Giles Coochey
2013-Jul-08 11:46 UTC
[asterisk-users] Asterisk 11 security log, fail2ban, drive-by SIP attacks
Just a note that I did a little work to extend the FreePBX distro with some extra Fail2Ban which deals with some drive-by SIP registration attempts.

My regex is poor to middling, but the steps detailed here: http://www.coochey.net/?p=61 manage to stop IPs which try to authenticate against Asterisk which FreePBX was not able to stop before.

I would welcome any improvements anyone would care to submit and I'll extend the article a little.

The changes need the Asterisk security log feature, which I think was only introduced in later versions of Asterisk (e.g. v11).

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net
Patrick Lists
2013-Jul-08 15:11 UTC
[asterisk-users] Asterisk 11 security log, fail2ban, drive-by SIP attacks
On 07/08/2013 01:46 PM, Giles Coochey wrote:
> Just a note that I did a little work to extend FreePBX distro with some
> extra Fail2Ban which deals with some drive-by SIP registration attempts.
>
> My regex is poor to middling, but the steps detailed here:
> http://www.coochey.net/?p=61 manage to stop IPs which try to
> authenticate against Asterisk which FreePBX were not able to stop before.
>
> I would welcome any improvements anyone would care to submit and I'll
> extend the article a little.
>
> The changes need the Asterisk security log feature, which I think was
> only introduced in later versions of Asterisk (e.g. v11).

It seems your rule is not yet present in fail2ban 0.8.10.0. The only one close to it is:

SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$

See https://github.com/fail2ban/fail2ban/blob/0.8.10/config/filter.d/asterisk.conf

Might be an idea to submit it for future inclusion.

Regards,
Patrick
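Added example, not code from either poster or from the fail2ban project: it runs the failregex quoted in Patrick's reply over a few constructed Asterisk 11 security-log lines the way fail2ban would, counting matches per remote host and reporting which InvalidAccountID events the rule does not recognise. The stand-ins for fail2ban's `__pid_re` and `<HOST>` substitutions (PID_RE, HOST_RE), the `would_ban` threshold check, and the sample log lines are all assumptions of this example, not taken from the thread or from asterisk.conf.

```python
import re
from collections import Counter

# The failregex quoted in the reply above, exactly as written there (one rule
# from fail2ban 0.8.10's filter.d/asterisk.conf).
FAILREGEX = (
    r'SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",'
    r'EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",'
    r'EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",'
    r'LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$'
)

# Assumed stand-ins for the substitutions fail2ban performs when it loads the
# filter: __pid_re is taken to be a bracketed process id, and <HOST> becomes a
# named group capturing an IPv4 or IPv6 literal. Check asterisk.conf and
# common.conf for the real definitions in your fail2ban version.
PID_RE = r"(?:\[\d+\])"
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"


def compile_failregex(failregex=FAILREGEX):
    """Expand the fail2ban placeholders and compile the rule."""
    expanded = (failregex % {"__pid_re": PID_RE}).replace("<HOST>", HOST_RE)
    return re.compile(expanded)


def scan(lines, pattern=None):
    """Run the rule over security-log lines.

    Returns (hits, missed): hits counts matches per remote host; missed
    collects InvalidAccountID lines the rule did not recognise, which is
    the gap a site-specific filter would have to close."""
    pattern = pattern or compile_failregex()
    hits = Counter()
    missed = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
        elif 'SecurityEvent="InvalidAccountID"' in line:
            missed.append(line)
    return hits, missed


def would_ban(hits, maxretry):
    """Hosts that reached fail2ban's maxretry count (findtime is ignored here)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample lines in the Asterisk 11 security-log layout; the
# addresses are documentation ranges and the field set is simplified.
SAMPLE_LOG = [
    '[2013-07-08 11:46:01] SECURITY[2193] res_security_log.c: '
    'SecurityEvent="InvalidAccountID",EventTV="1373283961-104321",'
    'Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",'
    'SessionID="0x7f3a4c01d2e0",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
    'RemoteAddress="IPV4/UDP/198.51.100.23/5060"',
    '[2013-07-08 11:46:02] SECURITY[2193] res_security_log.c: '
    'SecurityEvent="InvalidAccountID",EventTV="1373283962-228817",'
    'Severity="Error",Service="SIP",EventVersion="1",AccountID="1002",'
    'SessionID="0x7f3a4c01d2e0",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
    'RemoteAddress="IPV4/UDP/198.51.100.23/5060"',
    # Non-numeric account name: AccountID="[0-9]+" does not match, so the
    # stock rule does not count this attempt at all.
    '[2013-07-08 11:46:03] SECURITY[2193] res_security_log.c: '
    'SecurityEvent="InvalidAccountID",EventTV="1373283963-310052",'
    'Severity="Error",Service="SIP",EventVersion="1",AccountID="admin",'
    'SessionID="0x7f3a4c01e3f0",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
    'RemoteAddress="IPV4/UDP/203.0.113.7/5061"',
    # A successful registration from a real phone: must never be counted.
    '[2013-07-08 11:46:05] SECURITY[2193] res_security_log.c: '
    'SecurityEvent="SuccessfulAuth",EventTV="1373283965-417730",'
    'Severity="Informational",Service="SIP",EventVersion="1",AccountID="1003",'
    'SessionID="0x7f3a4c01f500",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
    'RemoteAddress="IPV4/UDP/192.0.2.55/5060"',
]

if __name__ == "__main__":
    hits, missed = scan(SAMPLE_LOG)
    print("matches per host:", dict(hits))
    print("would ban at maxretry=2:", would_ban(hits, 2))
    for line in missed:
        print("not caught by the quoted rule:", line)
```

Running it counts the two numeric-account attempts from 198.51.100.23 and leaves the line with AccountID="admin" in the missed list, because the quoted rule accepts only digits in AccountID; that is the sort of gap a site-specific filter such as the one described in the first message has to cover. When extending the pattern, keep the successful-registration line in the test set so that a broadened rule cannot ban legitimate phones.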