FreePBX 14 Asterisk 13 Fail2ban issue


(Justin Rosetto) #1

Clean install of the recommended FreePBX 14 with Asterisk 13 from the freepbx download. Fail2ban seems to work fine for SSH but anything related to SIP doesn’t get caught. I played around with the regex a little and got it to ban for Rejecting unknown SIP connection from .

/etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not su$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> tried to authenticate with nonexistent user.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> failed to authenticate as.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '[^']*' failed for '<HOST>:\d+' .+ No matching endpoint found$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\$
# These WARNINGS do not have a file attribute, as they're generated dynamicly
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
            Ext\. s: "Rejecting unknown SIP connection from <HOST>:(.+)"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# Update: 2016-05-10 by xrobau@gmail.com
# - Detect PJSIP Scans
# - Detect AMI events that may be missed by having SecuritEvents disabled
# - Support WSS
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

/etc/fail2ban/jail.local

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban

Everything is logging to /var/log/asterisk/fail2ban but the regex is not picking it up.

Does anyone have a regex file that works with FreePBX 14 and Asterisk 13?

Is there something I am missing here?

One example of it not blocking is this

DP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[17436] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.938-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="4205803017",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[11664] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.956-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="1454978471",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[17436] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.967-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="1359014312",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[11664] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.977-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="3550642603",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"

(Dave Burgess) #2

It looks like you have anonymous access turned on. That won’t help.


(Justin Rosetto) #3

Should I also disable ‘Allow SIP Guests’?

Is there somewhere else I should be disabling it?


(Dave Burgess) #4

Yes, you should.


(Justin Rosetto) #5

That seems to have taken care of the log. Any ideas as to why the regex wasn’t picking up the entry in the log when it was present?


#6

fail2ban-regex --help


(Justin Rosetto) #7

Ya, I’m aware of that. I’m not the best with writing regex so I was hoping somebody had a working file for Asterisk 13. I tried a few online with no success.


#8

The asterisk jail that comes with Fail2ban .10 works fine for me.


(Justin Rosetto) #9

I am currently on Fail2Ban v0.8.14 that comes with the install and having no luck. Can you give me the full version you are running?


#10

as I said , .10 :wink: You can get it yourself from

https://www.fail2ban.org/


(Justin Rosetto) #11

I see it now. 0.10. Thanks for the help. I’ll give it a shot.