FreePBX, fail2ban / iptables do not ban IP for wrong password

Hi all.

I’m running Asterisk 11.18.0 on RasPBX.
I’m up-to-date for all modules…

uname -a

Linux raspbx 3.18.6+ #753 PREEMPT Sun Feb 8 14:47:22 GMT 2015 armv6l GNU/Linux

asterisk -V

Asterisk 11.18.0

python -V

Python 2.7.9

Fail2Ban v0.8.13

amportal a ma list

no repos specified, using: [commercial,unsupported,extended,standard] from last GUI settings

Module              Version           Status
------------------- ----------------- -------------------
announcement        2.11.0.4          Enabled
asteriskinfo        12.0.2            Enabled
backup              12.0.19           Enabled
builtin                               Enabled
callrecording       12.0.4            Enabled
cdr                 12.0.23           Enabled
conferences         12.0.19           Enabled
core                12.0.39           Enabled
customappsreg       12.0.3.2          Enabled
dashboard           12.0.32           Enabled
dictate             2.11.0.3          Enabled
featurecodeadmin    12.0.2            Enabled
framework           12.0.76.2         Enabled
fw_ari              12.0.8            Enabled
iaxsettings         2.11.0.3          Enabled
infoservices        12.0.3.2          Enabled
ivr                 2.11.0.11         Enabled
logfiles            12.0.6            Enabled
motif               12.0.4            Enabled
music               12.0.1            Enabled
queues              12.0.20           Enabled
recordings          12.0.8            Enabled
ringgroups          12.0.3.2          Enabled
sipsettings         12.0.16           Enabled
timeconditions      12.0.8            Enabled
voicemail           12.0.43           Enabled

apt-get upgrade --> Nothing to upgrade

My PBX is on my local network, and needs to connect to local or remote devices.

The public UDP port 5060 is redirected to the PBX’s local IP address.

I have disabled GUEST connections…

I can connect to SIP phones and establish calls.

Fail2ban is correctly banning IPs for SSH attempts, but not for bad registrations in my Asterisk…

In /var/log/asterisk/security_log, I get many connections with a wrong password, like these:

[2015-10-20 18:09:01] NOTICE[1458] chan_sip.c: Registration from '"107" <sip:[email protected]:5060>' failed for '88.150.240.13:5102' - Wrong password
[2015-10-20 18:09:01] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357341-60451",Severity="Error",Service="SIP",EventVersion="2",AccountID="107",SessionID="0xb64b77ec",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5102",Challenge="31d9463f",ReceivedChallenge="31d9463f",ReceivedHash="42eb3a317fa51c45d6429ee3b251e04d"
[2015-10-20 18:09:03] SECURITY[1416] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1445357343-404085",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x211ab74",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/52063",UsingPassword="0",SessionTV="1445357343-404046"
[2015-10-20 18:09:03] NOTICE[4783] pbx_spool.c: Call completed to Local/s@tc-maint
[2015-10-20 18:09:03] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357343-974428",Severity="Informational",Service="SIP",EventVersion="1",AccountID="210",SessionID="0xb6401054",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5061",Challenge="62e848d3"
[2015-10-20 18:09:04] NOTICE[1458] chan_sip.c: Registration from '"210" <sip:[email protected]:5060>' failed for '88.150.240.13:5061' - Wrong password
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357344-68129",Severity="Error",Service="SIP",EventVersion="2",AccountID="210",SessionID="0xb6401054",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5061",Challenge="62e848d3",ReceivedChallenge="62e848d3",ReceivedHash="fd6975e7a467fbf53ef469a99aea267c"
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357344-455486",Severity="Informational",Service="SIP",EventVersion="1",AccountID="709",SessionID="0xb64656f4",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5085",Challenge="16b78cee"
[2015-10-20 18:09:04] NOTICE[1458] chan_sip.c: Registration from '"709" <sip:[email protected]:5060>' failed for '88.150.240.13:5085' - Wrong password
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357344-545712",Severity="Error",Service="SIP",EventVersion="2",AccountID="709",SessionID="0xb64656f4",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5085",Challenge="16b78cee",ReceivedChallenge="16b78cee",ReceivedHash="70838f2b2a366bdc7e626c754a992af5"
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357344-671314",Severity="Informational",Service="SIP",EventVersion="1",AccountID="309",SessionID="0xb649d6ac",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5105",Challenge="40e365d4"
[2015-10-20 18:09:04] NOTICE[1458] chan_sip.c: Registration from '"309" <sip:[email protected]:5060>' failed for '88.150.240.13:5105' - Wrong password
[2015-10-20 18:09:04] SECURITY[1416] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1445357344-766110",Severity="Error",Service="SIP",EventVersion="2",AccountID="309",SessionID="0xb649d6ac",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5105",Challenge="40e365d4",ReceivedChallenge="40e365d4",ReceivedHash="60761ff752fe68547e9db4237cfb5465"
[2015-10-20 18:09:06] SECURITY[1416] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1445357346-687938",Severity="Informational",Service="SIP",EventVersion="1",AccountID="109",SessionID="0xb64c8534",LocalAddress="IPV4/UDP/82.232.137.26/5060",RemoteAddress="IPV4/UDP/88.150.240.13/5093",Challenge="49f47490"

My fail2ban settings are:

/etc/fail2ban/jail.local

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=sip, protocol=all]
#          sendmail[name=Asterisk, dest=root, sender=root]
logpath  = /var/log/asterisk/security_log
maxretry = 3
findtime = 1800
bantime  = 1800

/etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* <HOST> failed to authenticate as '.*'$
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
        NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
        NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
        NOTICE.* .*: <HOST> failed to authenticate as '.*'
        NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
        SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"
        SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
        SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

fail2ban-client status

Status
|- Number of jail:      4
`- Jail list:           asterisk-tcp, asterisk-iptables, ssh, asterisk-udp

fail2ban-regex /var/log/asterisk/security_log /etc/fail2ban/filter.d/asterisk.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/asterisk.conf
Use         log file : /var/log/asterisk/security_log


Results
=======

Failregex: 4562 total
|-  #) [# of hits] regular expression
|   1) [1521] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
|   9) [1521] NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
|  18) [1520] SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5426] Year-Month-Day Hour:Minute:Second
`-

Lines: 5519 lines, 0 ignored, 3041 matched, 2478 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 2478 lines

I’m disappointed… I need help because I do not understand why fail2ban does not ban the IP for wrong-password intrusions.

I have read so many documents and done so many tests…

Thanks,
Laurent.