Fail2ban source for updated scripts?

Continuing the discussion from How to stop SipVicous against Spoofing Server IP:

Is there a good resource where one can continually get updated Fail2ban scripts designed for Asterisk?

Your best bet may be:
http://www.fail2ban.org/wiki/index.php/Asterisk

Note that only covers Asterisk; you may also want:
http://www.fail2ban.org/wiki/index.php/Apache

Always useful to know what your tools are doing and to know how they are doing it. You may want to read up on creating your own regexes.

Yeah, these I am familiar with, and thank you; I wasn’t sure if these are kept updated. There are always new ways these hackers are coming in. Lately they are spoofing their registrations from the server IP, and for some reason the anonymous SIP setting is being tricked by this.

Perhaps surprisingly, you should have your firewall block SIP connections apparently originating from your external IP. Think about it :wink:

It does. In the packet as you know you have the source address, this is the actual address it’s coming from and it’s what firewalls look for for blocking. Iptables I believe also works the same way.

So here we do put a block on anything matching our own IP.

The problem is that the hacker puts in the header and states it’s our IP.

Think of it like spoofing an email. With your own smtp you can send an email from any email address, however if someone were to open the details the source would be revealed.

So here firewalls which inspect packets and decide to accept or reject look at source and so it’s never actually seeing our source address.

So the issue here is with anonymous SIP setting, it apparently is sufficient looking at the header alone and not the source address.

So that’s why I was thinking perhaps fail2ban or someone knowing something that filters the header would do the trick.

Keep in mind our server needs to allow registrations from all over since our users are often traveling, internationally as well. We of course block a ton of countries and regions we don’t trust. I hope this clears things up. I can try and grab a pic from Wireshark to show you guys.

You can add a regex to fail2ban to specifically ban sip requests that are from your own IP, copy the line

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

and paste it replacing the remote address <HOST> with your own external IP address, something like xxx\.xxx\.xxx\.xxx, but that can often be in conflict with your ignoreip if you use a range of your public IPs. In general it is safe to NOT ignore your public IP for the same reason as the firewall rule.
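As an added illustration (not from the thread, and not fail2ban's own code), the filter line quoted above run in Python over constructed Asterisk security-log lines, with the fail2ban substitutions %(__prefix_line)s and %(log_prefix)s replaced by assumed simplified patterns. It shows what fail2ban actually bans with this regex: the host captured from RemoteAddress, which is the packet's real source, not anything an attacker writes into a header.

```python
import re
from collections import Counter

# Assumed stand-ins for the fail2ban substitutions in the quoted filter line; the real
# %(__prefix_line)s and %(log_prefix)s live in fail2ban's common.conf / filter.d/asterisk.conf.
PREFIX_LINE = r"\[[^\]]*\]\s+"                                    # "[2016-01-05 10:00:01] "
LOG_PREFIX = r"(?:NOTICE|SECURITY|WARNING)\[\d+\]:?\s*[^:]+:\d*"  # "SECURITY[1234] res_security_log.c:"
HOST = r"(?P<host>[\da-fA-F:.]+)"                                 # what fail2ban puts in for <HOST>

# The failregex from the thread with those substitutions expanded. The only capture that
# matters for banning is <HOST>, taken from RemoteAddress: the packet's real source.
FAILREGEX = re.compile(
    r"^(" + PREFIX_LINE + r"|\[\]\s*)" + LOG_PREFIX
    + r' SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
    + r',EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*"'
    + r',SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+"'
    + r',RemoteAddress="IPV[46]/(UD|TC)P/' + HOST + r'/\d+"'
    + r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
)

def evt(kind, remote, account="100", tail=""):
    """One constructed Asterisk 11-style security log line; the PBX itself is 203.0.113.10."""
    return (f'[2016-01-05 10:00:01] SECURITY[1234] res_security_log.c: SecurityEvent="{kind}",'
            f'EventTV="1452000001-123456",Severity="Error",Service="SIP",EventVersion="2",'
            f'AccountID="{account}",SessionID="0x7f0a1c0e8b28",'
            f'LocalAddress="IPV4/UDP/203.0.113.10/5060",RemoteAddress="IPV4/UDP/{remote}/5062"{tail}')

# Constructed sample log (RFC 5737 addresses): 198.51.100.77 fails a password twice,
# 192.0.2.5 trips an ACL once, and one successful auth must not match the filter at all.
SAMPLE_LOG = [
    evt("InvalidPassword", "198.51.100.77", tail=',Challenge="1a2b3c4d",ReceivedChallenge="1a2b3c4d",ReceivedHash="0123456789abcdef"'),
    evt("InvalidPassword", "198.51.100.77", tail=',ReceivedHash="0123456789abcdef"'),
    evt("FailedACL", "192.0.2.5", account="", tail=',ACLName="peer_acl"'),
    evt("SuccessfulAuth", "203.0.113.44"),  # not in the SecurityEvent alternation
]

def matching_hosts(lines):
    """RemoteAddress host captured from every line the filter matches, in order."""
    return [m.group("host") for m in map(FAILREGEX.match, lines) if m]

def hosts_to_ban(lines, maxretry=2):
    """Hosts with at least maxretry matches: what fail2ban would ban (findtime ignored here)."""
    counts = Counter(matching_hosts(lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print(matching_hosts(SAMPLE_LOG))  # ['198.51.100.77', '198.51.100.77', '192.0.2.5']
    print(hosts_to_ban(SAMPLE_LOG))    # ['198.51.100.77']
```

The same check can be done against a real log with fail2ban's own `fail2ban-regex` tool, which is the quickest way to see which lines a filter matches before enabling it in a jail.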

So then you’re saying not to use this, is that right? The other thing is, what is it banning then at this point? I am guessing this is looking at the header and then bans the source IP?

I looked at an example, basically the source address they cannot fake, and this is what firewall will look for and filter upon. The problem is that they are then spoofing our public IP and placing it in the “FROM” address.

It would be nice if Block Anonymous SIP would not be so easily fooled by looking at FROM rather than the SOURCE address. But given this isn’t helping, the question here is that Fail2Ban I believe looks at the source IP, so is there any sort of script which basically says that it will ban the source IP if the FROM field in the header is our public IP?

In other words, I am not saying block my public IP, but instead block the source address which is spoofing my public IP in the “FROM” header field.

It’s not fail2ban that fails; it’s that the regexes are not inclusive. fail2ban looks at the regexes you have defined, and the regexes parse the lines, hence you will need to provide log lines of what you want to ban.