the IP 195.154.16.40 went into both
jails at the same time, because I think it should not be possible to get into
ast-dev-auth again if the IP was already blocked in RECIDIVE, but...
cat /var/log/fail2ban.log | grep 195.154.16.40
1st time...
2017-04-11 14:33:30,843 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 15:33:30,237 fail2ban.actions[811]: WARNING [asterisk-device-auth] Unban 195.154.16.40
2nd time...
2017-04-11 16:21:10,236 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 17:21:10,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
3rd time...
2017-04-11 18:04:19,238 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 19:04:19,949 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
4th time...
2017-04-11 19:47:36,327 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 20:47:37,032 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
5th time...
2017-04-11 21:33:06,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 22:33:07,736 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
Now RECIDIVE gets it...
2017-04-11 21:33:08,520 fail2ban.actions[14820]: WARNING [recidive] Ban 195.154.16.40

But ast-dev-auth still gets it again and again... at the same time it
should be blocked by RECIDIVE
2017-04-11 23:15:02,495 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-12 00:15:02,902 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
2017-04-12 00:58:19,726 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-12 01:58:19,926 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
2017-04-12 02:39:14,401 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-12 03:39:15,342 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
I would like to understand it.
Thanks.
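An added example, written for this page and not the poster's filter nor fail2ban's own code: it expands the <HOST> placeholder the way the 0.9-era fail2ban server does, applies an assumed failregex to the two Asterisk log formats shown in the message (the chan_sip NOTICE lines, which carry no remote address, and the res_security_log.c SECURITY lines, which do), models the shipped recidive filter in simplified form, and replays the fail2ban.log excerpt from the message through a small maxretry/findtime/bantime counter. The failregexes, the findtime of 3600 s for the Asterisk jail and the third SECURITY line are assumptions; the recidive defaults (5 bans within a day, 1 week ban) are the ones fail2ban ships.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's <HOST> placeholder as the 0.9-era server expands it: an optional
# IPv4-mapped IPv6 prefix, then the host captured as the group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(pattern):
    """Translate a fail2ban failregex containing <HOST> into a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST))


# Assumed failregex for res_security_log.c lines (not the poster's filter): only
# events that describe a failed authentication attempt count as failures.
ASTERISK_SECURITY = compile_failregex(
    r'SECURITY\[\d+\] res_security_log\.c: SecurityEvent="(?:FailedACL|InvalidAccountID'
    r'|ChallengeResponseFailed|InvalidPassword)",.*?RemoteAddress="IPV4/(?:UDP|TCP|TLS)/<HOST>/\d+"'
)

# Simplified model of fail2ban's recidive filter: a "Ban <HOST>" line written by any
# jail other than recidive itself is one failure; "Unban" lines are not.
RECIDIVE = compile_failregex(
    r'fail2ban\.actions\[\d+\]: WARNING \[(?!recidive\])(?P<jail>[^\]]+)\] Ban <HOST>$'
)


def extract_host(failregex, line):
    """Return the <HOST> the failregex captures from a line, or None if it does not match."""
    match = failregex.search(line)
    return match.group("host") if match else None


class JailSimulator:
    """One jail: maxretry failures within findtime => ban for bantime. Failures from a
    host that is already banned are dropped (fail2ban just logs 'already banned').
    Unban events are recorded lazily, when a later event arrives after the ban expired."""

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(list)   # host -> timestamps of recent failures
        self.banned_until = {}              # host -> datetime the ban expires
        self.events = []                    # (datetime, "Ban" | "Unban", host)

    def feed(self, when, host):
        for banned, until in list(self.banned_until.items()):
            if until <= when:               # ban ran out before this event: record unban
                del self.banned_until[banned]
                self.events.append((until, "Unban", banned))
        if host in self.banned_until:
            return
        recent = [t for t in self.failures[host] if when - t <= self.findtime]
        recent.append(when)
        if len(recent) >= self.maxretry:
            self.failures[host] = []        # the counter is consumed by the ban
            self.banned_until[host] = when + self.bantime
            self.events.append((when, "Ban", host))
        else:
            self.failures[host] = recent


def security_line(event_tv, host):
    """Constructed line in the res_security_log.c format shown in the message."""
    prefix = datetime.strptime(event_tv, "%Y-%m-%dT%H:%M:%S").strftime("%b %d %H:%M:%S")
    return (f'[{prefix}] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",'
            f'EventTV="{event_tv}.000-0300",Severity="Error",Service="SIP",EventVersion="2",'
            f'AccountID="001448323395006",SessionID="0x7f16ac00aa08",'
            f'LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/{host}/5070",'
            f'Challenge="",ReceivedChallenge="",ReceivedHash=""')


# Constructed inputs: the chan_sip NOTICE line from the message, the two SECURITY
# timestamps from the message plus a third constructed one from the same source.
CHAN_SIP_LINE = ('[Apr 12 05:23:06] NOTICE[1645][C-00000093] chan_sip.c: Failed to '
                 'authenticate device 1001<sip:1001@10.0.2.15:5060>;tag=5ee3ff7a')
SECURITY_LINES = [security_line(ts, "195.154.16.40")
                  for ts in ("2017-04-11T19:17:53", "2017-04-11T19:27:42", "2017-04-11T19:30:10")]

# Abridged copy of the fail2ban.log excerpt from the message, unwrapped.
FAIL2BAN_LOG = """\
2017-04-11 14:33:30,843 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 15:33:30,237 fail2ban.actions[811]: WARNING [asterisk-device-auth] Unban 195.154.16.40
2017-04-11 16:21:10,236 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 17:21:10,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
2017-04-11 18:04:19,238 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 19:47:36,327 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 21:33:06,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-11 21:33:08,520 fail2ban.actions[14820]: WARNING [recidive] Ban 195.154.16.40
2017-04-11 23:15:02,495 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
2017-04-12 00:58:19,726 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
"""


def simulate_asterisk_jail(lines, maxretry=3, findtime=3600, bantime=3600):
    """Run the Asterisk filter over log lines; findtime is an assumption (the message gives none)."""
    jail = JailSimulator(maxretry, findtime, bantime)
    for line in lines:
        host = extract_host(ASTERISK_SECURITY, line)
        if host is None:
            continue                        # chan_sip NOTICE lines carry no remote address
        when = datetime.strptime(re.search(r'EventTV="([^.]+)', line).group(1), "%Y-%m-%dT%H:%M:%S")
        jail.feed(when, host)
    return jail.events


def simulate_recidive(log_text, maxretry=5, findtime=86400, bantime=604800):
    """Run the recidive model over fail2ban.log text (defaults: 5 bans in a day => 1 week)."""
    jail = JailSimulator(maxretry, findtime, bantime)
    for line in log_text.splitlines():
        host = extract_host(RECIDIVE, line)
        if host is None:
            continue                        # Unban lines and recidive's own bans do not count
        jail.feed(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), host)
    return jail.events


if __name__ == "__main__":
    print("chan_sip line ->", extract_host(ASTERISK_SECURITY, CHAN_SIP_LINE))
    for when, action, host in simulate_asterisk_jail([CHAN_SIP_LINE] + SECURITY_LINES):
        print(f"asterisk jail: {action} {host} at {when}")
    for when, action, host in simulate_recidive(FAIL2BAN_LOG):
        print(f"recidive:      {action} {host} at {when}")
```

Run as a script it reports no address for the chan_sip line, a ban from the Asterisk jail on the third SECURITY line, and exactly one recidive ban at 21:33:06, the fifth ban in the excerpt; the later asterisk-device-auth bans fall inside the week-long recidive ban and the model drops them. On the live system the equivalent check is fail2ban-regex run against the real log files with the real filter.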
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users