Asterisk iptables block bruteforce attacks howto with fail2ban


yum -y install fail2ban

vi /etc/fail2ban/jail.conf

[asterisk-tcp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[asterisk-udp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

vi /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
#
# Author: Xavier Devlamynck
#
# $Revision$
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?PS+)
# Values:  TEXT
#
failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Wrong password$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - No matching peer found$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Username/auth name mismatch$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Device does not match ACL$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Peer is not supposed to register$
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - ACL error (permit/deny)$
            NOTICE%(__pid_re)s failed to authenticate as '.*'$
            NOTICE%(__pid_re)s .*: No registration for peer '.*' (from )$
            NOTICE%(__pid_re)s .*: Host failed MD5 authentication for '.*' (.*)$
            NOTICE%(__pid_re)s .*: Failed to authenticate user .*@.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
~                                                                                                                                                                                                                                           
~                                                                                                                                                                                                                                           
~                                                                                                                                                                                                                                           
~                                             

chkconfig fail2ban on
service fail2ban start

cat /var/log/fail2ban.log
2013-11-25 09:17:43,789 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.7
2013-11-25 09:17:43,791 fail2ban.jail   : INFO   Creating new jail 'asterisk-udp'
2013-11-25 09:17:43,828 fail2ban.jail   : INFO   Jail 'asterisk-udp' uses Gamin
2013-11-25 09:17:43,944 fail2ban.jail   : INFO   Initiated 'gamin' backend
2013-11-25 09:17:43,985 fail2ban.filter : INFO   Added logfile = /var/log/asterisk/messages
2013-11-25 09:17:43,987 fail2ban.filter : INFO   Set maxRetry = 10
2013-11-25 09:17:43,989 fail2ban.filter : INFO   Set findtime = 600
2013-11-25 09:17:43,991 fail2ban.actions: INFO   Set banTime = 600
2013-11-25 09:17:44,067 fail2ban.jail   : INFO   Creating new jail 'asterisk-tcp'
2013-11-25 09:17:44,068 fail2ban.jail   : INFO   Jail 'asterisk-tcp' uses Gamin
2013-11-25 09:17:44,070 fail2ban.jail   : INFO   Initiated 'gamin' backend
2013-11-25 09:17:44,072 fail2ban.filter : INFO   Added logfile = /var/log/asterisk/messages
2013-11-25 09:17:44,074 fail2ban.filter : INFO   Set maxRetry = 10
2013-11-25 09:17:44,077 fail2ban.filter : INFO   Set findtime = 600
2013-11-25 09:17:44,078 fail2ban.actions: INFO   Set banTime = 600
2013-11-25 09:17:44,129 fail2ban.jail   : INFO   Jail 'asterisk-udp' started
2013-11-25 09:17:44,136 fail2ban.jail   : INFO   Jail 'asterisk-tcp' started
                                                                                                                                                                                             
~                                             


Tags:

asterisk, iptables, bruteforce, attacks, howto, ban, yum, install, vi, etc, conf, tcp, enabled, filter, multiport, quot, protocol, sendmail, whois, dest, sender, logpath, var, maxretry, udp, configuration, author, xavier, devlamynck, revision, includes, prefixes, customizations, definition, failregex, regex, password, failures, logfile, matched, ip, hostname, matching, alias, ps, text, __pid_re, registration, peer, username, auth, mismatch, acl, register, permit, authenticate, md, authentication, user, ignoreregex, ignored, chkconfig, server, info, logging, creating, gamin, initiated, backend, findtime, bantime,

Latest Articles

  • Cisco Router Setup Guide and Tutorial Howto With Commands and Examples
  • Linux Bash Script To List All Connected IPs and their network name
  • Cisco Switches How To Get Of Port Line Status Console Messages
  • Cisco DHCP Snooping Relay Setup Information
  • Cisco Switch Setup Guide Command List
  • Cisco 2960 Switch Reset To Factory Defaults
  • How To Boot Cisco CUCM UCSInstall 8.6, 10, 11 and 12 on KVM/Proxmox
  • VBOX VirtualBox How To Import Raw .img Disk File
  • Windows Server 2012, 2016, 2019 How To Install and Missing Disabled Telnet Client
  • proxmox vm networking breaks when you restart your network on the hostnode
  • Linux ln symlink how to update existing symbolic link
  • Ubuntu 18.04 / Linux Mint 19.1 Cannot Type or Login - solution
  • LUKS Hard Drive Encryption on Linux Mint Ubuntu Debian etc how to mount encrypted hard drive
  • How to use nmap locate other machines/computers/servers on your network using nmap
  • Linux Mint 18.2 Create Config File To Start Application Upon Login
  • Dell Wyse Thin Client BIOS Access Key
  • sudoers file in /etc warning about comments/includes!
  • Centos 7 Reallocate logical volume space to another
  • lvm how to reduce volume size
  • letsencrypt certbot error "Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80."