Skip to main content

Install Fail2ban for Asterisk from RPM

 

This procedure is what I consider the simplest possible fail2ban install procedure because it installs from RPM.  The most up to date RPM is currently found on the EPEL repository.

Set up EPEL repository

For CentOS5 32 or 64 bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

For CentOS6 32 or 64 bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
 

Install fail2ban set to start on boot

  
yum install fail2ban
chkconfig fail2ban on

Make sure fail2ban and iptables are set to start on boot

chkconfig --list fail2ban
fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off 
chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

Create the asterisk fail2ban filter

nano /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
   
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

This is just a sample.  You can do an internet search and see if there are any new lines that can be added to this fail2ban asterisk filter or if you are looking to block a specific attack.

Now go in and configure fail2ban with your email address and your preferred defaults.  You can set bantime and maxretry to your preference.  Also a good idea to enable ssh-iptables filter.  Make sure to change the port if you are using something other than 22. Lastly, check the logpath.  For CentOS the logpath is /var/log/secure for ssh-iptables.  For Asterisk it may be /var/log/asterisk/full on some existing installs and /var/log/asterisk/messages on newer installs.  Depends on how it's set on FreePBX Advanced Settings GUI and /etc/asterisk/logger_logfiles_custom.conf.  If you don't get these log paths right then fail2ban is not going to do anything.

Create the custom configuration file and edit

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
ssh-iptables should already be there.  Just change enabled = false to enabled =true and other defaults as needed Add the asterisk-iptables entry to the end of the file.  Double check the logpath. 
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=22, protocol=tcp]
sendmail-whois[name=SSH, dest=root, sender=asterisk@fail2ban.local]|
logpath  = /var/log/secure
maxretry = 5

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, sender=asterisk@fail2ban.local]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 86400

Lastly, make sure date format for asterisk log files is set properly for fail2ban.  If you do not see the following entry in /etc/asterisk/logger.conf or logger_general_additional.conf or logger_general_custom.conf or logger_logfiles_addional.conf or logger_logfiles_custom.conf then add it to logger_logfiles_custom.conf

dateformat=%F %T

Then restart Asterisk or Asterisk logger for changes to take effect.

amportal restart

or from Asterisk command prompt >logger reload Thats it.  Now make sure fail2ban starts.  If not double check for syntax errors in jail.conf.

service fail2ban start

Comments

Post a Comment

Popular posts from this blog

Vicidial Scratch installation Alma -9

Step 1 – Download the dependencies   hostnamectl set-hostname xxxxxx.xxxxx.xxx ### Use YOUR SubDomain vi /etc/hosts ##Change domain name for actual server ip (xxx.xxx.xxx.xxx   complete domain name    subdomain only) timedatectl set-timezone Asia/Kolkata yum check-update yum update -y yum -y install epel-release yum update -y yum install git -y yum install -y kernel* sudo dnf install kernel-devel-$(uname -r) -y #Disable SELINUX sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config     reboot Step 2 – Run the Script cd /usr/src/ git clone https://github.com/manish23k/vicidial-install-scripts cd vicidial-install-scripts chmod +x alma-rocky9-ast16.sh ./alma-rocky9-ast16.sh Or the Asterisk 18 version: chmod +x alma-rocky9-ast18.sh ./alma-rocky9-ast18.sh ####For PHP 8 use this script. chmod +x main-installer-php8.sh ./main-installer-php8.sh
Post a Comment
Read more

Vicidial Scratch installation Debian 11 with Asterisk 16, WebRTC and Dynamic Portal

  Vicidial Scratch installation Debian 11  Asterisk 16, WebRTC and Dynamic Portal apt update apt upgrade apt-get install git nano wget cd /usr/src/ git clone https://github.com/manish23k/Vici_Install_Scripts_Deb_11.git cd Vici_Install_Scripts_Deb_11/ chmod +x *.sh Run ./vici_install_deb_ast16.sh Install WebRTC ./vicidial-install-webrtc.sh Once Done with Configuration Secure Server with Vici Dynamic Portal Run ./vici_dynportal.sh
Post a Comment
Read more

How to delete old call logs and other logs in vicidial or goautodial.

Step 1 : SSH to the server using the Putty Step 2:   login to mysql by typing   mysql -p                    (if you dont know password try below command )               mysql -ucron -p1234 Step 3 : select the asterisk database by typing               use asterisk step 4: Run the below command to check total disk occupied by asterisk database                SELECT table_schema AS "asterisk", ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS "Size (MB)" FROM information_schema.TABLES GROUP BY table_schema; Step 5 : Run the below command to check disk space consumed by each table in asterisk database SELECT table_name AS "Table", ROUND(((data_length + index_length) / 1024 / 1024), 2) AS "Size (MB)" FROM information_schema.TABLES WHERE table_schema = "asterisk" ORDER BY (data_length + inde...
Post a Comment
Read more