Re: [asterisk-users] Blacklist failed attempts
If this is a home system, try the free edition of SecAst (www.telium.ca/?secast <http://www.telium.ca/?secast> ). If allows you to set thresholds for the number of attempts, and specify the period in which they occur. The Free edition of SecAst is a drop-in replacement for fail2ban (but with a lot more intelligence included for free). If this is for a business / you are looking for a commercial product recommendation then post on the commercial list :) From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Atux Atux Sent: Thursday, March 1, 2018 8:03 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [asterisk-users] Blacklist failed attempts Hi. I would like to protect my system from failed attempts. I would like to ask if there is a way to do a blacklist for certain amount of time consecutive attempts from the same IP. For example if we have an IP that gets a wrong passwd an it had tried more than 3 times the last 5 minutes, blacklist it for an hour. I have tried to implement it through fail2ban, but it doe snot seem to work for my asterisk implementation. Is there any other way? -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Blacklist failed attempts
On Thu, 2018-03-01 at 15:02 +0200, Atux Atux wrote:
> I have tried to implement it through fail2ban, but it doe snot seem
> to work for my asterisk implementation.
I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
configuration:
in /etc/asterisk/logger.conf:
messages => security,notice,warning,error
in /etc/asterisk/sip.conf:
allowguest=yes
context=unauthenticated
in /etc/asterisk/extensions.conf:
[unauthenticated]
;; Incomming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()
exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()
in /etc/fail2ban/jail.conf:
[asterisk]
filter = asterisk
action = iptables-allports[name=ASTERISK]
logpath = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime = 518400
enabled = true
in /etc/fail2ban/filter.d
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them
from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the
logfile. The
# host must be matched by a group named "host". The tag
"" can
# be used for standard IP/hostname matching and is only an
alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for
':.*' - Wrong password
NOTICE.* .*: Call from '.*' \((:[0-9]{1,5})?\) to
extension '.*' rejected because extension not found in context
'unauthenticated'
NOTICE.* chan_sip.c: Call from '.*' \((:[0-
9]{1,5})?\) to extension '.*' rejected because extension not found in
context 'unauthenticated'
NOTICE.* .*: Registration from '.*' failed for
':.*' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for
':.*' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for
':.*' - Not a local domain
NOTICE.* .*: Registration from '.*' failed for
':.*' - Peer is not supposed to register
NOTICE.* .*: Registration from '.*' failed for
':.*' - Device does not match ACL
NOTICE.* .*: Registration from '.*' failed for
':.*' - Device not configured to use this transport type
NOTICE.* .*: No registration for peer '.*' \(from
\)
NOTICE.* .*: Host failed MD5 authentication for
'.*' \(.*\)
NOTICE.* .*: Host denied access to register peer
'.*'
NOTICE.* .*: Host did not provide proper
plaintext password for '.*'
NOTICE.* .*: Registration of '.*' rejected: '.*' from:
''
NOTICE.* .*: Peer '.*' is not dynamic (from )
NOTICE.* .*: Host denied access to register peer
'.*'
SECURITY.* .*:
SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,Rem
oteAddress="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
SECURITY.* .*:
SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddr
ess="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
SECURITY.* .*:
SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,Remo
teAddress="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
SECURITY.* .*:
SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP
".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)//[0-9]+"
VERBOSE.* logger.c: -- .*IP/-.* Playing 'ss-
noservice' \(language '.*'\)
SECURITY.* .*:
SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".
*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TL
S)//[0-9]+
WARNING.* .*: fail2ban=''
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
Check out the new Asterisk community forum at: https://community.asterisk.org/
New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Blacklist failed attempts
Hi
You could do somethink like this in Perl:
#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;
open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log
file file exist\?\n\n";
while () {
my ($line) = $_;
chomp($line);
if ($line =~ m/\' failed for \'(.*?):\d+\' - No matching peer found/) {
push(@failhost,$1);
}
if ($line =~ m/\' failed for \'(.*?):\d+\' - Wrong password/) {
push(@failhost,$1);
}
}
my $blockedhosts = `/sbin/iptables -n -L asterisk`;
while ($blockedhosts =~ /(.*)/g) {
my ($line2) = $1;
chomp($line2);
if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
$currblocked{ $1 } = 'blocked';
}
}
if (@failhost) {
&count_unique(@failhost);
while (my ($ip, $count) = each(%addblocked)) {
if (exists $currblocked{ $ip }) {
} else {
$action = `/sbin/iptables -I asterisk -s $ip -j REJECT`;
print "$ip blocked. $count attempts.\n";
}
}
} else {
#print "no failed registrations.\n";
}
sub count_unique {
my @array = @_;
my %count;
map { $count{$_}++ } @array;
map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
}
Mind, this would NOT block attempts via IPv6. So I have stopped using that
script, also reading the file over and over again is not very performant.
I have not opted to using my MirkroTik Firewall to block failed attempts,
similar rules can also be make with iptables:
In the Mangle Ruleset:
1;;; SIP Check Unauth
chain=forward action=add-dst-to-address-list protocol=udp
src-address-list=SIP-Servers address-list=sip-auth-fail
address-list-timeout=10m
out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized
log=no log-prefix=""
2;;; tcp sip check auth fail
chain=forward action=add-dst-to-address-list protocol=tcp
src-address-list=SIP-Servers address-list=sip-auth-fail
address-list-timeout=10m
out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized
log=no log-prefix=""
And then you just block all source address from sip-auth-fail in your
forwarding table. This works for IPv6 and IPv4.
(Als yes, depending on the speed of your link, this also could be ressource
intensive on your firewall, as it does full packet inspection.
Mit freundlichen Grüssen
-Benoît Panizzon-
--
I m p r o W a r e A G-Leiter Commerce Kunden
__
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 PrattelnFax +41 61 826 93 01
Schweiz Web http://www.imp.ch
__
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
Check out the new Asterisk community forum at: https://community.asterisk.org/
New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Blacklist failed attempts
On Thursday 01 March 2018 at 14:02:37, Atux Atux wrote: > Hi. I would like to protect my system from failed attempts. I would like to > ask if there is a way to do a blacklist for certain amount of time > consecutive attempts from the same IP. fail2ban > For example if we have an IP that gets a wrong passwd an it had tried more > than 3 times the last 5 minutes, blacklist it for an hour. Good plan. > I have tried to implement it through fail2ban, What have you tried? Show us the configuration. > but it does not seem to work for my asterisk implementation. Which version of Asterisk are you using and how have you set up fail2ban? > Is there any other way? There may be other ways, but fail2ban really is the right tool for this job. Antony. -- I conclude that there are two ways of constructing a software design: One way is to make it so simple that there are _obviously_ no deficiencies, and the other way is to make it so complicated that there are no _obvious_ deficiencies. - C A R Hoare Please reply to the list; please *don't* CC me. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Blacklist failed attempts
Hi. I would like to protect my system from failed attempts. I would like to ask if there is a way to do a blacklist for certain amount of time consecutive attempts from the same IP. For example if we have an IP that gets a wrong passwd an it had tried more than 3 times the last 5 minutes, blacklist it for an hour. I have tried to implement it through fail2ban, but it doe snot seem to work for my asterisk implementation. Is there any other way? -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
