Hi. I would like to protect my system from failed attempts. I would like to ask if there is a way to do a blacklist for a certain amount of time after consecutive attempts from the same IP. For example, if we have an IP that gets a wrong password and has tried more than 3 times in the last 5 minutes, blacklist it for an hour. I have tried to implement it through fail2ban, but it does not seem to work for my Asterisk implementation. Is there any other way?
On Thursday 01 March 2018 at 14:02:37, Atux Atux wrote:

> Hi. I would like to protect my system from failed attempts. I would like to
> ask if there is a way to do a blacklist for certain amount of time
> consecutive attempts from the same IP.

fail2ban

> For example if we have an IP that gets a wrong passwd an it had tried more
> than 3 times the last 5 minutes, blacklist it for an hour.

Good plan.

> I have tried to implement it through fail2ban,

What have you tried? Show us the configuration.

> but it does not seem to work for my asterisk implementation.

Which version of Asterisk are you using and how have you set up fail2ban?

> Is there any other way?

There may be other ways, but fail2ban really is the right tool for this job.

Antony.

-- 
I conclude that there are two ways of constructing a software design: One way is to make it so simple that there are _obviously_ no deficiencies, and the other way is to make it so complicated that there are no _obvious_ deficiencies.
 - C A R Hoare

Please reply to the list; please *don't* CC me.
Hi,

You could do something like this in Perl:

    #!/usr/bin/perl -w
    use strict;
    use warnings;

    my @failhost;      # source IP of every failed registration seen in the log
    my %currblocked;   # IPs already present in the "asterisk" iptables chain
    my %addblocked;    # IP => number of failed attempts

    open(my $log, '<', '/var/log/asterisk/messages')
        or die "\n$!\nDoes the log file exist?\n\n";
    while (my $line = <$log>) {
        chomp $line;
        if ($line =~ m/' failed for '(.*?):\d+' - No matching peer found/) {
            push @failhost, $1;
        }
        if ($line =~ m/' failed for '(.*?):\d+' - Wrong password/) {
            push @failhost, $1;
        }
    }
    close $log;

    # What the firewall already rejects, so we do not insert duplicate rules.
    my $blockedhosts = `/sbin/iptables -n -L asterisk`;
    for my $line2 (split /\n/, $blockedhosts) {
        if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)\s+/) {
            $currblocked{$1} = 'blocked';
        }
    }

    if (@failhost) {
        count_unique(@failhost);
        while (my ($ip, $count) = each %addblocked) {
            next if exists $currblocked{$ip};
            # list form of system(): the address never passes through a shell
            system('/sbin/iptables', '-I', 'asterisk', '-s', $ip, '-j', 'REJECT');
            print "$ip blocked. $count attempts.\n";
        }
    }
    else {
        # print "no failed registrations.\n";
    }

    sub count_unique {
        my @array = @_;
        my %count;
        $count{$_}++ for @array;
        $addblocked{$_} = $count{$_} for sort keys %count;
    }

Mind, this would NOT block attempts via IPv6. So I have stopped using that script; also, reading the file over and over again is not very performant.
I have now opted to use my MikroTik firewall to block failed attempts; similar rules can also be made with iptables.

In the Mangle ruleset:

    1 ;;; SIP Check Unauth
      chain=forward action=add-dst-to-address-list protocol=udp src-address-list=SIP-Servers
      address-list=sip-auth-fail address-list-timeout=10m out-interface=IMP-PPPOE src-port=5060
      content=SIP/2.0 401 Unauthorized log=no log-prefix=""

    2 ;;; tcp sip check auth fail
      chain=forward action=add-dst-to-address-list protocol=tcp src-address-list=SIP-Servers
      address-list=sip-auth-fail address-list-timeout=10m out-interface=IMP-PPPOE src-port=5060
      content=SIP/2.0 401 Unauthorized log=no log-prefix=""

And then you just block all source addresses from sip-auth-fail in your forwarding table. This works for IPv6 and IPv4. (Also yes, depending on the speed of your link, this could also be resource intensive on your firewall, as it does full packet inspection.)

Kind regards
-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________
Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
On Thu, 2018-03-01 at 15:02 +0200, Atux Atux wrote:

> I have tried to implement it through fail2ban, but it does not seem
> to work for my asterisk implementation.

I'm happy with Fail2Ban protecting my Asterisk 13. Here is my configuration:

in /etc/asterisk/logger.conf:

    messages => security,notice,warning,error

in /etc/asterisk/sip.conf:

    allowguest=yes
    context=unauthenticated

in /etc/asterisk/extensions.conf:

    [unauthenticated]
    ;; Incoming calls from unauthenticated caller -> Fail2Ban
    exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
    exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
    exten => _X.,3,HangUp()
    exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
    exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
    exten => _+X.,3,HangUp()

in /etc/fail2ban/jail.conf:

    [asterisk]
    filter   = asterisk
    action   = iptables-allports[name=ASTERISK]
    logpath  = /var/log/asterisk/messages
    maxretry = 1
    findtime = 86400
    bantime  = 518400
    enabled  = true

in /etc/fail2ban/filter.d:

    # Fail2Ban configuration file
    #
    #
    # $Revision: 250 $
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf

    [Definition]

    #_daemon = asterisk

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
                NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
                NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
                NOTICE.* .*: Host <HOST> denied access to register peer '.*'
                NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
                NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
                NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
                NOTICE.* .*: Host <HOST> denied access to register peer '.*'
                SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
                SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
                SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
                SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
                VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
                SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
                WARNING.* .*: fail2ban='<HOST>'

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
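As an added example (not code from anyone in this thread), here is the original poster's rule, more than 3 failures from one address inside 5 minutes gives a one-hour ban, implemented as a sliding window over Asterisk log lines in both the chan_sip NOTICE form and the SECURITY event form matched by the filter above. It accepts IPv4 and bracketed IPv6 literals, which the Perl script earlier in the thread did not; the log line layouts, the addresses and the `notice_line` helper are constructed, and the firewall action (iptables, nftables or the MikroTik address list) is deliberately left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# <HOST> stand-in: an IPv4 literal or a (possibly bracketed) IPv6 literal, which
# closes the IPv6 gap noted for the Perl script earlier in the thread.
HOST = r"\[?(?P<host>[0-9a-fA-F:.]+)\]?"
FAIL_RES = [re.compile(p) for p in (
    r"NOTICE.* Registration from '.*' failed for '" + HOST + r":\d+' - (?:Wrong password|No matching peer found)",
    r'SECURITY.* SecurityEvent="(?:InvalidPassword|InvalidAccountID|ChallengeResponseFailed)".*'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS)/' + HOST + r'/\d+"',
)]
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")  # Asterisk log timestamp prefix

class Blacklist:
    """More than `threshold` failures from one host inside a sliding `window` => banned for `ban`."""
    def __init__(self, threshold=3, window=timedelta(minutes=5), ban=timedelta(hours=1)):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned = {}                    # host -> ban expiry

    def observe(self, line):
        """Feed one log line; return the host if this line triggers a new ban, else None."""
        ts = TS_RE.match(line)
        hit = next(filter(None, (r.search(line) for r in FAIL_RES)), None)
        if not ts or not hit:
            return None                     # not an authentication-failure line
        now = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        host = hit.group("host")
        if self.banned.get(host, now) > now:
            return None                     # still banned; the firewall is already dropping it
        self.banned.pop(host, None)         # forget an expired ban
        recent = self.failures[host]
        recent.append(now)
        while now - recent[0] > self.window:  # slide the window forward
            recent.popleft()
        if len(recent) > self.threshold:    # "more than 3 times in the last 5 minutes"
            self.banned[host] = now + self.ban
            recent.clear()
            return host
        return None

def scan(lines, policy=None):
    """Return [(host, ban_expiry)] for each ban triggered while reading the lines in order."""
    policy = policy or Blacklist()
    return [(h, policy.banned[h]) for h in map(policy.observe, lines) if h]

def notice_line(ts, host):
    """Constructed chan_sip-style failure line (not from a real system) for exercising the policy."""
    return f"[{ts}] NOTICE[123] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.1>' failed for '{host}:5060' - Wrong password"
```

Feeding `scan()` the output of `tail -F /var/log/asterisk/messages` and handing each returned host to the firewall gives the whole loop; a host that keeps failing while banned is not re-counted, and its window restarts once the ban lapses.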
If this is a home system, try the free edition of SecAst (http://www.telium.ca/?secast). It allows you to set thresholds for the number of attempts, and specify the period in which they occur. The Free edition of SecAst is a drop-in replacement for fail2ban (but with a lot more intelligence included for free).

If this is for a business / you are looking for a commercial product recommendation then post on the commercial list :)

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Atux Atux
Sent: Thursday, March 1, 2018 8:03 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: [asterisk-users] Blacklist failed attempts