Hacking Important, but fail2ban doesn't act; Failed to authenticate device

Hi Freepbx,

In the last 2 months we have had very many hacking attempts, but fail2ban does not block the IP, because the IP is not visible in the Asterisk logs.
This can be a very serious security problem.

Log file shows:
[2013-09-15 22:00:31] NOTICE[4987][C-00000001] chan_sip.c: Failed to authenticate device 10551sip:[email protected];tag=e006e45f

As you can see, there is no "to" IP address after the "tag=",
so fail2ban cannot block it.

I found articles with solutions for this:
http://forums.asterisk.org/viewtopic.php?f=1&t=87883
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706739

Here we can read a solution to add the "to IP" to this log message, so fail2ban can react to it. But it has to be changed in the file 'chan_sip.c' and we have to recompile Asterisk.

I am sure that a whole lot of users have many hacking attempts with this problem, and they will not be blocked.

Of course, I also set for security:
Allow Anonymous Inbound SIP Calls = no
Allow guest SIP = no

Maybe it is very useful to apply this modification.
I would like to know what you think about this, or am I overlooking something here?

Any comments are very welcome.

A comment from a link above:
Details: When using alwaysauthreject=yes in sip.conf, the source IP of the attacker is not logged when rejecting INVITEs from unregistered devices trying to authenticate at call start (only the Asterisk server IP itself is logged).

Solution: As Digium will not solve this issue, even though this problem concerns a lot of users, I created a small patch solving it, allowing fail2ban to correctly handle such brute force attacks.
(see the links in my previous message)

[2013-09-15 22:00:31] NOTICE[4987][C-00000001] chan_sip.c: Failed to authenticate device 10551;tag=e006e45f
has to be
[2013-09-15 22:00:31] NOTICE[4987][C-00000001] chan_sip.c: Failed to authenticate device 10551;tag=e006e45f to ‘94.23.59.135’

I think it is not wise to set 'alwaysauthreject=no', but I can try to see if the IP address is visible then.

Newer versions of Asterisk have significant improvements in logging IP addresses through the "secure" logs.

There is an excellent recipe at

http://sourceforge.net/p/raspbx/discussion/tutorials/thread/6288a838/

that covers the bases.

Thanks, I will look into the link you provided.
Maybe also a solution:
http://www.coochey.net/?p=61
Also, especially for Asterisk 11.0.4.

fail2ban with pertinent logs to examine and effective regexes works fine; do not ignore the mail, ssh and apache jails, they are just as effective and with other normal measures will help. Never, however, assume they are rock solid, and test often...

I could be more specific: I use fail2ban behind csf using the csfpre.sh and csfpost.sh scripts. Here we have an 'almost' end-user-friendly GUI firewall (with webmin), plus all the benefits of fail2ban. It takes about half an hour to install and get running; turn off webmin when you are done :wink:

Dicko, that is very interesting! I will look into CSF. A firewall with a friendly GUI is nice. I looked into CSF before but stopped with it because fail2ban was secure enough (I thought).

In addition to being a firewall, CSF is also quite effective as an IDS. As "belt and braces", setting up rootkit hunter adds another zero-impact layer of security to your systems.

That is very nice, but is it overkill to install CSF on every hosted PBX?

Actually not so; they can collaborate with the inbuilt clustering to preemptively share detected "knuckle draggers", again reducing exposure and risk.

Also, I think that FreePBX needs an extra option when using Asterisk 11.
There seems to be a new setting 'security' that needs to be added for fail2ban to work correctly with Asterisk 11.

In the file /etc/asterisk/logger_logfiles_custom.conf the following needs to be added:
fail2ban2 => security,notice,warning,error

Then fail2ban acts on/bans these attackers' IP addresses as described in:
http://www.coochey.net/?p=61

I will now test whether this is necessary on Asterisk 1.8.
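To make the thread's point concrete, here is an added example (not code from the thread or from the fail2ban/FreePBX projects) that runs fail2ban-style failregexes over constructed log lines: the unpatched chan_sip NOTICE line yields no host and cannot be banned, the patched "to '<IP>'" variant and an Asterisk 11 security-log line do, and a maxretry threshold decides who gets banned. The NOTICE lines mirror the before/after lines quoted earlier; the SECURITY line format, the IPs and the event names are assumptions.

```python
import re
from collections import Counter

# Constructed sample log. Lines 1-4 mirror the unpatched and patched
# chan_sip NOTICE lines quoted in the thread; line 5 is an ASSUMED Asterisk 11
# "security" log line (its exact format is not shown in the thread).
SAMPLE_LOG = """\
[2013-09-15 22:00:31] NOTICE[4987][C-00000001] chan_sip.c: Failed to authenticate device 10551;tag=e006e45f
[2013-09-15 22:00:32] NOTICE[4987][C-00000002] chan_sip.c: Failed to authenticate device 10551;tag=e006e45f to '198.51.100.7'
[2013-09-15 22:00:33] NOTICE[4987][C-00000003] chan_sip.c: Failed to authenticate device 10551;tag=e006e45f to '198.51.100.7'
[2013-09-15 22:00:34] NOTICE[4987][C-00000004] chan_sip.c: Failed to authenticate device 10551;tag=e006e45f to '198.51.100.7'
[2013-09-15 22:00:35] SECURITY[4990] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
"""

# fail2ban-style failregexes. A fail2ban filter file writes the address
# capture as <HOST>; here it is spelled out as the named group it expands to.
FAILREGEX = [
    # Patched chan_sip line: the source IP follows "to '...'" at the end.
    re.compile(r"NOTICE\[\d+\].* chan_sip\.c: Failed to authenticate device .* to '(?P<HOST>\d{1,3}(?:\.\d{1,3}){3})'$"),
    # Assumed Asterisk 11 security-event line: RemoteAddress carries the peer.
    re.compile(r'SECURITY\[\d+\].* SecurityEvent="(?:InvalidPassword|InvalidAccountID|ChallengeResponseFailed)".*RemoteAddress="IPV4/\w+/(?P<HOST>\d{1,3}(?:\.\d{1,3}){3})/\d+"'),
]

def scan(log_text):
    """Return (failure count per host, lines no failregex could attribute)."""
    hits, unmatched = Counter(), []
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                hits[m.group("HOST")] += 1
                break
        else:
            unmatched.append(line)  # no host: fail2ban has nothing to ban
    return hits, unmatched

def hosts_to_ban(log_text, maxretry=3):
    """Hosts reaching fail2ban's maxretry threshold within the sample."""
    hits, _ = scan(log_text)
    return {host for host, n in hits.items() if n >= maxretry}

if __name__ == "__main__":
    hits, unmatched = scan(SAMPLE_LOG)
    print("failures per host:", dict(hits))
    print("lines fail2ban cannot attribute:", len(unmatched))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```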

Yet, depending on the "hoster", and as iptables needs direct kernel access to the IP stack, many cloud-based instances of anything will be hobnailed.

Sorry, I don’t use any commercial modules, so my recipes will need modification to work with them.

I see now that this is a registered FreePBX ticket:
http://issues.freepbx.org/browse/FPBXDISTRO-10
So I think FreePBX knows about this already.

I agree with Dicko on CSF; I have been running it for a number of years on all my systems and never had issues.

There is a "similar to fail2ban" way to examine up to ten "log files" within CSF/LFD and act on any regex extractions from those logs, but duplicating fail2ban would IMHO be reinventing a wheel that is already round; maybe one day for me there... :slight_smile:

(I have often thought of a community-based blacklist of Palestinian, Chinese student, etc. script-kiddie IP addresses/networks that could be submitted to and "included" in iptables implementations; maybe one of the FreePBX distros would manage that one day as a value-added service...)

Hi Dicko, this is a super idea.
We all worldwide have problems from the same Palestinian, Russian, Chinese, etc. IP addresses, so combining them in a public blacklist would be super!!!

I can make some space on the web for such a list, so anyone can retrieve it, and anyone can also send updates (of course after checking them).
Best idea of 2013!!
What will FreePBX think of such a list?

Hi Guys,

You can use my script for iptables that works with the fail2ban IDS. It contains a large list of known attackers.
Please do not forget to add execution permission to the file.

You can even add it to the end of the /etc/rc.local file so that the script runs if the server restarts for any reason.

It works perfectly within the CentOS environment, including the FreePBX Distro itself.

Here is the script (attached is the file firewall.sh):

#!/bin/bash
#File location /etc/firewall.sh

iptables -F
iptables -X

#The flush above also removes fail2ban's chains; if fail2ban is running, keep the line beneath so it reloads and recreates them. Comment it out if fail2ban is not installed.
fail2ban-client reload

#BLOCKED KNOWN ATTACKERS
iptables -A INPUT -p all -s 112.220.100.226/32 -j DROP
iptables -A INPUT -p all -s 213.229.107.27/32 -j DROP
iptables -A INPUT -p all -s 180.211.97.82/32 -j DROP
iptables -A INPUT -p all -s 110.164.192.26/32 -j DROP
iptables -A INPUT -p all -s 180.151.96.176/32 -j DROP
iptables -A INPUT -p all -s 2.97.121.235/32 -j DROP
iptables -A INPUT -p all -s 222.186.29.69/32 -j DROP
iptables -A INPUT -p all -s 108.59.5.146/32 -j DROP
iptables -A INPUT -p all -s 46.165.196.148/32 -j DROP
iptables -A INPUT -p all -s 46.105.119.150/32 -j DROP
iptables -A INPUT -p all -s 112.220.65.195/32 -j DROP
iptables -A INPUT -p all -s 61.132.255.107/32 -j DROP
iptables -A INPUT -p all -s 94.75.215.26/32 -j DROP
iptables -A INPUT -p all -s 70.86.175.178/32 -j DROP
iptables -A INPUT -p all -s 209.243.14.56/32 -j DROP
iptables -A INPUT -p all -s 85.25.145.176/32 -j DROP
iptables -A INPUT -p all -s 58.62.173.159/32 -j DROP
iptables -A INPUT -p all -s 1.0.0.0/32 -j DROP
iptables -A INPUT -p all -s 96.44.189.178/32 -j DROP
iptables -A INPUT -p all -s 69.61.235.174/32 -j DROP
iptables -A INPUT -p all -s 125.32.98.130/32 -j DROP
iptables -A INPUT -p all -s 173.224.214.18/32 -j DROP
iptables -A INPUT -p all -s 124.160.227.3/32 -j DROP
iptables -A INPUT -p all -s 50.30.33.90/32 -j DROP
iptables -A INPUT -p all -s 174.137.170.180/32 -j DROP
iptables -A INPUT -p all -s 182.72.155.110/32 -j DROP
iptables -A INPUT -p all -s 110.155.72.182/32 -j DROP
iptables -A INPUT -p all -s 188.75.195.213/32 -j DROP
iptables -A INPUT -p all -s 30.121.8.96/32 -j DROP
iptables -A INPUT -p all -s 64.15.138.23/32 -j DROP
iptables -A INPUT -p all -s 201.65.24.234/32 -j DROP
iptables -A INPUT -p all -s 141.80.164.34/32 -j DROP
iptables -A INPUT -p all -s 60.211.179.37/32 -j DROP
iptables -A INPUT -p all -s 85.25.201.69/32 -j DROP
iptables -A INPUT -p all -s 109.230.220.168/32 -j DROP
iptables -A INPUT -p all -s 176.31.123.59/32 -j DROP
iptables -A INPUT -p all -s 37.75.215.127/32 -j DROP
iptables -A INPUT -p all -s 8.33.7.55/32 -j DROP
iptables -A INPUT -p all -s 94.23.36.186/32 -j DROP
iptables -A INPUT -p all -s 37.59.50.57/32 -j DROP
iptables -A INPUT -p all -s 192.157.207.10/32 -j DROP
iptables -A INPUT -p all -s 138.91.174.13/32 -j DROP
iptables -A INPUT -p all -s 137.135.243.142/32 -j DROP
iptables -A INPUT -p all -s 82.205.0.74/32 -j DROP
iptables -A INPUT -p all -s 87.98.164.207/32 -j DROP
iptables -A INPUT -p all -s 82.205.29.124/32 -j DROP
iptables -A INPUT -p all -s 81.218.117.29/32 -j DROP
iptables -A INPUT -p all -s 37.8.54.54/32 -j DROP
iptables -A INPUT -p all -s 192.157.201.76/32 -j DROP
iptables -A INPUT -p all -s 192.237.148.128/32 -j DROP
iptables -A INPUT -p all -s 108.59.12.8/32 -j DROP
iptables -A INPUT -p all -s 91.121.136.136/32 -j DROP
iptables -A INPUT -p all -s 37.8.34.119/32 -j DROP
iptables -A INPUT -p all -s 82.205.1.149/32 -j DROP
iptables -A INPUT -p all -s 37.8.23.101/32 -j DROP
iptables -A INPUT -p all -s 37.8.41.104/32 -j DROP
iptables -A INPUT -p all -s 37.8.14.32/32 -j DROP
iptables -A INPUT -p all -s 188.138.41.34/32 -j DROP
iptables -A INPUT -p all -s 188.138.33.215/32 -j DROP
iptables -A INPUT -p all -s 162.13.47.73/32 -j DROP
iptables -A INPUT -p all -s 82.205.23.184/32 -j DROP
iptables -A INPUT -p all -s 188.138.90.172/32 -j DROP
iptables -A INPUT -p all -s 192.187.97.58/32 -j DROP
iptables -A INPUT -p all -s 192.187.97.50/32 -j DROP
iptables -A INPUT -p all -s 164.177.188.117/32 -j DROP
iptables -A INPUT -p all -s 37.8.35.74/32 -j DROP
iptables -A INPUT -p all -s 37.8.30.6/32 -j DROP
iptables -A INPUT -p all -s 82.205.9.34/32 -j DROP
iptables -A INPUT -p all -s 69.197.151.178/32 -j DROP
iptables -A INPUT -p all -s 37.8.16.209/32 -j DROP
iptables -A INPUT -p all -s 37.8.61.151/32 -j DROP
iptables -A INPUT -p all -s 37.8.36.139/32 -j DROP
iptables -A INPUT -p all -s 204.12.243.82/32 -j DROP
iptables -A INPUT -p all -s 87.98.245.174/32 -j DROP
iptables -A INPUT -p all -s 37.187.9.82/32 -j DROP
iptables -A INPUT -p all -s 192.187.99.202/32 -j DROP
iptables -A INPUT -p all -s 82.205.20.104/32 -j DROP
iptables -A INPUT -p all -s 37.8.59.82/32 -j DROP
iptables -A INPUT -p all -s 37.8.89.197/32 -j DROP
iptables -A INPUT -p all -s 37.8.33.122/32 -j DROP
iptables -A INPUT -p all -s 82.205.27.234/32 -j DROP
iptables -A INPUT -p all -s 37.8.51.27/32 -j DROP
iptables -A INPUT -p all -s 37.8.57.122/32 -j DROP
iptables -A INPUT -p all -s 37.8.16.36/32 -j DROP
iptables -A INPUT -p all -s 80.86.88.130/32 -j DROP
iptables -A INPUT -p all -s 85.25.154.103/32 -j DROP
iptables -A INPUT -p all -s 37.8.5.68/32 -j DROP
iptables -A INPUT -p all -s 204.12.242.186/32 -j DROP
iptables -A INPUT -p all -s 198.27.68.179/32 -j DROP
iptables -A INPUT -p all -s 144.76.156.235/32 -j DROP

#ALLOWED PORTS
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4520 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p all -s localhost -i eth0 -j DROP
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

#SAVE IPTABLES RULES
iptables-save > /etc/sysconfig/iptables

#End message
echo " [End iptables rules setting]"

Thank you,

Hi,
Could you test the solution proposed in http://issues.freepbx.org/browse/FPBXDISTRO-10 ?
We need some feedbacks before the new fail2ban settings could be implemented as a standard in FreePBXDistro.
Thank you,
Leonid