Difference between revisions of "Asterisk"

From Fail2ban
(7 intermediate revisions by 3 users not shown)
Earlier revision: section "Original page content" (replaced in the latest revision by "Setting Asterisk Conf & Jail Rules")

Hello all,

I have fail2ban installed on CentOS 4.7 with Shoreline Firewall (Shorewall) and IpTables. This works well with SSH, Apache and Named bans. However, I am still trying to get it to ban failed SIP registration attempts in Asterisk.

My jail.conf contains the following for Asterisk:

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath  = /var/log/messages
maxretry = 2
bantime  = 259200

Here is the filter.d/asterisk file (only the lines shown in the revision diff):

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

(lines not shown in the diff)

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

(lines not shown in the diff)

#
ignoreregex =

I cannot figure out why this is not banning. Do I have the right log file? This is the one I was directed to in the online instructions. Can anyone help me please?

Thank you in advance for any assistance

Phil

[Response: dysloke]

Phil, you must enter the correct log path of Asterisk in jail.conf; the correct path is /var/log/asterisk/messages and you have /var/log/messages.
 
  
Latest revision as of 12:33, 5 July 2013

Asterisk is an open source VoIP PBX. If your Asterisk is exposed to the Internet, you may see people brute-forcing usernames and passwords; apart from the obvious security risk, this often happens at a high rate, causing high CPU and bandwidth usage.


WARNING: There are certain types of Asterisk attacks that fail2ban is ineffective against. For more details see the discussion page. (This mainly applies to Asterisk versions before 10.x; for later versions see the information below.)

Asterisk 10.x and newer

The Asterisk team have introduced a new log, the security log. It records extra information for security events, which fail2ban can use to stop attacks, especially attempts to make calls without registering, which could not be blocked with fail2ban before.

First the security log needs to be enabled in /etc/asterisk/logger.conf:

messages => security, notice,warning,error

Also, modify the date format so fail2ban understands the log file:

[general]
dateformat=%F %T

Then reload the Asterisk logger module so the new settings take effect:

asterisk -rx "logger reload"

For filter examples, use the ones shipped with fail2ban. Don't forget to point fail2ban (in jail.conf) to /var/log/asterisk/messages, or to both /var/log/asterisk/messages and /var/log/asterisk/security if you have configured the security log separately from the main log. The configuration above writes security messages to the main Asterisk log.


Older Asterisk versions - without the /var/log/asterisk/security log

Asterisk 1.4 (Debian: 1:1.4.21.2~dfsg-3+lenny1)

The first line below is from /var/log/asterisk/messages, which is written by Asterisk itself. It is not usable with fail2ban 0.8.3 because the timestamp is enclosed in brackets.

The second line is what you get if you instruct asterisk to log to syslog by adding syslog.local0 => notice,warning,error to /etc/asterisk/logger.conf (and obviously configuring your syslogd to log local0 to some file).

Fail2ban 0.8.3+ recognizes the Asterisk 1.8.x log format and there's no need to enable syslog.local0 as it'll just fill up your messages/syslog file. Use fail2ban-regex to test your conf files and you'll see they're working.

  • [Aug 8 14:31:33] NOTICE[1687] chan_sip.c: Registration from '"150"<sip:150@hostname>' failed for '192.0.2.1' - No matching peer found
  • Aug 8 14:31:33 hostname asterisk[1617]: NOTICE[1687]: chan_sip.c:15642 in handle_request_register: Registration from '"154"<sip:154@hostname>' failed for '192.0.2.1' - No matching peer found



05/14/2011 - Don't forget to add this to /etc/asterisk/logger.conf.

[general]
dateformat=%F %T

That's important, otherwise fail2ban will not be able to properly parse the log file.
FSD


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

failregex = asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - No matching peer found


Setting Asterisk Conf & Jail Rules

jail.conf:

[DEFAULT]
bantime = 3600
findtime = 21600
maxretry = 3
backend = auto


[asterisk-iptables]
# if more than 4 attempts are made within 6 hours, ban for 24 hours
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath  = /var/log/asterisk/messages
maxretry = 4
findtime = 21600
bantime  = 86400

filter.d/asterisk.conf file for Asterisk 1.4/1.6:

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
   
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

filter.d/asterisk.conf file for Asterisk 1.8:

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
   
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
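To see what the two filters above and the jail settings actually do to a log line, here is an added Python example (not part of the wiki page and not fail2ban's own code). It expands the <HOST> tag into the alias quoted in the filter comments, runs two failregex lines from the 1.4/1.6 filter and the corresponding two from the 1.8 filter over constructed sample lines in the 1.8 "Host:Port" format with dateformat=%F %T, and applies the maxretry/findtime rule from the jail. The sample lines, host addresses and the pbx hostname are constructed for the demonstration; the ban bookkeeping is a simplified imitation of fail2ban, not its real implementation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag with this alias (quoted from the filter comments above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Two failregex lines from the page's filter for Asterisk 1.4/1.6 (host without port) ...
FAILREGEX_14 = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
]
# ... and the same two from the Asterisk 1.8 filter, which expects Host:Port.
FAILREGEX_18 = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
]

# Constructed sample lines (not real log data) in the shape Asterisk 1.8 writes to
# /var/log/asterisk/messages once dateformat=%F %T is set in logger.conf.
SAMPLE_LOG_18 = [
    "[2013-07-05 03:00:00] NOTICE[1687] chan_sip.c: Registration from '\"100\"<sip:100@pbx>' failed for '192.0.2.1:5060' - Wrong password",
    "[2013-07-05 12:00:01] NOTICE[1687] chan_sip.c: Registration from '\"100\"<sip:100@pbx>' failed for '192.0.2.1:5060' - Wrong password",
    "[2013-07-05 12:00:02] NOTICE[1687] chan_sip.c: Registration from '\"101\"<sip:101@pbx>' failed for '192.0.2.1:5060' - No matching peer found",
    "[2013-07-05 12:00:03] NOTICE[1687] chan_sip.c: Registration from '\"200\"<sip:200@pbx>' failed for '198.51.100.7:5060' - Wrong password",
    "[2013-07-05 12:00:04] NOTICE[1687] chan_sip.c: Registration from '\"102\"<sip:102@pbx>' failed for '192.0.2.1:5060' - Wrong password",
    "[2013-07-05 12:00:05] VERBOSE[1687] chan_sip.c: Really destroying SIP dialog 'abc123@pbx' Method: REGISTER",
]

# Leading timestamp as produced by dateformat=%F %T (Asterisk wraps it in brackets).
TIMESTAMP = re.compile(r"^\[?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def extract_host(compiled, line):
    """Return the 'host' group of the first matching failregex, or None if no pattern matches."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_time(line):
    """Parse the %F %T timestamp at the start of a log line."""
    m = TIMESTAMP.match(line)
    if not m:
        raise ValueError("no %F %T timestamp at start of line: " + line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")


def find_bans(lines, compiled, maxretry, findtime):
    """Simplified jail rule: ban a host once it has maxretry matches within findtime seconds."""
    recent = defaultdict(list)   # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        host = extract_host(compiled, line)
        if host is None:
            continue
        now = parse_time(line)
        window = [t for t in recent[host] if now - t <= timedelta(seconds=findtime)]
        window.append(now)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    rx18 = compile_failregex(FAILREGEX_18)
    rx14 = compile_failregex(FAILREGEX_14)
    print("1.8 filter, maxretry=3 findtime=21600:", find_bans(SAMPLE_LOG_18, rx18, 3, 21600))
    print("1.8 filter, maxretry=4 findtime=21600:", find_bans(SAMPLE_LOG_18, rx18, 4, 21600))
    # The 1.4/1.6 pattern still matches a 1.8 line, but its host group swallows the port,
    # so the "address" handed to the ban action would be 192.0.2.1:5060.
    print("1.4 filter captures:", extract_host(rx14, SAMPLE_LOG_18[0]))
```

The interesting result is the last one: the 1.4/1.6 pattern does not fail on a 1.8 line, it captures `192.0.2.1:5060` as the host, which is why the 1.8 filter puts `:.*` after `<HOST>`. The first two results show the findtime window at work: the 03:00 attempt falls outside a six-hour window, so the same host is banned at maxretry=3 but not at maxretry=4.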