Fail2Ban Not Blocking For Asterisk11

Hello,

I am creating this post so that the guys at Schmooze can be aware that a regex entry similar to the one mentioned below will need to be added to /etc/fail2ban/filters.d/asterisk.conf to ensure everyone with Asterisk 11 can remain protected.

We have new systems running on Asterisk 11 that receive messages similar to the one below:

[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555sip:[email protected];tag=e9a98a30
[2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555sip:[email protected];tag=eebd8857
[2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device 555sip:[email protected].bb.ccc.dd;tag=243f3815
[2013-07-06 07:19:42] NOTICE[4106][C-00000022] chan_sip.c: Failed to authenticate device 5555sip:[email protected];tag=a049427e
[2013-07-06 07:19:45] NOTICE[4106][C-00000023] chan_sip.c: Failed to authenticate device 5555sip:[email protected];tag=c3c7f81b
[2013-07-06 07:19:48] NOTICE[4106][C-00000024] chan_sip.c: Failed to authenticate device 5555sip:[email protected];tag=6be78a0b
[2013-07-06 07:19:49] NOTICE[4106][C-00000025] chan_sip.c: Failed to authenticate device 5555sip:[email protected];tag=1979ada5

The extensions 555 or 5555 are not our actual extensions. I found that in the Fail2Ban config file for Asterisk at /etc/fail2ban/filter.d/asterisk.conf there is no regex entry looking for a line similar to the ones above. I found this very well-written blog at

http://www.coochey.net/?p=61

that detailed exactly my issue. I added the regex he mentioned to our already configured asterisk.conf file and ensured it was still looking at /var/log/asterisk/fail2ban for fail2ban to function.

I restarted fail2ban and I’ll report if I see any further issues with this regex in place.

This will need to be added by anyone using Asterisk 11 to ensure fail2ban will function properly.
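An added example, not from the post or the linked blog, of how a failregex for this new message can be checked against sample lines before it goes into asterisk.conf. It is written in Python because that is what fail2ban itself is written in; the regex, the per-host tally and the sample lines (with RFC 5737 documentation addresses standing in for the redacted hosts) are my own construction, and in fail2ban's own filter syntax the `host` group would be written as `<HOST>`.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the Asterisk 11 chan_sip NOTICE lines quoted
# in the post. Addresses are RFC 5737 documentation ranges, not real hosts, and the
# "Peer ... Reachable" line is a constructed non-failure line to show a non-match.
SAMPLE_LOG = """\
[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555sip:555@203.0.113.5;tag=e9a98a30
[2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555sip:555@203.0.113.5;tag=eebd8857
[2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device 555sip:555@203.0.113.5;tag=243f3815
[2013-07-06 07:19:42] NOTICE[4106][C-00000022] chan_sip.c: Failed to authenticate device 5555sip:5555@198.51.100.9;tag=a049427e
[2013-07-06 07:19:45] NOTICE[4106] chan_sip.c: Peer '100' is now Reachable.
[2013-07-06 07:19:48] NOTICE[4106][C-00000024] chan_sip.c: Failed to authenticate device 5555sip:5555@198.51.100.9;tag=6be78a0b
[2013-07-06 07:19:49] NOTICE[4106][C-00000025] chan_sip.c: Failed to authenticate device 5555sip:5555@198.51.100.9;tag=1979ada5
"""

# Assumed Python form of a failregex for this message. The call-id tag
# "[C-...]" is optional so the pattern also covers lines without it; the
# named group "host" plays the role fail2ban gives to <HOST>.
FAILED_AUTH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? chan_sip\.c: "
    r"Failed to authenticate device (?P<device>\S+?)@(?P<host>[\w.:-]+)"
)


def parse_failed_auth(line):
    """Return (timestamp, device, host) for a matching line, else None."""
    m = FAILED_AUTH.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("device"), m.group("host")


def count_failures(log_text):
    """Tally matching failures per source host (findtime window omitted here)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_failed_auth(line)
        if parsed:
            counts[parsed[2]] += 1
    return counts


def hosts_to_ban(counts, maxretry=3):
    """Hosts whose failure count reaches the jail's maxretry threshold."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    tally = count_failures(SAMPLE_LOG)
    for host in hosts_to_ban(tally):
        print(f"would ban {host} ({tally[host]} failures)")
```

A filter that matches none of the sample lines is the symptom the post describes, so running the real log through a check like this before restarting fail2ban is the quickest way to confirm the new entry works.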

You can always open a ticket at issues.freepbx.org if you want the development team to take a look.

Perhaps the dev team could look at fail2ban as currently distributed (8.2.11), it already includes that regex :wink:

Guys

The latest sysadmin RPM and module take into account the new security settings for Asterisk 11 and auto-detect the Asterisk version and what filter to use when you do an amportal restart. So make sure you are running the latest version of the Distro and then do an amportal restart, and it will set up fail2ban based on the currently running version of Asterisk.