Intrusion detection not working?

So I installed / enabled intrusion detection, but it doesn’t appear to be working?

Ban Time: 86400
Max Retry: 2
Find Time: 6000

However:

[2014-06-17 20:57:35] NOTICE[1614] chan_sip.c: Registration from ‘“358” sip:[email protected]:5060’ failed for ‘198.15.108.242:5091’ - Wrong password
[2014-06-17 21:06:02] NOTICE[1614] chan_sip.c: Registration from ‘“359” sip:[email protected]:5060’ failed for ‘198.15.108.242:5089’ - Wrong password
[2014-06-17 21:14:38] NOTICE[1614] chan_sip.c: Registration from ‘“360” sip:[email protected]:5060’ failed for ‘198.15.108.242:5063’ - Wrong password
[2014-06-17 21:23:02] NOTICE[1614] chan_sip.c: Registration from ‘“361” sip:[email protected]:5060’ failed for ‘198.15.108.242:5072’ - Wrong password

They aren’t being banned.

Any suggestions on what to look for / check?

Thanks.

What does your whitelist look like?

Munging the last two octets…

127.0.0.1
67.170.x.x
50.184.x.x/15

Do you have entries like this in /etc/fail2ban/jail.conf?

> [asterisk-iptables]
> enabled = true
> filter = asterisk
> action = iptables-allports[name=ASTERISK, protocol=all]
> sendmail-whois[name=ASTERISK, [email protected], [email protected]]
> logpath = /var/log/asterisk/messages
> maxretry = 5
> bantime = 300
> ignoreip = 10.169.20.37

And like this in /etc/fail2ban/filter.d/asterisk.conf?

> failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$
>             NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$
>             NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch$
>             NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL$
>             NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Peer is not supposed to register$
>             NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
>             NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Not a local domain$
>             NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
>             NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$
>             NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$
>             NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
>             NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@<HOST>\S*$
>             SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/

In the OS CLI, run the command

> service fail2ban status

Is output like this?

> Fail2ban (pid 1774) is running...
> Status
> |- Number of jail:      3
> `- Jail list:           mysqld-iptables, asterisk-iptables, ssh-iptables

Thanks for the reply… I assume I need to do service fail2ban status as sudo? Without it I get a different result…

Here’s the copy / paste for what I have:

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=me@mydomain, sender=fail2ban@pbx]
logpath = /var/log/asterisk/messages
maxretry = 40
bantime = 86400

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

[me@server ~]$ service fail2ban status
Fail2ban (pid 19487) is running…
ERROR Unable to contact server. Is it running?
[me@server ~]$ sudo service fail2ban status
[sudo] password for me:
Fail2ban (pid 19487) is running…
Status
|- Number of jail: 5
`- Jail list: apache-badbots, apache-tcpwrapper, ssh-iptables, asterisk-iptables, vsftpd-iptables

Perhaps it looks like I’m missing some lines from /etc/fail2ban/filter.d/asterisk.conf ?

Actually…

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password

should match
[2014-06-18 17:08:21] NOTICE[1614] chan_sip.c: Registration from ‘“494” sip:[email protected]:5060’ failed for ‘198.15.70.2:5075’ - Wrong password

right? Or is looking for LITERALLY and not ?
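The question of whether a failregex line actually matches the log excerpt can be answered offline. The script below is an added example, not code from the thread or from fail2ban: it applies the two `Wrong password` failregex lines quoted above (the older single-quoted `'<HOST>'` form from the poster's filter and the newer `'<HOST>(:[0-9]+)?'` form from the first reply) to constructed sample lines modelled on the thread's excerpt, and counts failures per source host the way a jail with `maxretry = 2` would. The `<HOST>` expansion is the one fail2ban 0.8/0.9 substitutes; the `__pid_re` expansion is assumed to be the helper used by the asterisk filter. The sample lines use the straight quotes and `<sip:...>` brackets that chan_sip really writes (the forum rendered them as curly quotes and stripped the angle brackets), and the addresses are documentation ranges, not the ones in the thread.

```python
import re

# Substitutions fail2ban performs before compiling a failregex line.
# HOST_RE is the expansion fail2ban 0.8/0.9 uses for <HOST>; PID_RE is an
# assumed stand-in for the asterisk filter's %(__pid_re)s (Asterisk logs "[1614]").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PID_RE = r"(?:\[\d+\])?"

# The older filter line quoted by the poster: nothing between <HOST> and the closing quote.
OLD_FAILREGEX = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password"
# The newer line quoted in the reply: tolerates the ":port" suffix Asterisk 11 appends.
NEW_FAILREGEX = (r"NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for "
                 r"'<HOST>(:[0-9]+)?' - Wrong password$")

# Constructed sample log lines (documentation addresses, straight quotes as chan_sip writes them).
# The first four carry a source port, like the thread's excerpt; the last one does not.
SAMPLE_LOG = [
    "[2014-06-17 20:57:35] NOTICE[1614] chan_sip.c: Registration from '\"358\" <sip:358@203.0.113.10:5060>' failed for '198.51.100.242:5091' - Wrong password",
    "[2014-06-17 21:06:02] NOTICE[1614] chan_sip.c: Registration from '\"359\" <sip:359@203.0.113.10:5060>' failed for '198.51.100.242:5089' - Wrong password",
    "[2014-06-17 21:14:38] NOTICE[1614] chan_sip.c: Registration from '\"360\" <sip:360@203.0.113.10:5060>' failed for '198.51.100.242:5063' - Wrong password",
    "[2014-06-17 21:23:02] NOTICE[1614] chan_sip.c: Registration from '\"361\" <sip:361@203.0.113.10:5060>' failed for '198.51.100.242:5072' - Wrong password",
    "[2014-06-17 21:30:00] NOTICE[1614] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10:5060>' failed for '192.0.2.7' - Wrong password",
]


def compile_failregex(pattern):
    """Expand %(__pid_re)s and <HOST> as a fail2ban filter would, then compile the line."""
    pattern = pattern.replace("%(__pid_re)s", PID_RE).replace("<HOST>", HOST_RE)
    return re.compile(pattern)


def matched_hosts(failregex, log_lines):
    """Return the <host> captured from every log line the failregex line matches, in order."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in log_lines:
        m = rx.search(line)  # fail2ban searches the line; the timestamp prefix is irrelevant
        if m:
            hosts.append(m.group("host"))
    return hosts


def banned_hosts(failregex, log_lines, maxretry):
    """Hosts that reached maxretry matches (findtime ignored: the sample lines all fall inside one window)."""
    counts = {}
    for host in matched_hosts(failregex, log_lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, rx in (("old '<HOST>' pattern", OLD_FAILREGEX), ("new '<HOST>(:[0-9]+)?' pattern", NEW_FAILREGEX)):
        print(label, "matches:", matched_hosts(rx, SAMPLE_LOG))
        print(label, "would ban with maxretry=2:", banned_hosts(rx, SAMPLE_LOG, 2))
```

The older pattern matches only the line without a port, so the four `198.51.100.242:5xxx` failures never count and the host is never banned, whereas the newer pattern matches all five. On a real box the same check is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines each failregex line matched.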

You have a very old version of fail2ban. It would work for Asterisk 1.8, but only after 40 or so attacks, and then good old me@mydomain would get an email.

As ever, you should always start off with how you installed FreePBX, Asterisk and your OS, because fail2ban only works if you set it up properly.

Hi,

So the OS, freepbx and asterisk were installed by my VPS host company. They have a number of PBX customers, so I’m assuming they have something packaged up already. As to how I installed fail2ban… I believe I used the module package and possibly yum install fail2ban?

What’s the best way to upgrade fail2ban?

Thanks.

Ah the old ass-u-me thing :smile:

The “best way” doesn’t exist; there are many ways, but it all depends on what you have already. First off, let’s see the issue of (from your shell):

whoami
uname -a
python -V

. . .

and also:

asterisk -V
amportal a ma list

. . . .

whoami - (I do have sudo if that’s what you’re getting at).

uname -a
Linux vps.mydomain.com 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

]$ python -V
Python 2.6.6

]$ asterisk -V
Asterisk 11.10.0

$ amportal a ma list

Sorry, you must be root to run this script.

[me@vps ~]$ sudo amportal a ma list
[sudo] password for me:
sudo: amportal: command not found

that’s odd…

Well, the “best” solution will need Python 2.7 and also pyinotify (less best, gamin). Asterisk 11.10.0 needs updating for security reasons. If you want to roll your sleeves up and get dirty, do those updates and we can continue if you want. If you want to use yum, then maybe go the Schmooze way and use their repos if they work on your Red Hat based system.

Lock down SIP ports (5060 etc.) in iptables to your trunk provider. If you have remote phones, there are many ways to provide access for such endpoints: port knocking, Travelin’ Man 3. Reliance upon fail2ban should be a secondary method; otherwise you could still open yourself up to a DoS attack or a 0-day vulnerability. Hackers are worthless scum; I say don’t even let them know that your PBX is there. You don’t have to agree with me, that’s just my .02.

## DANGER THERE BE DRAGONS

I am an avid Python guy, and some of my magic simply doesn’t work on vanilla CentOS because it requires 2.6. There are instruction sets to install 2.7, but know that if you mess up you can hose your whole system, because 2.7 will break CentOS internals.

Indeed, just upgrading to Python 2.7 will break yum on RH-based OSes, a very bad thing.

You can install 2.7 “locally” and keep RH’s 4-year-old, unsupported and insecure 2.6.6; that’s why you need to roll up your sleeves ;-).

I believe pyinotify, which significantly improves over gamin, would also take a little care to properly install on RH.

So without that you will need to rely on fail2ban’s outdated and second-best choice (0.8.13); if you manage to get 2.7, then downloading

https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0

and installing it will get you 95% there. The regexes catch everything except for bad AMI attempts; you could add that, but I suggest that AMI should either only bind to 127.0.0.1 (most folks) or add allow/deny to suit your needs.

The SIPVicious attacks seem to be all caught if denying SIP guests and anonymous and requiring alwaysauthreject.

Given that, I find 0.9 MUCH more responsive to attacks on my honey traps, and it also maintains an sqlite3 database for permanence over restarts and reboots. Just enable the jails you want/need, point the asterisk jail at a logfile that has only NOTICE and SECURITY, and of course make sure that the emails are flowing.

Security is important. Relying on fail2ban is not good enough on its own, but it adds a level of IDS to many services; add a properly configured firewall before it and run fail2ban as an adjunct to your firewall.

The easiest and most consistently missed point in SIP attacks is to just not listen on TCP/UDP 5060-5080 for SIP signalling; there are some 63000 other choices. That is the easiest way to not “let them know that your PBX is there”.

Thanks all. I changed the SIP ports my extension uses (I just have one extension) to something random. So now how do I get FreePBX to stop listening on 5060 at all? I don’t believe I have another extension using it, but I’ll double check. Still getting attempts on 5060.