The last two sections discussed attacks involving scanning for valid usernames and brute-forcing passwords. Fail2ban is an application that can watch your Asterisk logs and update firewall rules to block the source of an attack in response to too many failed authentication attempts.
Tip #5: Use Fail2ban when exposing Voice over IP services on untrusted networks to automatically update the firewall rules to block the sources of attacks.
Fail2ban is available as a package in many distributions. Alternatively, you can install it from source by downloading it from the Fail2ban website. To install it on Ubuntu, use the following command:
$ sudo apt-get install fail2ban
To install Fail2ban on CentOS, you must have the EPEL repository enabled. For more information on the EPEL repository, see Third-Party Repositories. Once the repository is enabled, Fail2ban can be installed by running the following command:
$ sudo yum install fail2ban
The installation of Fail2ban from a package will include an init script to ensure that it runs when the machine boots up. If you install from source, make sure that you take the necessary steps to ensure that Fail2ban is always running.
For Fail2ban to be able to do anything useful after it detects an attack, you must also have iptables installed. To install it on Ubuntu, use the following command:
$ sudo apt-get install iptables
To install iptables on CentOS, use this command:
$ sudo yum install iptables
You can verify that iptables has been installed by running the iptables command. The -L option requests that the current firewall rules be displayed. In this case, there are no rules configured:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
It is interesting and useful to allow Fail2ban to email the system administrator when it bans an IP address. For this to work, an MTA must be installed. If you are not sure which one to use, the one used during testing for writing this chapter was Postfix. To install Postfix on Ubuntu, use the following command. You may be asked to answer a couple of questions by the installer:
$ sudo apt-get install postfix
To install Postfix on CentOS, use this command:
$ sudo yum install postfix
To test the installation of your MTA, you can send a quick email using mutt. To install it, use the same installation commands as given for installing Postfix, but substitute mutt for the package name. Then run the following commands to test the MTA:
$ echo "Just testing." > email.txt
$ mutt -s "Testing" youraddress@shifteight.org < email.txt
The first file that must be set up is the Asterisk logging configuration file. Here are the contents of /etc/asterisk/logger.conf on a working system. Ensure that you at least have dateformat and messages set, as those are required for Fail2ban:

[general]
dateformat = %F %T

[logfiles]
console => notice,warning,error,debug
messages => notice,warning,error
The next configuration file that must be created is the one that teaches Fail2ban what to watch out for in Asterisk log files. Place the following contents in a new file called /etc/fail2ban/filter.d/asterisk.conf:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# *** All lines below should start with NOTICE
# Some lines have been wrapped due to space requirements for
# the book. All new lines should start with NOTICE.
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Next, you must enable the new Asterisk filter that you just created. To do so, append the following contents to /etc/fail2ban/jail.conf. You will need to modify the dest and sender options to specify the appropriate email addresses for the To and From headers:

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=me@shifteight.org, sender=fail2ban@shifteight.org]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime  = 259200
Finally, there are a couple of options in the [DEFAULT] section of /etc/fail2ban/jail.conf that should be updated. The ignoreip option specifies a list of IP addresses that should never be blocked. It is a good idea to list your IP address(es) here so that you never accidentally block yourself if you make a mistake while trying to set up a phone, for example.[178] You should consider adding other IP addresses as well, such as that of your SIP provider. The whitelisting of good IP addresses protects you against abuse of your Fail2ban configuration. A clever attacker could cause a denial of service by crafting a series of packets that will result in Fail2ban blocking the IP address of their choice.

The destemail option should be set, as well. This address will be used for emails not specific to the Asterisk filter, such as the email Fail2ban sends out when it first starts up. Here’s how you configure these options:

[DEFAULT]
# Multiple addresses can be specified, separated by a space.
ignoreip = 127.0.0.1 10.1.1.1
destemail = youraddress@shifteight.org
[178] Leif learned this one the hard way. He thought his PBX was down, while Russell and Jim had no problems connecting to the conference bridge. It turned out that Fail2ban had banned him from his own PBX.
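The following script is an added example (not code from the book, and not part of Fail2ban) that ties together the three configuration pieces above: it expands the <HOST> tag exactly as the filter's comments describe, runs the failregex list from /etc/fail2ban/filter.d/asterisk.conf over a constructed sample of /var/log/asterisk/messages, parses the timestamps that the logger.conf dateformat produces, and applies the jail's maxretry together with the [DEFAULT] ignoreip list. The log lines, host addresses and the findtime window are all constructed or assumed here; Fail2ban's own jail logic is more involved than this simplified model.

```python
"""Dry-run of the Asterisk Fail2ban filter and jail settings over sample log lines.
Added example: not from the book or from Fail2ban; the windowing is a simplification."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex lines from /etc/fail2ban/filter.d/asterisk.conf as given above.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
# Fail2ban's expansion of the <HOST> tag, quoted in the filter's own comments.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
# logger.conf's dateformat = %F %T puts "[YYYY-MM-DD HH:MM:SS]" at the start of each line.
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
# ignoreip from the [DEFAULT] section above (space-separated list).
IGNOREIP = "127.0.0.1 10.1.1.1".split()


def compile_failregex(patterns=FAILREGEX):
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def match_failure(line, regexes):
    """Return (timestamp, host) if a failregex matches the line, else None."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            ts = TIMESTAMP.match(line)
            when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S") if ts else None
            return when, m.group("host")
    return None


def scan(lines, maxretry=5, findtime=600, ignoreip=IGNOREIP):
    """Count failures per host and ban a host once maxretry failures fall inside a
    findtime-second window (600 s is Fail2ban's default; the jail above keeps it).
    Hosts listed in ignoreip are counted but never banned. Returns (totals, banned)."""
    regexes = compile_failregex()
    recent = defaultdict(deque)   # host -> failure timestamps still inside the window
    totals = defaultdict(int)
    banned = []
    for line in lines:
        hit = match_failure(line, regexes)
        if hit is None:
            continue
        when, host = hit
        totals[host] += 1
        if host in ignoreip or host in banned or when is None:
            continue
        window = recent[host]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return dict(totals), banned


# Constructed sample of /var/log/asterisk/messages (documentation addresses, not real traffic):
# a fast attacker, a slow attacker, a noise line, and a whitelisted local phone with a typo'd secret.
SAMPLE_LOG = """\
[2011-05-15 21:05:08] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@pbx.example.org>' failed for '203.0.113.7' - Wrong password
[2011-05-15 21:05:09] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
[2011-05-15 21:05:09] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@pbx.example.org>' failed for '203.0.113.7' - Wrong password
[2011-05-15 21:05:10] NOTICE[1234] chan_sip.c: Registration from '"admin"<sip:admin@pbx.example.org>' failed for '203.0.113.7' - No matching peer found
[2011-05-15 21:05:11] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@pbx.example.org>' failed for '::ffff:203.0.113.7' - Wrong password
[2011-05-15 21:05:12] NOTICE[1234] chan_iax2.c: No registration for peer '100' (from 203.0.113.7)
[2011-05-15 21:06:01] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@pbx.example.org>' failed for '198.51.100.9' - Device does not match ACL
[2011-05-15 21:30:02] NOTICE[1234] chan_sip.c: 198.51.100.9 failed to authenticate as '200'
[2011-05-15 22:00:03] NOTICE[1234] chan_iax2.c: Host 198.51.100.9 failed MD5 authentication for 'iaxuser' (wrong)
[2011-05-15 22:30:04] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@pbx.example.org>' failed for '198.51.100.9' - Username/auth name mismatch
[2011-05-15 23:00:05] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@pbx.example.org>' failed for '198.51.100.9' - Wrong password
[2011-05-15 23:10:00] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@pbx.example.org>' failed for '10.1.1.1' - Wrong password
[2011-05-15 23:10:01] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@pbx.example.org>' failed for '10.1.1.1' - Wrong password
[2011-05-15 23:10:02] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@pbx.example.org>' failed for '10.1.1.1' - Wrong password
[2011-05-15 23:10:03] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@pbx.example.org>' failed for '10.1.1.1' - Wrong password
[2011-05-15 23:10:04] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@pbx.example.org>' failed for '10.1.1.1' - Wrong password
""".splitlines()


if __name__ == "__main__":
    totals, banned = scan(SAMPLE_LOG)
    for host, n in sorted(totals.items()):
        print(f"{host:16} failures={n} {'BANNED' if host in banned else ''}")
```

Running it shows 203.0.113.7 banned after its fifth failure within a minute (the IPv4-mapped '::ffff:' form is folded into the same host by the <HOST> alias), 198.51.100.9 never banned because its five failures are spread over two hours and never land inside one 600-second window, and 10.1.1.1 counted but left alone because it is on the ignoreip list. To check the filter against your own Asterisk's real message wording rather than these constructed lines, Fail2ban ships fail2ban-regex, which takes the log file and the filter file as its two arguments and reports which lines each failregex matched.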