By @UKVoIPForums
#5833
What is Fail2ban
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your server. When an attempted compromise matching the defined patterns is detected, Fail2ban adds a new rule to iptables to block the attacker's IP address, either for a set amount of time or permanently. Fail2ban can also alert you by email that an attack is occurring.

Install Fail2ban
You can install Fail2ban by running the following command:
apt-get install fail2ban

Configure Fail2ban
Fail2ban reads .conf configuration files first, then .local files override any settings. Because of this, all changes to the configuration are generally done in .local files, leaving the .conf files untouched. Create your own .local configuration file by running the following command:
nano /etc/fail2ban/jail.local

Copy and paste the following into your jail.local file:
[asterisk]
enabled = true
port = 5060,5061
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/security
findtime = 600
bantime = 600
maxretry = 3

[freepbx]
enabled = true
filter = freepbx
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/freepbx_security.log
maxretry = 3
findtime = 600
bantime = 600

[sshd]
enabled = true
port = 22
action = iptables-allports[name=SIP, protocol=all]
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 600
Save the file by pressing "Ctrl+O" followed by "Enter".
Exit nano by pressing "Ctrl+X".

Two more config files are required, one for "Freepbx" and the other for "Asterisk". Create the first (Freepbx) configuration file by running the following command:
nano /etc/fail2ban/filter.d/freepbx.conf

Copy and paste the following into your freepbx.conf file:
[INCLUDES]
before = common.conf

[Definition]
datepattern = ^\[%%Y-%%b-%%d %%H:%%M:%%S\]

failregex = \[freepbx_security\.NOTICE\]: Authentication failure for .* from <HOST>
Save the file by pressing "Ctrl+O" followed by "Enter".
Exit nano by pressing "Ctrl+X".

So just like before, create the second (Asterisk) configuration file by running the following command:
nano /etc/fail2ban/filter.d/asterisk.conf

Copy and paste the following into your asterisk.conf file:
[INCLUDES]
before = common.conf

[Definition]
_daemon = asterisk
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device doe$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/$
            ^"Rejecting unknown SIP connection from <HOST>"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)$

ignoreregex =

datepattern = {^LN-BEG}
Save the file by pressing "Ctrl+O" followed by "Enter".
Exit nano by pressing "Ctrl+X".

Now log in to your FreePBX administration control panel and navigate to:
  • Settings > Log File Settings
Click on the "Log Files" tab and create a new log named "security", like so:
[Screenshot: the "Log Files" tab with a new log named "security"]

Don't forget to click on "Submit" and "Apply Changes"!

Finally reboot your system by running the following command:
reboot

Now if anyone attempts to brute-force your server over SIP, the web interface or SSH, their IP address will be banned for 10 minutes (600 seconds) after 3 failed attempts.
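To check what the freepbx.conf filter and the jail.local thresholds above actually do before you reboot, here is an added Python example; it is not part of the original post and not Fail2ban's own code. It applies the datepattern and failregex from freepbx.conf to a few constructed security-log lines, substitutes an IPv4-only stand-in for Fail2ban's <HOST> tag (the real tag also matches IPv6 and hostnames), and then replays the findtime/maxretry/bantime logic of the jail. The log lines, usernames and IP addresses are made up for the example; the same approach works for any one of the asterisk.conf failregex lines by swapping the pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a FreePBX security log (not from a real server).
# Two hosts: one fails three times in 19 seconds, the other three times
# spread over 25 minutes, which is outside a 600-second findtime window.
SAMPLE_LOG = """\
[2024-May-03 10:15:01] [freepbx_security.NOTICE]: Authentication failure for admin from 203.0.113.7
[2024-May-03 10:15:09] [freepbx_security.NOTICE]: Authentication failure for admin from 203.0.113.7
[2024-May-03 10:15:20] [freepbx_security.NOTICE]: Authentication failure for root from 203.0.113.7
[2024-May-03 10:16:00] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.9
[2024-May-03 10:40:00] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.9
[2024-May-03 10:41:00] [freepbx_security.NOTICE]: Authentication failure for admin from 198.51.100.9
[2024-May-03 10:41:30] [freepbx_security.INFO]: Authentication successful for admin from 198.51.100.9
"""

# Stand-in for Fail2ban's <HOST> tag, narrowed to IPv4 for this example.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# datepattern ^\[%%Y-%%b-%%d %%H:%%M:%%S\] from freepbx.conf, as a regex plus strptime format.
DATE_RE = re.compile(r"^\[(?P<date>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\]")
DATE_FMT = "%Y-%b-%d %H:%M:%S"

# failregex from freepbx.conf with <HOST> substituted.
FAIL_RE = re.compile(
    r"\[freepbx_security\.NOTICE\]: Authentication failure for .* from " + HOST_RE
)


def parse_failures(log_text):
    """Return (timestamp, host) for every line the filter would count as a failure."""
    failures = []
    for line in log_text.splitlines():
        date_m = DATE_RE.match(line)
        fail_m = FAIL_RE.search(line)
        if date_m and fail_m:
            ts = datetime.strptime(date_m.group("date"), DATE_FMT)
            failures.append((ts, fail_m.group("host")))
    return failures


def compute_bans(failures, findtime=600, maxretry=3, bantime=600):
    """Replay the jail logic: a host is banned once it has maxretry failures
    inside any findtime-second window, and the ban lasts bantime seconds.
    Returns {host: (banned_at, expires_at)} for the most recent ban per host."""
    window = defaultdict(deque)
    bans = {}
    for ts, host in sorted(failures):
        if host in bans and ts < bans[host][1]:
            continue  # still banned; iptables would have dropped this attempt
        q = window[host]
        q.append(ts)
        # drop attempts older than findtime relative to the newest one
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
            q.clear()
    return bans


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print(f"{len(found)} lines matched the failregex")
    for host, (start, end) in compute_bans(found).items():
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Running it shows 6 matching lines, a ban for 203.0.113.7 starting at 10:15:20, and no ban for 198.51.100.9, because its three failures never fall inside one 600-second window. Against the real log and filter, Fail2ban's own tester does the matching part: `fail2ban-regex /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/freepbx.conf`.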