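# Install fail2ban non-interactively from the configured yum repositories.
yum -y install fail2ban
# Add the Asterisk jails to jail.local rather than jail.conf: jail.conf is the
# packaged default and is replaced on a package upgrade, whereas jail.local is
# read on top of it and keeps local overrides. The two [asterisk-*] sections
# below go into this file.
vi /etc/fail2ban/jail.local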
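; Two jails (TCP and UDP SIP signalling) that share the asterisk filter in
; filter.d/asterisk.conf and read the Asterisk message log. Each ban inserts
; an iptables multiport rule and sends a whois-enriched mail.
; Replace dest/sender below with real addresses before enabling.
; findtime and bantime are not set here, so fail2ban's defaults apply.
; NOTE(review): assumes Asterisk's logger writes NOTICE-level messages to
; /var/log/asterisk/messages - confirm in logger.conf, otherwise nothing matches.
[asterisk-tcp]
enabled = true
filter = asterisk
; The second action is a continuation line of the same value and must be
; indented; an unindented line is rejected by fail2ban's config parser.
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/asterisk/messages
; failures within findtime before the source address is banned
maxretry = 10

[asterisk-udp]
enabled = true
filter = asterisk
action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/asterisk/messages
; failures within findtime before the source address is banned
maxretry = 10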
# Filter referenced by both jails (filter = asterisk): its failregex patterns
# are matched against the Asterisk message log to extract the offending host.
vi /etc/fail2ban/filter.d/asterisk.conf
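# Fail2Ban configuration file
#
# Author: Xavier Devlamynck
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# Each alternative is one chan_sip NOTICE line; the source address is
# captured by <HOST>. fail2ban refuses a failregex that has no <HOST> tag
# (or "host" group), so every line must carry one. Asterisk 1.8 and later
# log the source as 'addr:port', hence the optional (:[0-9]{1,5})? after
# <HOST>; older releases log the bare address and still match. Literal
# parentheses in the log text are escaped so they are not read as regex
# groups. Verify the message tails against the chan_sip messages of the
# Asterisk version in use before relying on them.
failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - ACL error \(permit/deny\)
            NOTICE%(__pid_re)s <HOST> failed to authenticate as '.*'$
            NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE%(__pid_re)s .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE%(__pid_re)s .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =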
# Enable the SysV init service at boot and start it now, then check the
# fail2ban log to confirm that both Asterisk jails were created and started.
chkconfig fail2ban on
service fail2ban start
cat /var/log/fail2ban.log
2013-11-25 09:17:43,789 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.7
2013-11-25 09:17:43,791 fail2ban.jail : INFO Creating new jail 'asterisk-udp'
2013-11-25 09:17:43,828 fail2ban.jail : INFO Jail 'asterisk-udp' uses Gamin
2013-11-25 09:17:43,944 fail2ban.jail : INFO Initiated 'gamin' backend
2013-11-25 09:17:43,985 fail2ban.filter : INFO Added logfile = /var/log/asterisk/messages
2013-11-25 09:17:43,987 fail2ban.filter : INFO Set maxRetry = 10
2013-11-25 09:17:43,989 fail2ban.filter : INFO Set findtime = 600
2013-11-25 09:17:43,991 fail2ban.actions: INFO Set banTime = 600
2013-11-25 09:17:44,067 fail2ban.jail : INFO Creating new jail 'asterisk-tcp'
2013-11-25 09:17:44,068 fail2ban.jail : INFO Jail 'asterisk-tcp' uses Gamin
2013-11-25 09:17:44,070 fail2ban.jail : INFO Initiated 'gamin' backend
2013-11-25 09:17:44,072 fail2ban.filter : INFO Added logfile = /var/log/asterisk/messages
2013-11-25 09:17:44,074 fail2ban.filter : INFO Set maxRetry = 10
2013-11-25 09:17:44,077 fail2ban.filter : INFO Set findtime = 600
2013-11-25 09:17:44,078 fail2ban.actions: INFO Set banTime = 600
2013-11-25 09:17:44,129 fail2ban.jail : INFO Jail 'asterisk-udp' started
2013-11-25 09:17:44,136 fail2ban.jail : INFO Jail 'asterisk-tcp' started