If this is a small site, I recommend you download the free version of SecAst (www.telium.ca) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match etc. Instead it talks to Asterisk through the AMI to extract security information. Messing with regexes is a losing battle, and the lag in reading logs can allow an attacker 100+ registration attempts before fail2ban even does anything (assuming the IP is exposed in the Asterisk log).

If this is a large install then post in the commercial list for more information.

-Raj-

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tech Support
Sent: Wednesday, March 1, 2017 2:37 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1

It's possible that you need to increase the value of 'findtime' to something greater than 300 secs. You also may want to set "timestamp = yes" in asterisk.conf so each line in the CLI will be time stamped. Time stamping it will be the definitive determination on whether or not the 'findtime' is the culprit.

Regards;
John V.

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Motty Cruz
Sent: Wednesday, March 01, 2017 01:29 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] fail2ban Asterisk 13.13.1

Hello,
fail2ban does not ban offending IP.

NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong password
NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53911' - Wrong password

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300

[asterisk-iptables]
enable = true
port = 5060,5061
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail[name=ASTERISK, dest=motty at email.com, sender=fail2ban at asterisk-ip.com]
#action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3
findtime = 300
bantime = -1

in filter.d asterisk.conf

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password

ignoreregex =

Thanks
Motty
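As an added illustration that is not part of the thread, the Python below replays two patterns from the posted filter's second `failregex =` block against constructed log lines shaped like the two NOTICE lines above (RFC 5737 test addresses and a "[timestamp]" prefix stand in for the real values). The `<HOST>` expansion is assumed to be the fail2ban 0.9 definition; with it, the `'<HOST>' - Wrong password` pattern cannot match a chan_sip line that carries `:port` after the address, while the first block's `'<HOST>(:\d+)?'` form does, so the same three attempts either never reach `maxretry = 3` or trigger the ban.

```python
import re

# Constructed sample lines in the shape of the two NOTICE lines posted above, with
# a "[timestamp]" prefix (asterisk.conf timestamp = yes) and RFC 5737 test addresses.
SAMPLE_LOG = [
    "[Mar  1 13:20:01] NOTICE[29784] chan_sip.c: Registration from '\"user3\"<sip:1005@192.0.2.10:5060>' failed for '203.0.113.7:53417' - Wrong password",
    "[Mar  1 13:20:02] NOTICE[29784] chan_sip.c: Registration from '\"user3\"<sip:1005@192.0.2.10:5060>' failed for '203.0.113.7:53911' - Wrong password",
    "[Mar  1 13:20:03] NOTICE[29784] chan_sip.c: Registration from '\"bob\"<sip:1006@192.0.2.10:5060>' failed for '203.0.113.7:53912' - No matching peer found",
]

# Expansion of the <HOST> tag as fail2ban 0.9 defines it (assumed here); no ':' is
# allowed inside the host, which is exactly why a trailing ':port' breaks a match.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def expand(failregex):
    """Compile one failregex line after substituting the <HOST> tag."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

# Two patterns taken from the second 'failregex =' block in the posted filter.
POSTED = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
]
# The same two with the port made optional, the way the first block's
# '<HOST>(:\d+)?' form does.
FIXED = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - No matching peer found",
]

def matched_hosts(patterns, lines):
    """Return the <host> capture for every log line that any pattern matches."""
    compiled = [expand(p) for p in patterns]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits

def banned_hosts(patterns, lines, maxretry=3):
    """Apply the jail's maxretry rule (the lines are seconds apart, so findtime=300 is met)."""
    counts = {}
    for host in matched_hosts(patterns, lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

Independently of the regexes, the posted jail stanza spells the option `enable`; fail2ban's option is `enabled`, and a jail without `enabled = true` never starts, which is worth ruling out before tuning patterns.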
On Thursday 02 Mar 2017, Telium Technical Support wrote:
> If this is a small site, I recommend you download the free version of
> SecAst (www.telium.ca) and replace fail2ban.
> SecAst does NOT use the log file, or regexes, to match etc. Instead it
> talks to Asterisk through the AMI to extract security information.
> Messing with regexes is a losing battle, and the lag in reading logs can
> allow an attacker 100+ registration attempts before fail2ban even does
> anything (assuming the IP is exposed in the Asterisk log).

I would recommend exactly the opposite. If you install proprietary, binary-only software on your system, you have no way to verify its integrity. This is no throwaway portable device, it is the heart of your business's telephone system. Do not go compromising its security by installing software that can't be independently verified.

Ask yourself two questions: (1) Would you eat a cake that did not have the ingredients listed on the box? And (2) why would the manufacturer *not* tell you what ingredients they were using -- unless they suspected that if you knew for sure what was actually in the cake, you might not be so inclined to eat it after all?

--
Julie

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
John V

Are you using pjsip? We have several test servers and I just checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated for pjsip implementations. Looking at the security log files and the regex I noticed that some items are being banned but others are not due to changes in the messages for pjsip.

Anyone got an updated asterisk.conf for fail2ban?

Bryant

----------------------------------------
From: "Telium Technical Support" <support at telium.ca>
Sent: Wednesday, March 1, 2017 9:54 PM
To: "Asterisk Users Mailing List - Non-Commercial Discussion" <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1
On 02-03-17 13:52, Bryant Zimmerman wrote:
> John V
>
> Are you using pjsip? We have several test servers and I just
> checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated
> for pjsip implementations. Looking at the security log files and the
> regex I noticed that some items are being banned but others are not due
> to changes in the messages for pjsip.
> Anyone got an updated asterisk.conf for fail2ban?

The latest upstream version of asterisk.conf can be found here:
https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/asterisk.conf

This commit mentions improved pjsip support:
https://github.com/fail2ban/fail2ban/commit/f85fb45b29768f687546ba25f805977cf00b6e43

HTH,
Patrick