Get help with installing, upgrading and running a PBX such as Asterisk.
User avatar
By @UKVoIPForums
Posts Likes Avatar Topics
#5833
What is Fail2Ban
Fail2ban is a log-parsing application that monitors system logs for symptoms of an automated attack on your server. When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently. Fail2ban can also alert you through email that an attack is occurring.

Install Fail2ban
You can Install Fail2ban by running the following command:
sudo apt-get install fail2ban

Configure Fail2ban
Fail2ban reads .conf configuration files first, then .local files override any settings contained within the original .conf files. Because of this, all changes to the configuration are generally done in .local files, leaving the .conf files untouched. Create your own .local configuration file by running the following command:
sudo nano /etc/fail2ban/jail.local

Copy and paste the following into your jail.local file:
Code: Select all
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not                          
# ban a host which matches an address in this list. Several addresses can be                             
# defined using space separator.
                                                                         
ignoreip = 127.0.0.1/8 ::1

[asterisk]
enabled   = true
filter    = asterisk
action    = iptables-asterisk[name=asterisk]
logpath   = /var/log/asterisk/security_log
bantime   = 31536000
findtime  = 86400
maxretry  = 3

[sshd]
enabled   = true
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
banaction = iptables-allports
bantime   = 31536000
findtime  = 86400
maxretry  = 3

[freepbx]
enabled   = true
port      = http,https
filter    = freepbx
logpath   = /var/log/asterisk/freepbx_security.log
bantime   = 31536000
findtime  = 86400
maxretry  = 3
Save the file by pressing "CTR O" followed by "Enter".
Exit nano by pressing "CTR X".

Five more configuration files are required, one for "Freepbx" and the rest are for "Asterisk". Lets create the first (Freepbx) configuration file by running the following command:
sudo nano /etc/fail2ban/filter.d/freepbx.conf

Copy and paste the following into your freepbx.conf file:
Code: Select all
[INCLUDES]
before = common.conf

[Definition]
datepattern = ^\[%%Y-%%b-%%d %%H:%%M:%%S\]

failregex = \[freepbx_security\.NOTICE\]: Authentication failure for .* from <HOST>
Save the file by pressing "CTR O" followed by "Enter".
Exit nano by pressing "CTR X".

So just like before, lets create the second (Asterisk) configuration file by running the following command:
sudo nano /etc/fail2ban/filter.d/asterisk.conf

Copy and paste the following into your asterisk.conf file:
Code: Select all
# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* <HOST> failed to authenticate as '.*'$
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
        NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
        NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
        NOTICE.* .*: <HOST> failed to authenticate as '.*'
        NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
        SECURITY.* .*: SecurityEvent="ChallengeSent",.*,.*,Service="(PJ)?SIP",.*,AccountID="<unknown>",.*,.*,RemoteAddress=".*/.*/<HOST>/.*",Challenge=""
        SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="(PJ)?SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"
        SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="(PJ)?SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
        SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="(PJ)?SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
Save the file by pressing "CTR O" followed by "Enter".
Exit nano by pressing "CTR X".

Lets create the third (Asterisk) configuration file by running the following command:
sudo nano /etc/fail2ban/action.d/iptables-asterisk.conf

Copy and paste the following into your iptables-asterisk.conf file:
Code: Select all
# Fail2Ban configuration file
#
# Author: Razvan Turtureanu
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I <chain> -p tcp --dport 5061 -j fail2ban-<name>
          iptables -I <chain> -p udp --dport 5060 -j fail2ban-<name>
          iptables -I <chain> -p tcp --dport 5060 -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p tcp --dport 5061 -j fail2ban-<name>
         iptables -D <chain> -p udp --dport 5060 -j fail2ban-<name>
         iptables -D <chain> -p tcp --dport 5060 -j fail2ban-<name>
         iptables -F fail2ban-<name>
         iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
Save the file by pressing "CTR O" followed by "Enter".
Exit nano by pressing "CTR X".

lets create the fourth (Asterisk) configuration file by running the following command:
sudo nano /etc/asterisk/logger_logfiles_custom.conf

Copy and paste the following into your logger_logfiles_custom.conf file:
Code: Select all
security_log => SECURITY,NOTICE
Save the file by pressing "CTR O" followed by "Enter".
Exit nano by pressing "CTR X".

Finally lets create the fifth (Asterisk) configuration file by running the following command:
sudo nano /etc/logrotate.d/asterisk_security

Copy and paste the following into your asterisk_security file:
Code: Select all
/var/log/asterisk/security_log {
daily
missingok
rotate 2
size 2000k
sharedscripts
su asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
Save the file by pressing "CTR O" followed by "Enter".
Exit nano by pressing "CTR X".

Now reboot your system by running the following command:
sudo reboot

Thats it! Now, if anyone attempts to brute-force your server (SIP, Web, SSH), their ip address will be banned for 1 day (86400 seconds) after 3 failed attempts.

----------------------------------------

As a courtesy I have added some useful information and popular Fail2ban commands below.

File permissions and owner/group information:
/etc/fail2ban/jail.local = rw-r--r-- root root
/etc/fail2ban/filter.d/freepbx.conf = rw-r--r-- root root
/etc/fail2ban/filter.d/asterisk.conf = rw-r--r-- root root
/etc/fail2ban/action.d/iptables-asterisk.conf = rw-r--r-- root root
/etc/asterisk/logger_logfiles_custom.conf = rw-rw-r-- asterisk asterisk
/etc/logrotate.d/asterisk_security = rw-r--r-- root root

Basic Fail2ban commands:
Start Fail2ban = sudo service fail2ban start
Stop Fail2ban = sudo service fail2ban stop
Restart Fail2ban = sudo service fail2ban restart

Get the current status of an individual jail:
FreePBX status = sudo fail2ban-client status freepbx
Asterisk status = sudo fail2ban-client status asterisk
SSHD status = sudo fail2ban-client status sshd

Ban/Unban IP addresses:
Ban IP = sudo fail2ban-client set *YOURJAILNAMEHERE banip IPADDRESSHERE
Unban IP = sudo fail2ban-client set *YOURJAILNAMEHERE unbanip IPADDRESSHERE

*Replace YOURJAILNAMEHERE with freepbx, asterisk or sshd.
*Replace IPADDRESSHERE with the IP address that you want to ban/unban.
0

Hi Bill, I can definitely advise and help set this up …

Newbie help!

Hello Richard, A good solution for you would be yay.c…

Before you go any further have a read of this: https://…

A few years has passed since my original post and thing…

Sign up for VIP membership