I’ve got my FreePBX Distro set up, but the Intrusion Detection doesn’t seem to be banning an address which clearly should be banned. It’s detecting the “Wrong Password” attempts and logging them, but the IP address has been trying to brute force a SIP login for hours, and it’s not being banned.
I’m not 100% sure I’m understanding the Fail2Ban setup, but here’s how I see it, and I feel like I might be missing something. First off, here’s the (sanitized) offending login attempt:
[2014-06-16 10:08:21] NOTICE[1884] chan_sip.c: Registration from '"108857" <sip:108857@[my.public.ip.address]:5060>' failed for '[script.kiddie.address]:5130' - Wrong password
I have thousands of these attempts in my logs. The first regex in /etc/fail2ban/filter.d/asterisk.conf is:
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
which should be flagging that log message. However, looking through the config, the file /etc/fail2ban/jail.local contains the following section:
[asterisk-iptables]
enabled = true
filter = asterisk-security
action = iptables-allports[name=SIP, protocol=all]
sendmail[name=SIP, [email protected], sender=]
logpath = /var/log/asterisk/fail2ban
which would appear to be using /etc/fail2ban/filter.d/asterisk-security.conf. I don’t see an expression in asterisk-security.conf that would catch the logfile message from my would-be attacker. Should jail.local contain an additional section that references /etc/fail2ban/filter.d/asterisk.conf? It looks like the system-admin GUI is intentionally creating both files.
Admittedly, I could be missing something. I’m not a fail2ban expert. Could it be as simple as putting an include in asterisk-security.conf? Is there some other reference that should be invoking what appears to be a correct regex?
I’m going to try a few things out, but if this is in fact a bug, and I hand-edit the file, it’s likely to be overwritten in the next update. I haven’t put this server into production yet, but I’ve got a lot riding on it, so I’m trying to be thorough.
Thanks in advance for your time and attention!
-Craig
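To check which filter actually matches a log line like the one above, here is an added example (not part of the original post or of FreePBX/fail2ban) that expands fail2ban's `<HOST>` placeholder the way the classic fail2ban engine does, runs the asterisk.conf failregex quoted above over constructed sample lines, and tallies which hosts would reach maxretry. The sample lines and addresses are constructed; the findtime window is ignored.

```python
import re
from collections import Counter

# fail2ban's classic expansion of the <HOST> placeholder (IPv4 address or hostname)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex quoted from /etc/fail2ban/filter.d/asterisk.conf in the post
ASTERISK_FAILREGEX = (r"NOTICE.* .*: Registration from '.*' failed for "
                      r"'<HOST>:.*' - Wrong password")

# Constructed sample lines mirroring the sanitized entry in the post
# (addresses are from documentation ranges, not real hosts).
SAMPLE_LINES = [
    "[2014-06-16 10:08:21] NOTICE[1884] chan_sip.c: Registration from "
    "'\"108857\" <sip:108857@203.0.113.10:5060>' failed for "
    "'198.51.100.7:5130' - Wrong password",
] * 6 + [
    "[2014-06-16 10:09:00] NOTICE[1884] chan_sip.c: Registration from "
    "'\"200\" <sip:200@203.0.113.10:5060>' failed for "
    "'198.51.100.9:5060' - Wrong password",
]


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_host(failregex, line):
    """Return the host a failregex extracts from one log line, or None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def hosts_to_ban(failregex, lines, maxretry=5):
    """Replay log lines through one filter and report hosts reaching maxretry.

    Real fail2ban also requires the hits to fall within findtime; this replay
    ignores that window so the filter match itself is what gets checked.
    """
    hits = Counter(h for h in (match_host(failregex, l) for l in lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    print("asterisk.conf regex bans:", hosts_to_ban(ASTERISK_FAILREGEX, SAMPLE_LINES))
```

The stock `fail2ban-regex <logfile> <filter-file>` command performs the same match test against the real log and filter; a filter that reports zero matches for these lines is the one that will never trigger the ban.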