Asterisk: how to block brute-force attacks with fail2ban and iptables


# install the fail2ban package (the fail2ban.log output further down shows v0.8.7 in use here)
yum -y install fail2ban

# jail definitions; fail2ban also reads jail.local, which survives package upgrades of jail.conf
vi /etc/fail2ban/jail.conf

[asterisk-tcp]
# Asterisk SIP signalling over TCP. A source that trips the filter is blocked
# on both SIP ports via iptables-multiport and a whois report is mailed for
# each ban; replace the example.com addresses before enabling this jail.
# findtime and bantime are not set here, so fail2ban's defaults apply (the
# fail2ban.log output further down reports 600 s for both).
enabled = true
filter = asterisk
logpath = /var/log/asterisk/messages
# failures allowed from one source within findtime before it is banned
maxretry = 10
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

[asterisk-udp]
# Asterisk SIP signalling over UDP. Same log file and filter as asterisk-tcp,
# so every matched failure counts toward both jails and a banned source is
# blocked for both protocols; replace the example.com addresses before
# enabling this jail.
# findtime and bantime are not set here, so fail2ban's defaults apply (the
# fail2ban.log output further down reports 600 s for both).
enabled = true
filter = asterisk
logpath = /var/log/asterisk/messages
# failures allowed from one source within findtime before it is banned
maxretry = 10
action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

# the filter both jails above reference with "filter = asterisk"
vi /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
#
# Author: Xavier Devlamynck
#
# $Revision$
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
# common.conf is expected to supply the __pid_re prefix that the failregex
# patterns in [Definition] interpolate via %(__pid_re)s.
before = common.conf

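[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
#          Every pattern below must keep its <HOST> tag: that group is the
#          address fail2ban bans, and a pattern without it gives fail2ban
#          nothing to act on. Copies of this file taken from web pages often
#          lose the angle-bracketed tag (and backslashes), so check each line
#          after pasting. The "(from <HOST>)" pattern needs the parentheses
#          escaped, \( and \), because the log line contains literal parens.
#          %(__pid_re)s is interpolated from common.conf (see [INCLUDES]).
#          Patterns are anchored with $ and tried in order against each line.
# Values:  TEXT
#
failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Wrong password$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - No matching peer found$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)$
            NOTICE%(__pid_re)s <HOST> failed to authenticate as '.*'$
            NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from <HOST>\)$
            NOTICE%(__pid_re)s .*: Host <HOST> failed MD5 authentication for '.*' (.*)$
            NOTICE%(__pid_re)s .*: Failed to authenticate user .*@<HOST>.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
#          Left empty here, so nothing is exempted. Use it to exempt a known
#          source (e.g. a monitoring host) rather than raising maxretry for
#          everyone.
# Values:  TEXT
#
ignoreregex =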
~                                                                                                                                                                                                                                           
~                                                                                                                                                                                                                                           
~                                                                                                                                                                                                                                           
~                                             

# register the service for boot (SysV init) and start it now
chkconfig fail2ban on
service fail2ban start

# confirm both jails started; the output also shows the effective findtime and banTime
cat /var/log/fail2ban.log
2013-11-25 09:17:43,789 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.7
2013-11-25 09:17:43,791 fail2ban.jail   : INFO   Creating new jail 'asterisk-udp'
2013-11-25 09:17:43,828 fail2ban.jail   : INFO   Jail 'asterisk-udp' uses Gamin
2013-11-25 09:17:43,944 fail2ban.jail   : INFO   Initiated 'gamin' backend
2013-11-25 09:17:43,985 fail2ban.filter : INFO   Added logfile = /var/log/asterisk/messages
2013-11-25 09:17:43,987 fail2ban.filter : INFO   Set maxRetry = 10
2013-11-25 09:17:43,989 fail2ban.filter : INFO   Set findtime = 600
2013-11-25 09:17:43,991 fail2ban.actions: INFO   Set banTime = 600
2013-11-25 09:17:44,067 fail2ban.jail   : INFO   Creating new jail 'asterisk-tcp'
2013-11-25 09:17:44,068 fail2ban.jail   : INFO   Jail 'asterisk-tcp' uses Gamin
2013-11-25 09:17:44,070 fail2ban.jail   : INFO   Initiated 'gamin' backend
2013-11-25 09:17:44,072 fail2ban.filter : INFO   Added logfile = /var/log/asterisk/messages
2013-11-25 09:17:44,074 fail2ban.filter : INFO   Set maxRetry = 10
2013-11-25 09:17:44,077 fail2ban.filter : INFO   Set findtime = 600
2013-11-25 09:17:44,078 fail2ban.actions: INFO   Set banTime = 600
2013-11-25 09:17:44,129 fail2ban.jail   : INFO   Jail 'asterisk-udp' started
2013-11-25 09:17:44,136 fail2ban.jail   : INFO   Jail 'asterisk-tcp' started
                                                                                                                                                                                             
~                                             


