> failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$
> NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$
> NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch$
> NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL$
> NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Peer is not supposed to register$
> NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
> NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Not a local domain$
> NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
> NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$
> NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$
> NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
> NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@<HOST>\S*$
> SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/
In OS cli run command
> service fail2ban status
Is output like this?
> Fail2ban (pid 1774) is running...
> Status
> |- Number of jail: 3
> `- Jail list: mysqld-iptables, asterisk-iptables, ssh-iptables
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
[me@server ~]$ service fail2ban status
Fail2ban (pid 19487) is running...
ERROR Unable to contact server. Is it running?
[me@server ~]$ sudo service fail2ban status
[sudo] password for me:
Fail2ban (pid 19487) is running...
Status
|- Number of jail: 5
`- Jail list: apache-badbots, apache-tcpwrapper, ssh-iptables, asterisk-iptables, vsftpd-iptables
Perhaps it looks like I'm missing some lines from /etc/fail2ban/filter.d/asterisk.conf?
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
should match
[2014-06-18 17:08:21] NOTICE[1614] chan_sip.c: Registration from '"494" sip:[email protected]:5060' failed for '198.15.70.2:5075' - Wrong password
You have a very old version of fail2ban; it would work for asterisk 1.8, but only after 40 or so attacks, and then good old me@mydomain would get an email.
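An added example, not code from the thread or from fail2ban itself, that shows why the old filter line misses the Asterisk 11 log line quoted above: Asterisk 11 appends ":port" to the failing address, and the old pattern has no room for it. The expansions of `__pid_re` and `<HOST>` are assumptions standing in for fail2ban's own; the two log lines are constructed samples.

```python
import re

# Assumed expansions (not from the thread): fail2ban's asterisk.conf defines
# __pid_re as an optional "[pid]" and substitutes <HOST> with a named group
# that cannot contain ':' (IPv4/hostname form; the IPv6 prefix is omitted here).
PID_RE = r"(?:\[\d+\])?"
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Old FreePBX-era filter line quoted in the thread (no ":port" suffix allowed).
OLD_WRONG_PASSWORD = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password"
# Current filter line quoted at the top of the thread (":port" is optional).
NEW_WRONG_PASSWORD = (r"NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for "
                      r"'<HOST>(:[0-9]+)?' - Wrong password$")


def compile_failregex(failregex):
    """Expand the fail2ban placeholders and compile, as the filter loader would."""
    pattern = failregex % {"__pid_re": PID_RE}
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matched_host(failregex, logline):
    """Return the host fail2ban would ban for a matching line, or None on a miss."""
    m = compile_failregex(failregex).search(logline)
    return m.group("host") if m else None


# Constructed sample lines: Asterisk 1.8 logged only the address, Asterisk 11 adds ":port".
ASTERISK_18_LINE = ("[2014-06-18 17:08:21] NOTICE[1614] chan_sip.c: Registration from "
                    "'\"494\" <sip:494@203.0.113.10:5060>' failed for '198.15.70.2' - Wrong password")
ASTERISK_11_LINE = ("[2014-06-18 17:08:21] NOTICE[1614] chan_sip.c: Registration from "
                    "'\"494\" <sip:494@203.0.113.10:5060>' failed for '198.15.70.2:5075' - Wrong password")

if __name__ == "__main__":
    for version, line in (("1.8", ASTERISK_18_LINE), ("11", ASTERISK_11_LINE)):
        print(f"Asterisk {version}: old filter -> {matched_host(OLD_WRONG_PASSWORD, line)}, "
              f"new filter -> {matched_host(NEW_WRONG_PASSWORD, line)}")
```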
As ever, you should always start off with how you installed FreePBX, asterisk and your OS, because fail2ban only works if you set it up properly.
So the OS, freepbx and asterisk were installed by my VPS host company. They have a number of PBX customers, so I’m assuming they have something packaged up already. As to how I installed fail2ban… I believe I used the module package and possibly yum install fail2ban?
Well, the "Best" solution will need python 2.7 and also pyinotify (less best: gamin), and Asterisk 11.10.0 needs updating for security reasons. If you want to roll your sleeves up and get dirty, do those updates and we can continue if you want. If you want to use yum, then maybe go the Schmooze way and use their repos if they work on your Redhat based system.
Lock down SIP ports (5060 etc) in iptables to your trunk provider. If you have remote phones, there are many ways to provide access for such endpoints–port knocking, travelin man 3. Reliance upon fail2ban should be a secondary method, otherwise you could still open yourself up to a DOS attack or a 0 day vulnerability. Hackers are worthless scum, I say don’t even let them know that your PBX is there. You don’t have to agree with me, that’s just my .02
I am an avid Python guy and some of my magic simply doesn’t work on vanilla centos because it requires 2.6. There are instruction sets to install 2.7 but know if you mess up you can hose your whole system because 2.7 will break centos internals.
and installing it will get you 95% there; the regexes catch everything except for bad AMI attempts. You could add that, but I suggest that AMI should either only bind to 127.0.0.1 (most folks) or add allow/deny to suit your needs.
The sip vicious attacks seem to be all caught if denying sip guests and anonymous and requiring alwaysauthreject.
Given that, I find 0.9 MUCH more responsive to attacks on my honey traps, and it also maintains an sqlite3 database for permanence over restarts and reboots. Just enable the jails you want/need and point the asterisk jail at a logfile that has only notice and security, and of course make sure that the emails are flowing.
Security is important. Relying on Fail2Ban is not good enough on its own, but it adds a level of IDS to many services; add a properly configured firewall before it and run fail2ban as an adjunct to your firewall.
The easiest and most consistently missed point in SIP attacks is to just not listen on TCP/UDP 5060-5080 for SIP signalling; there are some 63000 other choices. That is the easiest way to not "let them know that your PBX is there".
thanks all - I changed the sip ports my extension uses (I just have one extension) to something random. So now how do I get freepbx to stop listening on any 5060 ? I don’t believe I have another extension using it, but I’ll double check. Still getting attempts on 5060.