Is anyone using asterisk with fail2ban? I have it working except it takes way more break-in attempts than what is set in "maxretry" in jail.conf.
For example, I get an email saying:
"The IP 199.204.45.19 has just been banned by Fail2Ban after 181 attempts against ASTERISK."
when "maxretry = 5" in jail.conf.
Perhaps someone else is experiencing this or has resolved it, thank you in advance for your time.

On Mon, Mar 28, 2011 at 9:20 AM, vip killa <vipkilla at gmail.com> wrote:
> Is anyone using asterisk with fail2ban? I have it working except it takes
> way more break-in attempts than what is set in "maxretry" in jail.conf
> For example, I get an email saying:
> "The IP 199.204.45.19 has just been banned by Fail2Ban after 181 attempts
> against ASTERISK."
> when "maxretry = 5" in jail.conf
> Perhaps someone else is experiencing this or has resolved it, thank you in
> advance for your time.

If you fixed the logging issue discussed here
http://www.fail2ban.org/wiki/index.php/Asterisk then I would assume
your logging has problems.

--
~~~ Andrew "lathama" Latham lathama at gmail.com ~~~

Yes, I followed directions on that page.
Running Asterisk 1.6.1.22, anybody else experiencing this?

On Mon, Mar 28, 2011 at 8:32 AM, Andrew Latham <lathama at gmail.com> wrote:
> On Mon, Mar 28, 2011 at 9:20 AM, vip killa <vipkilla at gmail.com> wrote:
> > Is anyone using asterisk with fail2ban? I have it working except it takes
> > way more break-in attempts than what is set in "maxretry" in jail.conf
> > For example, I get an email saying:
> > "The IP 199.204.45.19 has just been banned by Fail2Ban after 181 attempts
> > against ASTERISK."
> > when "maxretry = 5" in jail.conf
> > Perhaps someone else is experiencing this or has resolved it, thank you in
> > advance for your time.
>
> If you fixed the logging issue discussed here
> http://www.fail2ban.org/wiki/index.php/Asterisk then I would assume
> your logging has problems.
>
> --
> ~~~ Andrew "lathama" Latham lathama at gmail.com ~~~

On Mon, 28 Mar 2011 08:20:23 -0400, vip killa <vipkilla at gmail.com> wrote:
>Is anyone using asterisk with fail2ban?

Sorry for hi-jacking the thread, but I was wondering if there were a lighter alternative that I could run on appliances? Python uses too much RAM, but I need to find a way to ban hackers from trying to connect to Asterisk from the Net.

Thank you.

Just to respond to the IP range approach.

My ISP recently changed my external IP and now it appears that I am in New York (when I am actually static in Manchester, England). I've also been in Birmingham, Motherwell and Nottingham [UK] as well!

So, although banning certain ranges may be a good idea for you - it's not a good idea for everyone (we have 'road warriors' that do, indeed, travel to the Far East and Middle East).

I suppose the only 'real' way to invoke security (on any system) is to have very strong passwords - maybe 1234 is not the way to go :p

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Gilles
Sent: 30 March 2011 10:08
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] asterisk and fail2ban

On Wed, 30 Mar 2011 01:45:20 +0300, Ioan Indreias <indreias at gmail.com> wrote:
>Just to provide an alternative to sshguard: you could use BFD[1]

Thanks Ioan. I'll give it a shot.

> From: vip killa
> Sent: Thu 3/31/2011 8:17 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] asterisk and fail2ban
>
> Back to the original question, for those of you using Fail2Ban,
> Does it take an unusually high amount of break-in attempts before attackers are banned?
> I have it set to 5 attempts in fail2ban but usually, the attacker is able to make over 100 attempts before fail2ban bans them.
> I've tried this using asterisk's /var/log/asterisk/messages and /var/log/messages with same results.
> Perhaps someone else is experiencing this or has resolved it, thank you.
>

I have F2B set to ban after 1 attempt. The most I have seen in the logs is 4-5 attempts before ban is applied. I am calling scripts that apply the ban to a cisco access-list, so there is script/telnet/config delay but it is very minimal and works very well.

JR
--
JR Richardson
Engineering for the Masses

On Thu, Mar 31, 2011 at 10:42:52AM -0500, JR Richardson wrote:
> I have F2B set to ban after 1 attempt. The most I have seen in the
> logs is 4-5 attempts before ban is applied. I am calling scripts that
> apply the ban to a cisco access-list, so there is script/telnet/config
> delay but it is very minimal and works very well.

So I forge one SIP packet and I get you to block the IP address of your SIP trunk (or your IAX trunk)?

Cool!

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

You are a baaaaad person! ;-)

CF

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tzafrir Cohen
Sent: Thursday, March 31, 2011 10:53 AM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] asterisk and fail2ban

On Thu, Mar 31, 2011 at 10:42:52AM -0500, JR Richardson wrote:
> I have F2B set to ban after 1 attempt. The most I have seen in the
> logs is 4-5 attempts before ban is applied. I am calling scripts that
> apply the ban to a cisco access-list, so there is script/telnet/config
> delay but it is very minimal and works very well.

So I forge one SIP packet and I get you to block the IP address of your SIP trunk (or your IAX trunk)?

Cool!

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

>> I have F2B set to ban after 1 attempt. The most I have seen in the
>> logs is 4-5 attempts before ban is applied. I am calling scripts that
>> apply the ban to a cisco access-list, so there is script/telnet/config
>> delay but it is very minimal and works very well.
>
> So I forge one SIP packet and I get you to block the IP address of your
> SIP trunk (or your IAX trunk)?
>
> Cool!
>
> --
>               Tzafrir Cohen

Good thing I ignore my own IP blocks............

JR
--
JR Richardson
Engineering for the Masses
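
Added example, not part of the thread and not fail2ban's own code: a Python model of the maxretry / findtime counting and the ignore list discussed above, run over a constructed log. The function name find_bans, the sample addresses (documentation ranges) and the log line format (modelled on Asterisk 1.6 chan_sip failed-registration NOTICE lines) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed line format: Asterisk 1.6 chan_sip failed-registration NOTICE.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)"
)

def _fail(ts, ip):
    return (f"[2011-03-28 {ts}] NOTICE[2101] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@192.0.2.10>' failed for '{ip}' - Wrong password")

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = "\n".join(
    [_fail(f"09:20:0{s}", "198.51.100.7") for s in range(1, 7)]      # burst of 6
    + [_fail(f"09:21:0{s}", "203.0.113.20") for s in range(5)]       # trunk address
    + [_fail(f"{h}:00:00", "198.51.100.99") for h in range(10, 15)]  # one per hour
    + ["[2011-03-28 15:00:00] VERBOSE[2101] logger.c: unrelated line"]
)

def find_bans(log_text, maxretry=5, findtime=600, ignoreip=()):
    """Return {ip: time of the failure that reached maxretry within findtime seconds}."""
    ignored = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # not a failed registration
        ip = ip_address(m["host"])
        if str(ip) in bans or any(ip in net for net in ignored):
            continue              # already banned, or on the ignore list
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[str(ip)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            bans[str(ip)] = ts
    return bans
```

With the trunk address on the ignore list only the burst source is banned; with maxretry=1 and no ignore list, a single matching line is enough to ban any of the three addresses, the trunk included.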