The last two sections discussed attacks involving scanning for valid usernames and brute-forcing passwords. Fail2ban is an application that can watch your Asterisk logs and update firewall rules to block the source of an attack in response to too many failed authentication attempts.

Tip #5: Use Fail2ban when exposing Voice over IP services on untrusted networks to automatically update the firewall rules to block the sources of attacks.


Fail2ban is available as a package in many distributions. Alternatively, you can install it from source by downloading it from the Fail2ban website. To install it on Ubuntu, use the following command:

$ sudo apt-get install fail2ban

To install Fail2ban on CentOS, you must have the EPEL repository enabled. For more information on the EPEL repository, see Third-Party Repositories. Once the repository is enabled, Fail2ban can be installed by running the following command:

$ sudo yum install fail2ban


The installation of Fail2ban from a package will include an init script to ensure that it runs when the machine boots up. If you install from source, make sure that you take the necessary steps to ensure that Fail2ban is always running.


For Fail2ban to be able to do anything useful after it detects an attack, you must also have iptables installed. To install it on Ubuntu, use the following command:

$ sudo apt-get install iptables

To install iptables on CentOS, use this command:

$ sudo yum install iptables

You can verify that iptables has been installed by running the iptables command. The -L option requests that the current firewall rules be displayed. In this case, there are no rules configured:

$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Sending email

It is interesting and useful to allow Fail2ban to email the system administrator when it bans an IP address. For this to work, an MTA must be installed. If you are not sure which one to use, the one used during testing for writing this chapter was Postfix. To install Postfix on Ubuntu, use the following command. You may be asked to answer a couple of questions by the installer:

           sudo apt-get install postfix

To install Postfix on CentOS, use this command:

$ sudo yum install postfix

To test the installation of your MTA, you can send a quick email using mutt. To install it, use the same installation commands as given for installing Postfix, but substitute mutt for the package name. Then run the following commands to test the MTA:

$ echo "Just testing." > email.txt
$ mutt -s "Testing" < email.txt


The first file that must be set up is the Asterisk logging configuration file. Here are the contents of /etc/asterisk/logger.conf on a working system. Ensure that you at least have dateformat and messages set, as those are required for Fail2ban:


dateformat = %F %T


console => notice,warning,error,debug
messages => notice,warning,error

The next configuration file that must be created is the one that teaches Fail2ban what to watch out for in Asterisk log files. Place the following contents in a new file called /etc/fail2ban/filter.d/asterisk.conf:


# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT

# *** All lines below should start with NOTICE
#     Some lines have been wrapped due to space requirements for
#     the book. All new lines should start with NOTICE.
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' 
 - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' 
 - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' 
 - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' 
 - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =

Next, you must enable the new Asterisk filter that you just created. To do so, append the following contents to /etc/fail2ban/jail.conf. You will need to modify the dest and sender options to specify the appropriate email addresses for the To and From headers:


enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 259200

Finally, there are a couple of options in the [DEFAULT] section of /etc/fail2ban/jail.conf that should be updated. The ignoreip option specifies a list of IP addresses that should never be blocked. It is a good idea to list your IP address(es) here so that you never accidentally block yourself if you make a mistake while trying to set up a phone, for example.[178] You should consider adding other IP addresses as well, such as that of your SIP provider. The whitelisting of good IP addresses protects you against abuse of your Fail2ban configuration. A clever attacker could cause a denial of service by crafting a series of packets that will result in Fail2ban blocking the IP address of their choice.

The destemail option should be set, as well. This address will be used for emails not specific to the Asterisk filter such as the email Fail2ban sends out when it first starts up. Here’s how you configure these options:


# Multiple addresses can be specified, separated by a space.
ignoreip =

destemail =

[178] Leif learned this one the hard way. He thought his PBX was down, while Russell and Jim had no problems connecting to the conference bridge. It turned out that Fail2ban had banned him from his own PBX.