Getting Fail2ban to work off the FreePBX Distro (My Journey)

Distro Discussion & Help
#1

I noticed invalid sip passwords were not leading to the ip address being banned. For testing, I set one of my internal phones to the wrong password. It seemed to generate an incorrect address about once a minute.

The first thing to see is if asterisk is even logging the incorrect login attempt. It is supposed to log them to /var/log/asterisk/fail2ban. I looked there and indeed saw all the invalid attempts. Here’s one of them:

[2015-06-08 10:39:36] SECURITY[3024] res_security_log.c: SecurityEvent=“InvalidPassword”,EventTV=“1433785176-211286”,Severity=“Error”,Service=“SIP”,EventVersion=“2”,AccountID=“508”,SessionID=“0x7f44b001def8”,LocalAddress=“IPV4/UDP/192.168.1.14/5060”,RemoteAddress=“IPV4/UDP/192.168.1.16/5060”,Challenge=“5c8560ff”,ReceivedChallenge=“5c8560ff”,ReceivedHash=“f50a727f0dc3f032d18a50678239a714”

Ok. So the next thing was to see if fail2ban could find it. I ran the following command and saw all the offenders.

fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk.conf

192.168.1.16 (Mon Jun 08 10:23:20 2015)
192.168.1.16 (Mon Jun 08 10:23:35 2015)
192.168.1.16 (Mon Jun 08 10:24:40 2015)
192.168.1.16 (Mon Jun 08 10:24:55 2015)
192.168.1.16 (Mon Jun 08 10:26:00 2015)
192.168.1.16 (Mon Jun 08 10:26:15 2015)
192.168.1.16 (Mon Jun 08 10:27:20 2015)
192.168.1.16 (Mon Jun 08 10:27:35 2015)
192.168.1.16 (Mon Jun 08 10:28:40 2015)
192.168.1.16 (Mon Jun 08 10:28:55 2015)
192.168.1.16 (Mon Jun 08 10:30:00 2015)
192.168.1.16 (Mon Jun 08 10:30:15 2015)
192.168.1.16 (Mon Jun 08 10:31:20 2015)
192.168.1.16 (Mon Jun 08 10:31:35 2015)
192.168.1.16 (Mon Jun 08 10:32:40 2015)
192.168.1.16 (Mon Jun 08 10:32:55 2015)
192.168.1.16 (Mon Jun 08 10:34:00 2015)
192.168.1.16 (Mon Jun 08 10:34:15 2015)
192.168.1.16 (Mon Jun 08 10:35:20 2015)

Next, I changed /etc/fail2ban/jail.local so that the backend = polling instead of auto

Finally, jail.local is made automatically to use the asterisk-security.conf filter while the more current looking asterisk.conf filter does not get used. Instead of modifiying the jail.local file to point at asterisk instead of asterisk-security, I went into the /etc/fail2ban/filter.d/ folder and switched asterisk-security.conf and asterisk.conf so that the more current regex rules are used.

When I looked at my iptables rules (iptables -L), I then saw the offender in the fail2ban-SIP jail.

#2

The current regex straight from Fail2ban’s horses mouth:-

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@][email protected]<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@][email protected]<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =

the fail2ban git repo includes those to add PJSIP if you are “unstable” :wink:

#3

Thank you for that. I’m going to look into that further. I’m checking out fail2ban’s page and it recommends the following needs to be logged:

messages => security, notice,warning,error

When I go into Settings->Log File Settings, I see notice, warning and error is on but security is off for “full”. Should I turn security on? Also, I don’t see where freepbx is configured to make a /var/log/asterisk/fail2ban log file just for fail2ban to scan.

#4

Sorry, you are in General Help, you need to be in Distro, they have there own ideas as to what IntrusionDetection/Fail2ban should be, you can choose either recipe. /full is a very noisy log file so ideally fail2ban should ideally monitor (notify,security,warning) the rest is spurious but as I say I don’t use the “distro” so I get to use the latest version of fail2ban (0.9) and python (2.7) so also pyinotify, (I notice an an amazing difference in response time :slight_smile: )

#5

Ah. Now I understand those tags. Thanks for the explanation.