Re: [asterisk-users] Blacklist failed attempts

2018-03-02 Thread Telium Technical Support 
If this is a home system, try the free edition of SecAst (www.telium.ca/?secast 
 ).  If allows you to set thresholds for the 
number of attempts, and specify the period in which they occur.  The Free 
edition of SecAst is a drop-in replacement for fail2ban (but with a lot more 
intelligence included for free).

 

If this is for a business / you are looking for a commercial product 
recommendation then post on the commercial list :)

 

 

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Atux Atux
Sent: Thursday, March 1, 2018 8:03 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion 

Subject: [asterisk-users] Blacklist failed attempts

 

Hi. I would like to protect my system from failed attempts. I would like to ask 
if there is a way to do a blacklist for certain amount of time consecutive 
attempts from the same IP. For example if we have an IP that gets a wrong 
passwd an it had tried more than 3 times the last 5 minutes, blacklist it for 
an hour. I have tried to implement it through fail2ban, but it doe snot seem to 
work for my asterisk implementation.

Is there any other way?



 

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Blacklist failed attempts

2018-03-02 Thread Frank Vanoni 
On Thu, 2018-03-01 at 15:02 +0200, Atux Atux wrote:
> I have tried to implement it through fail2ban, but it doe snot seem
> to work for my asterisk implementation.
I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
configuration:
in /etc/asterisk/logger.conf:
messages => security,notice,warning,error
in /etc/asterisk/sip.conf:
allowguest=yes
context=unauthenticated
in /etc/asterisk/extensions.conf:
[unauthenticated]
;; Incomming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}') 
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()
exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}') 
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()
in /etc/fail2ban/jail.conf:
[asterisk]
filter   = asterisk
action = iptables-allports[name=ASTERISK]
logpath  = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime  = 518400
enabled = true
in /etc/fail2ban/filter.d
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them
from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the
logfile. The
#  host must be matched by a group named "host". The tag
"" can
#  be used for standard IP/hostname matching and is only an
alias for
#  (?:::f{4,6}:)?(?P\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for
':.*' - Wrong password
NOTICE.* .*: Call from '.*' \((:[0-9]{1,5})?\) to
extension '.*' rejected because extension not found in context
'unauthenticated'
NOTICE.* chan_sip.c: Call from '.*' \((:[0-
9]{1,5})?\) to extension '.*' rejected because extension not found in
context 'unauthenticated'
NOTICE.* .*: Registration from '.*' failed for
':.*' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for
':.*' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for
':.*' - Not a local domain
NOTICE.* .*: Registration from '.*' failed for
':.*' - Peer is not supposed to register
NOTICE.* .*: Registration from '.*' failed for
':.*' - Device does not match ACL
NOTICE.* .*: Registration from '.*' failed for
':.*' - Device not configured to use this transport type
NOTICE.* .*: No registration for peer '.*' \(from
\)
NOTICE.* .*: Host  failed MD5 authentication for
'.*' \(.*\)
NOTICE.* .*: Host  denied access to register peer
'.*'
NOTICE.* .*: Host  did not provide proper
plaintext password for '.*'
NOTICE.* .*: Registration of '.*' rejected: '.*' from:
''
NOTICE.* .*: Peer '.*' is not dynamic (from )
NOTICE.* .*: Host  denied access to register peer
'.*'
SECURITY.* .*:
SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,Rem
oteAddress="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
SECURITY.* .*:
SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddr
ess="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
SECURITY.* .*:
SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,Remo
teAddress="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
SECURITY.* .*:
SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP
".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
VERBOSE.* logger.c: -- .*IP/-.* Playing 'ss-
noservice' \(language '.*'\)
SECURITY.* .*:
SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".
*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TL
S)//[0-9]+
WARNING.* .*: fail2ban=''
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Blacklist failed attempts

2018-03-01 Thread Benoit Panizzon 
Hi

You could do somethink like this in Perl:

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;

open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log 
file file exist\?\n\n";
 
while () {
my ($line) = $_;
chomp($line);
if ($line =~ m/\' failed for \'(.*?):\d+\' - No matching peer found/) {
push(@failhost,$1);
}
if ($line =~ m/\' failed for \'(.*?):\d+\' - Wrong password/) {
push(@failhost,$1);
}
}
 
my $blockedhosts = `/sbin/iptables -n -L asterisk`;
 
while ($blockedhosts =~ /(.*)/g) {
my ($line2) = $1;
chomp($line2);
if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
$currblocked{ $1 } = 'blocked';
}
}

if (@failhost) {
&count_unique(@failhost);
while (my ($ip, $count) = each(%addblocked)) {
if (exists $currblocked{ $ip }) {
} else {
$action = `/sbin/iptables -I asterisk -s $ip -j REJECT`;
print "$ip blocked. $count attempts.\n";
}
}
} else {
#print "no failed registrations.\n";
}
 
sub count_unique {
my @array = @_;
my %count;
map { $count{$_}++ } @array;
map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
}

Mind, this would NOT block attempts via IPv6. So I have stopped using that 
script, also reading the file over and over again is not very performant.

I have not opted to using my MirkroTik Firewall to block failed attempts, 
similar rules can also be make with iptables:

In the Mangle Ruleset:

 1;;; SIP Check Unauth
  chain=forward action=add-dst-to-address-list protocol=udp 
src-address-list=SIP-Servers address-list=sip-auth-fail 
address-list-timeout=10m 
  out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized 
log=no log-prefix=""

 2;;; tcp sip check auth fail
  chain=forward action=add-dst-to-address-list protocol=tcp 
src-address-list=SIP-Servers address-list=sip-auth-fail 
address-list-timeout=10m 
  out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized 
log=no log-prefix=""

And then you just block all source address from sip-auth-fail in your 
forwarding table. This works for IPv6 and IPv4.

(Als yes, depending on the speed of your link, this also could be ressource 
intensive on your firewall, as it does full packet inspection.

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Blacklist failed attempts

2018-03-01 Thread Antony Stone 
On Thursday 01 March 2018 at 14:02:37, Atux Atux wrote:

> Hi. I would like to protect my system from failed attempts. I would like to
> ask if there is a way to do a blacklist for certain amount of time
> consecutive attempts from the same IP.

fail2ban

> For example if we have an IP that gets a wrong passwd an it had tried more
> than 3 times the last 5 minutes, blacklist it for an hour.

Good plan.

> I have tried to implement it through fail2ban,

What have you tried?  Show us the configuration.

> but it does not seem to work for my asterisk implementation.

Which version of Asterisk are you using and how have you set up fail2ban?

> Is there any other way?

There may be other ways, but fail2ban really is the right tool for this job.


Antony.

-- 
I conclude that there are two ways of constructing a software design: One way 
is to make it so simple that there are _obviously_ no deficiencies, and the 
other way is to make it so complicated that there are no _obvious_ 
deficiencies.

 - C A R Hoare

   Please reply to the list;
 please *don't* CC me.

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users