Fail2ban – Intrusion attempts against Asterisk
Posted on July 5, 2012
You can find directions for doing this in several places, and I debated whether or not I wanted to post this anywhere. But while walking through this install with some interns and poking through a number of different log files, I noticed that the regular expressions being used were a little out of date for some of the current "attack" formatting we were seeing.
I made some changes to the regex portion that I think will be beneficial in finding and blocking more instances of intrusion attempts (as of May 2012).
This is on a CentOS 5.8 box with the tools needed to compile and run Asterisk already installed.
see: http://www.fail2ban.org/wiki/index.php/Main_Page
First install the repository package for Extra Packages for Enterprise Linux 5, i386 ("EPEL").
(Of course you can also download a source tarball from fail2ban.org and build from there, but that is a different post.)
[root]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
Retrieving http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
warning: /var/tmp/rpm-xfer.U0EYpN: Header V3 DSA signature: NOKEY, key ID 217521f6
Preparing… ########################################### [100%]
1:epel-release ########################################### [100%]
Now check that it has added itself to your repositories. Note the NOKEY warning above: rpm could not verify the signature on epel-release because the EPEL signing key was not yet on the box. The key is imported during the yum install below, from the key file that this very package shipped, so until then the trust rests entirely on the download having been the right file. Importing the EPEL key from a source you already trust before this step closes that gap.
[root]# yum repolist
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
* base: mirrors.cat.pdx.edu
* epel: linux.mirrors.es.net
* extras: centos.mirror.freedomvoice.com
* updates: mirrors.ecvps.com
epel | 3.4 kB 00:00
epel/primary_db | 3.1 MB 00:00
repo id repo name status
addons CentOS-5 – Addons enabled: 0
asterisk-current CentOS-5 – Asterisk – Current enabled: 562
base CentOS-5 – Base enabled: 2,725
digium-current CentOS-5 – Digium – Current enabled: 461
epel Extra Packages for Enterprise Linux 5 – i386 enabled: 5,728
extras CentOS-5 – Extras enabled: 282
updates CentOS-5 – Updates enabled: 510
repolist: 10,268
Now that we have added the repository we should be able to yum install fail2ban... let's see.
(Python itself is already installed on this machine; what yum pulls in are the python-inotify and python-ctypes modules fail2ban needs, plus shorewall, which the EPEL 5 fail2ban package depends on.)
[root]# yum install fail2ban
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
* base: centos.mirrors.hoobly.com
* epel: mirror.pnl.gov
* extras: centos.mirror.freedomvoice.com
* updates: mirrors.ecvps.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.4-29.el5 set to be updated
--> Processing Dependency: shorewall for package: fail2ban
--> Processing Dependency: python-inotify for package: fail2ban
--> Running transaction check
---> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
--> Processing Dependency: python-ctypes for package: python-inotify
---> Package shorewall.noarch 0:4.0.15-1.el5 set to be updated
--> Processing Dependency: shorewall-perl = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-shell = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-common = 4.0.15-1.el5 for package: shorewall
--> Running transaction check
---> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
---> Package shorewall-common.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-perl.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-shell.noarch 0:4.0.15-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved
============================================================================================
Package Arch Version Repository Size
============================================================================================
Installing:
fail2ban noarch 0.8.4-29.el5 epel 136 k
Installing for dependencies:
python-ctypes i386 1.0.2-3.el5 base 207 k
python-inotify noarch 0.9.1-1.el5 epel 86 k
shorewall noarch 4.0.15-1.el5 epel 9.2 k
shorewall-common noarch 4.0.15-1.el5 epel 232 k
shorewall-perl noarch 4.0.15-1.el5 epel 137 k
shorewall-shell noarch 4.0.15-1.el5 epel 76 k

Transaction Summary
============================================================================================
Install 7 Package(s)
Upgrade 0 Package(s)

Total download size: 883 k
Is this ok [y/N]: y
Downloading Packages:
(1/7): shorewall-4.0.15-1.el5.noarch.rpm | 9.2 kB 00:00
(2/7): shorewall-shell-4.0.15-1.el5.noarch.rpm | 76 kB 00:00
(3/7): python-inotify-0.9.1-1.el5.noarch.rpm | 86 kB 00:00
(4/7): fail2ban-0.8.4-29.el5.noarch.rpm | 136 kB 00:00
(5/7): shorewall-perl-4.0.15-1.el5.noarch.rpm | 137 kB 00:00
(6/7): python-ctypes-1.0.2-3.el5.i386.rpm | 207 kB 00:00
(7/7): shorewall-common-4.0.15-1.el5.noarch.rpm | 232 kB 00:00
———————————————————————————————————————————
Total 656 kB/s | 883 kB 00:01
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6
epel/gpgkey | 1.7 kB 00:00
Importing GPG key 0x217521F6 “Fedora EPEL <epel@fedoraproject.org>” from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : shorewall-common 1/7
Installing : python-ctypes 2/7
Installing : python-inotify 3/7
Installing : shorewall-shell 4/7
Installing : shorewall-perl 5/7
Installing : shorewall 6/7
Installing : fail2ban 7/7

Installed:
fail2ban.noarch 0:0.8.4-29.el5

Dependency Installed:
python-ctypes.i386 0:1.0.2-3.el5 python-inotify.noarch 0:0.9.1-1.el5 shorewall.noarch 0:4.0.15-1.el5 shorewall-common.noarch 0:4.0.15-1.el5
shorewall-perl.noarch 0:4.0.15-1.el5 shorewall-shell.noarch 0:4.0.15-1.el5

Complete!
[root]#
Take a look at these URLs for slightly different approaches:
http://alnazmin.blogspot.com/2011/05/install-fail2ban-on-centos-55.html
http://www.markinthedark.nl/news/ubuntu-linux-unix/70-configure-fail2ban-for-asterisk-centos-5.html
http://asbadr.wordpress.com/2012/04/23/fail2ban-for-asterisk-on-centos-and-gentoo/
I edited /etc/fail2ban/filter.d/asterisk.conf to reflect some localizations and to add to the regular expressions fail2ban uses when it reads the log files for indications of an 'attack'. If you copy the filter from a web page, make sure the quotes and the hyphen in each failregex line are plain ASCII (' " and -), which is what Asterisk writes to its log; typographic quotes will silently match nothing. Note also the variants with '<HOST>\:.*': Asterisk 1.8 logs the peer as 'address:port', and fail2ban can only ban what it can turn into an address, so the port has to be matched outside the <HOST> tag.
[root]# vi /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>\:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>\:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
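To see what these failregex lines actually do to a log, here is an added example (my own code, not part of the post and not fail2ban's): it expands <HOST> with the alias quoted in the filter's comment, runs four of the post's patterns over constructed Asterisk-style log lines, and mimics the match-then-resolve step of fail2ban 0.8, which only bans a match whose captured host it can turn into an address (the real code also tries a DNS lookup, skipped here to stay offline). The sample lines, the IP addresses in them and the two extra pattern sets are my assumptions. It goes a little beyond the post: it shows that the Asterisk 1.8 'address:port' form leaves the plain 'Wrong password' pattern matching but unbannable, that a second port-aware line in the post's own '<HOST>\:.*' style fixes it, and that the tempting shortcut '<HOST>(:\d{1,5})?' does not work with this version's '\S+' alias because the greedy match swallows the port first.

```python
import ipaddress
import re

# Alias fail2ban substitutes for <HOST>, quoted from the comment block of
# /etc/fail2ban/filter.d/asterisk.conf above.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Four of the post's failregex lines, in the plain ASCII quotes the file must use.
POST_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>\:.*' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
]

# Assumed addition (not in the post): the port-aware variant the post already
# has for "No matching peer found", applied to "Wrong password" as well.
FIXED_FAILREGEX = POST_FAILREGEX + [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>\:.*' - Wrong password",
]

# Tempting shortcut that does NOT work with this alias: the greedy \S+ inside
# <HOST> swallows ":5060" before the optional group gets a chance.
NAIVE_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d{1,5})?' - Wrong password",
]

# Constructed sample lines in Asterisk's log format (not taken from the post).
# Line 2 is the Asterisk 1.8 form, where the peer address carries a port.
SAMPLE_LOG = [
    "[May 14 10:21:33] NOTICE[2345] chan_sip.c: Registration from '\"100\"<sip:100@10.0.0.5>' failed for '203.0.113.7' - Wrong password",
    "[May 14 10:21:34] NOTICE[2345] chan_sip.c: Registration from '\"100\"<sip:100@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password",
    "[May 14 10:21:35] NOTICE[2345] chan_sip.c: Registration from '\"1001\"<sip:1001@10.0.0.5>' failed for '198.51.100.23:5060' - No matching peer found",
    "[May 14 10:21:36] NOTICE[2345] chan_sip.c: 192.0.2.44 failed to authenticate as 'admin'",
    "[May 14 10:21:37] VERBOSE[2345] -- Registered SIP '100' at 10.0.0.5:5060",
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def bannable_ip(host):
    """fail2ban can only ban an address it can derive from the captured text.
    An IP literal is usable; '203.0.113.7:5060' is not. Returns the IP or None."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def find_failure(line, compiled):
    """Mimic fail2ban 0.8's findFailure(): try the failregex list in order and
    stop at the first match whose host is usable. Returns (ip, None) on a
    usable match, (None, host) when every match captured an unusable host,
    and (None, None) when nothing matched."""
    unusable = None
    for rx in compiled:
        m = rx.search(line)
        if m is None:
            continue
        ip = bannable_ip(m.group("host"))
        if ip is not None:
            return ip, None
        unusable = m.group("host")
    return None, unusable


def scan(lines, patterns):
    """Return ({ip: failure_count}, [hosts that matched but cannot be banned])."""
    compiled = compile_failregex(patterns)
    hits, unusable = {}, []
    for line in lines:
        ip, bad = find_failure(line, compiled)
        if ip is not None:
            hits[ip] = hits.get(ip, 0) + 1
        elif bad is not None:
            unusable.append(bad)
    return hits, unusable


if __name__ == "__main__":
    for label, patterns in (("post", POST_FAILREGEX), ("fixed", FIXED_FAILREGEX), ("naive", NAIVE_FAILREGEX)):
        hits, bad = scan(SAMPLE_LOG, patterns)
        print(label, hits, "not bannable:", bad)
```

With the post's patterns the 1.8-style 'Wrong password' line is matched but reported as not bannable, exactly the case where a jail looks healthy in the logs yet never bans anybody; the "No matching peer found" line with a port is rescued by the post's '\:.*' variant because fail2ban keeps trying later failregex lines when the captured host is unusable. Run a real /var/log/asterisk/full extract through scan() to see which of your log formats the filter covers.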
Then edit /etc/fail2ban/jail.conf to enable the jail and enter appropriate email addresses, ban times, etc. bantime is in seconds, so 259200 is 72 hours; the name=ASTERISK argument is what the iptables chain you will see below is named after.
[root]# vi /etc/fail2ban/jail.conf
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=someemail@2bridgestech.com, sender=fail2ban@ourcustomer.org]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200
Don't forget to check the email address in the ssh jail as well, since SSH notices are reported to whatever is configured there.
Now when I start fail2ban I get:
[root]# service fail2ban start
Starting fail2ban: [ OK ]
Then I want to take a quick look at iptables to see if fail2ban is showing up there.
[root@localhost filter.d]# iptables -L -v
Chain INPUT (policy ACCEPT 438 packets, 33411 bytes)
pkts bytes target prot opt in out source destination
438 33411 fail2ban-ASTERISK all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 217 packets, 24088 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ASTERISK (1 references)
pkts bytes target prot opt in out source destination
438 33411 RETURN all -- any any anywhere anywhere
Chain fail2ban-SSH (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere
[root]#
Now you can test the setup by running the log file through the filter we defined:
[root]# fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf
If the log file is huge this can take quite a while and max out the CPU, so be careful. It is better to find some 'failed to authenticate' entries in the log, copy them into a new, much smaller file and test against that; fail2ban-regex reports the addresses it found, so you can check that each failregex line hits the entries you expect.
Also, to look at a configuration file without comments, try this command (replace jail.conf with the file you want to look at).
The "#" can be changed to whatever comment character the file uses; the second grep is anchored so that only comment lines are dropped, not every line that happens to contain a "#", and the first grep removes blank lines:
[root]# grep -v '^$' jail.conf | grep -v '^[[:space:]]*#' | more
Hope this helps someone.