Hey, just another config draft from me. In that article we will enable fail2ban jail for asterisk on UDP/5060 via iptables.
In /etc/sysconfig/iptables we should allow UDP/5060 for all (if you want to enable only for your subnet why you need fail2ban? Just allow 192.168.1.0/24 and don’t read that article).
# sip -A INPUT -p udp -m udp --dport 5060 -j ACCEPT # rtp -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
Next we will install fail2ban via yum install fail2ban. And lets make our sample config in jail.local (not .conf!) Also notice that I disable sendmail (no banaction send mail. A lot of notifications..)
[DEFAULT] # Ban hosts for one hour: bantime = 3600 # Override /etc/fail2ban/jail.d/00-firewalld.conf: banaction = iptables-multiport ignoreip = 127.0.0.1/8 192.168.1.0/24 YOURIP#1 YOURIP#2 destemail = yourmail@superadmin.com sendername = servermail@superserver.com mta = ssmtp [asterisk] enabled = true bantime = 86400 port = 5060 action = %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/asterisk/security maxretry = 2
Also we shoud edit asterisk filter rule because from repo filter will try to look full log instead of security only. Make backup of file and edit /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
ignoreregex =
# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
Next lets edit our /etc/asterisk/logger.conf file:
[general] dateformat=%F %T [logfiles] security => security,notice
After all restart our services:
systemctl restart asterisk systemctl restart iptables systemctl restart fail2ban
Check that fail2ban is working and ban: fail2ban-client status asterisk. Wait until it caught couple of IPs and than enable services autoload and disable firewalld service which fail2ban enable as dependence:
systemctl enable iptables && systmectl enable fail2ban && systemctl disable firewalld