{"id":266,"date":"2012-07-05T23:01:48","date_gmt":"2012-07-06T06:01:48","guid":{"rendered":"https:\/\/analogman.org\/?p=266"},"modified":"2012-07-05T23:01:48","modified_gmt":"2012-07-06T06:01:48","slug":"fail2ban-intrusion-attempts-against-asterisk","status":"publish","type":"post","link":"https:\/\/www.analogman.org\/?p=266","title":{"rendered":"Fail2ban – Intrusion attempts against Asterisk"},"content":{"rendered":"

You can find directions for doing this is several places and I debated whether or not I wanted to post this anywhere but in the process of walking through this\u00a0install for some interns and poking through a number of different log files I noted that the regular expressions being used were a little out of date for some of the current “attack” formatting that we were seeing.<\/p>\n

I made some changes to the regex portion that I think will be beneficial in finding and blocking more instances of intrusion attempts. ( as of May 2012)<\/p>\n

This is on a CentOS box running 5.8 with the tools needed to compile and run asterisk already installed.<\/p>\n

see:\u00a0http:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page<\/a> <\/em><\/strong><\/p>\n

First install the extra packages for enterprise Linux 5 – i386 “epel”<\/p>\n

(of course you can also download a source file from fail2ban.org and go from there – but that is a different post)<\/p>\n

[root]# rpm -Uvh http:\/\/dl.fedoraproject.org\/pub\/epel\/5\/i386\/epel-release-5-4.noarch.rpm<\/strong><\/p>\n

Retrieving http:\/\/dl.fedoraproject.org\/pub\/epel\/5\/i386\/epel-release-5-4.noarch.rpm
\nwarning: \/var\/tmp\/rpm-xfer.U0EYpN: Header V3 DSA signature: NOKEY, key ID 217521f6
\nPreparing… ########################################### [100%]
\n1:epel-release ########################################### [100%]
\nnow check to make sure it has added itself to your repositories
\n[root]# yum repolist
\nLoaded plugins: fastestmirror, kmod
\nLoading mirror speeds from cached hostfile
\n* base: mirrors.cat.pdx.edu
\n* epel: linux.mirrors.es.net
\n* extras: centos.mirror.freedomvoice.com
\n* updates: mirrors.ecvps.com
\nepel | 3.4 kB 00:00
\nepel\/primary_db | 3.1 MB 00:00
\nrepo id repo name status
\naddons CentOS-5 – Addons enabled: 0
\nasterisk-current CentOS-5 – Asterisk – Current enabled: 562
\nbase CentOS-5 – Base enabled: 2,725
\ndigium-current CentOS-5 – Digium – Current enabled: 461
\nepel Extra Packages for Enterprise Linux 5 – i386 enabled: 5,728
\nextras CentOS-5 – Extras enabled: 282
\nupdates CentOS-5 – Updates enabled: 510
\nrepolist: 10,268<\/p><\/blockquote>\n

Now that we have modified the repositories we should be able to yum install fail2ban…lets see
\n(ok we needed python – which happens to already be installed on this machine – note that it is be updated with this installation)<\/p>\n

[root]# yum install fail2ban<\/strong><\/p>\n

Loaded plugins: fastestmirror, kmod
\nLoading mirror speeds from cached hostfile
\n* base: centos.mirrors.hoobly.com
\n* epel: mirror.pnl.gov
\n* extras: centos.mirror.freedomvoice.com
\n* updates: mirrors.ecvps.com
\nSetting up Install Process
\nResolving Dependencies
\n–> Running transaction check
\n—> Package fail2ban.noarch 0:0.8.4-29.el5 set to be updated
\n–> Processing Dependency: shorewall for package: fail2ban
\n–> Processing Dependency: python-inotify for package: fail2ban
\n–> Running transaction checkcd
\n—> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
\n–> Processing Dependency: python-ctypes for package: python-inotify
\n—> Package shorewall.noarch 0:4.0.15-1.el5 set to be updated
\n–> Processing Dependency: shorewall-perl = 4.0.15-1.el5 for package: shorewall
\n–> Processing Dependency: shorewall-shell = 4.0.15-1.el5 for package: shorewall
\n–> Processing Dependency: shorewall-common = 4.0.15-1.el5 for package: shorewall
\n–> Running transaction check
\n—> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
\n—> Package shorewall-common.noarch 0:4.0.15-1.el5 set to be updated
\n—> Package shorewall-perl.noarch 0:4.0.15-1.el5 set to be updated
\n—> Package shorewall-shell.noarch 0:4.0.15-1.el5 set to be updated
\n–> Finished Dependency Resolution<\/p>\n

Dependencies Resolved<\/p>\n

============================================================================================
\nPackage Arch Version Repository Size
\n============================================================================================
\nInstalling:
\nfail2ban noarch 0.8.4-29.el5 epel 136 k
\nInstalling for dependencies:
\npython-ctypes i386 1.0.2-3.el5 base 207 k
\npython-inotify noarch 0.9.1-1.el5 epel 86 k
\nshorewall noarch 4.0.15-1.el5 epel 9.2 k
\nshorewall-common noarch 4.0.15-1.el5 epel 232 k
\nshorewall-perl noarch 4.0.15-1.el5 epel 137 k
\nshorewall-shell noarch 4.0.15-1.el5 epel 76 k<\/p>\n

Transaction Summary
\n============================================================================================
\nInstall 7 Package(s)
\nUpgrade 0 Package(s)<\/p>\n

Total download size: 883 k<\/p><\/blockquote>\n

Is this ok [y\/N]: y<\/strong><\/p>\n

Downloading Packages:
\n(1\/7): shorewall-4.0.15-1.el5.noarch.rpm | 9.2 kB 00:00
\n(2\/7): shorewall-shell-4.0.15-1.el5.noarch.rpm | 76 kB 00:00
\n(3\/7): python-inotify-0.9.1-1.el5.noarch.rpm | 86 kB 00:00
\n(4\/7): fail2ban-0.8.4-29.el5.noarch.rpm | 136 kB 00:00
\n(5\/7): shorewall-perl-4.0.15-1.el5.noarch.rpm | 137 kB 00:00
\n(6\/7): python-ctypes-1.0.2-3.el5.i386.rpm | 207 kB 00:00
\n(7\/7): shorewall-common-4.0.15-1.el5.noarch.rpm | 232 kB 00:00
\n———————————————————————————————————————————
\nTotal 656 kB\/s | 883 kB 00:01
\nwarning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6
\nepel\/gpgkey | 1.7 kB 00:00
\nImporting GPG key 0x217521F6 “Fedora EPEL <epel@fedoraproject.org>” from \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-EPEL<\/p><\/blockquote>\n

Is this ok [y\/N]: y<\/strong><\/p>\n

Running rpm_check_debug
\nRunning Transaction Test
\nFinished Transaction Test
\nTransaction Test Succeeded
\nRunning Transaction
\nInstalling : shorewall-common 1\/7
\nInstalling : python-ctypes 2\/7
\nInstalling : python-inotify 3\/7
\nInstalling : shorewall-shell 4\/7
\nInstalling : shorewall-perl 5\/7
\nInstalling : shorewall 6\/7
\nInstalling : fail2ban 7\/7<\/p>\n

Installed:
\nfail2ban.noarch 0:0.8.4-29.el5<\/p>\n

Dependency Installed:
\npython-ctypes.i386 0:1.0.2-3.el5 python-inotify.noarch 0:0.9.1-1.el5 shorewall.noarch 0:4.0.15-1.el5 shorewall-common.noarch 0:4.0.15-1.el5
\nshorewall-perl.noarch 0:4.0.15-1.el5 shorewall-shell.noarch 0:4.0.15-1.el5<\/p>\n

Complete!<\/p><\/blockquote>\n

[root]#<\/p>\n

Take a look at these urls for slightly different approaches:<\/p>\n

http:\/\/alnazmin.blogspot.com\/2011\/05\/install-fail2ban-on-centos-55.html<\/a><\/p>\n

http:\/\/www.markinthedark.nl\/news\/ubuntu-linux-unix\/70-configure-fail2ban-for-asterisk-centos-5.html<\/a><\/p>\n

http:\/\/asbadr.wordpress.com\/2012\/04\/23\/fail2ban-for-asterisk-on-centos-and-gentoo\/<\/a><\/p>\n

I edited the \/etc\/fail2ban\/filter.d\/asterisk.conf file in order to reflect some localizations as well as some additions to the\u00a0regular expressions used when fail2ban is looking at the log files to match indications of an ‘attack’<\/p>\n

[root]# vi \/etc\/fail2ban\/filter.d\/asterisk.conf
\n<\/strong>
\n# Fail2Ban configuration file
\n#
\n#
\n# $Revision: 250 $
\n#<\/p>\n

[INCLUDES]<\/p>\n

# Read common prefixes. If any customizations available — read them from
\n# common.local
\n#before = common.conf<\/p>\n

[Definition]<\/p>\n

#_daemon = asterisk<\/p>\n

# Option: failregex
\n# Notes.: regex to match the password failures messages in the logfile. The
\n# host must be matched by a group named “host”. The tag “<HOST>” can
\n# be used for standard IP\/hostname matching and is only an alias for
\n# (?:::f{4,6}:)?(?P<host>\\S+)
\n# Values: TEXT
\n#<\/p>\n

failregex = NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Wrong password
\nNOTICE.* .*: Registration from ‘\\”.*\\”.*’ failed for ‘<HOST>’ – Wrong password
\nNOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – No matching peer found
\nNOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>\\:.*’ – No matching peer found
\nNOTICE.* .*: Registration from ‘\\”.*\\”.*’ failed for ‘<HOST>’ – No matching peer found
\nNOTICE.* .*: Registration from ‘\\”.*\\”.*’ failed for ‘<HOST>\\:.*’ – No matching peer found
\nNOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Username\/auth name mismatch
\nNOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Device does not match ACL
\nNOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Peer is not supposed to register
\nNOTICE.* <HOST> failed to authenticate as ‘.*’$
\nNOTICE.* .*: No registration for peer ‘.*’ \\(from <HOST>\\)
\nNOTICE.* .*: Host <HOST> failed MD5 authentication for ‘.*’ (.*)
\nNOTICE.* .*: Failed to authenticate user .*@<HOST>.*
\n# Option: ignoreregex
\n# Notes.: regex to ignore. If this regex matches, the line is ignored.
\n# Values: TEXT
\n#
\nignoreregex =<\/p>\n

Then editing \/etc\/fail2ban\/jail.conf to enter appropriate email addresses, bantimes, etc.
\n[root]# vi \/etc\/fail2ban\/jail.conf<\/strong><\/p>\n

[asterisk-iptables]<\/p>\n

enabled = true
\nfilter = asterisk
\naction = iptables-allports[name=ASTERISK, protocol=all]
\nsendmail-whois[name=ASTERISK, dest=someemail@2bridgestech.com, sender=fail2ban@ourcustomer.org]
\nlogpath = \/var\/log\/asterisk\/full
\nmaxretry = 5
\nbantime = 259200<\/p><\/blockquote>\n

Don’t forget to check the email address for reporting ssh notices as well…<\/p>\n

Now when I start fail2ban I get :<\/p>\n

[root]# service fail2ban start<\/strong><\/p>\n

Starting fail2ban: [ OK ]<\/p>\n

Then I want to take a quick look at iptables to see if fail2ban is showing up there.<\/p>\n

[root@localhost filter.d]# iptables -L -v
\n<\/strong><\/p>\n

Chain INPUT (policy ACCEPT 438 packets, 33411 bytes)
\npkts bytes target prot opt in out source destination
\n438 33411 fail2ban-ASTERISK all — any any anywhere anywhere<\/p>\n

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
\npkts bytes target prot opt in out source destination<\/p>\n

Chain OUTPUT (policy ACCEPT 217 packets, 24088 bytes)
\npkts bytes target prot opt in out source destination<\/p>\n

Chain fail2ban-ASTERISK (1 references)
\npkts bytes target prot opt in out source destination
\n438 33411 RETURN all — any any anywhere anywhere<\/p>\n

Chain fail2ban-SSH (0 references)
\npkts bytes target prot opt in out source destination
\n0 0 RETURN all — any any anywhere anywhere<\/p><\/blockquote>\n

[root]#<\/p>\n

Now you can test the setup by pushing the log file against the filter we defined<\/p>\n

[root]# fail2ban-regex \/var\/log\/asterisk\/full \/etc\/fail2ban\/filter.d\/asterisk.conf<\/strong><\/p>\n

If you have a huge log file this could take quite a while as well as max out the cpu so be careful. You might want to fine some ‘fail to authenticate’ entries in a log file and copy them into a new file to test against that much smaller file…<\/p>\n

Also to take a better look at the configuration files without comments try this command (replace the jail.conf with the file you want to look at) –<\/p>\n

The “#” can be changed to whatever comment char you see in the file; this will also remove \u00a0blank lines from the file<\/p>\n

[root]# grep -v ‘^$’ jail.conf | grep -v “#” | more<\/strong><\/p>\n

Hope this helps someone.<\/p>\n","protected":false},"excerpt":{"rendered":"

You can find directions for doing this is several places and I debated whether or not I wanted to post this anywhere but in the process of walking through this\u00a0install for some interns and poking through a number of different log files I noted that the regular expressions being used were a little out of […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[27,8,10],"tags":[],"class_list":["post-266","post","type-post","status-publish","format-standard","hentry","category-linux","category-mods","category-training"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.analogman.org\/index.php?rest_route=\/wp\/v2\/posts\/266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.analogman.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.analogman.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.analogman.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.analogman.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=266"}],"version-history":[{"count":30,"href":"https:\/\/www.analogman.org\/index.php?rest_route=\/wp\/v2\/posts\/266\/revisions"}],"predecessor-version":[{"id":296,"href":"https:\/\/www.analogman.org\/index.php?rest_route=\/wp\/v2\/posts\/266\/revisions\/296"}],"wp:attachment":[{"href":"https:\/\/www.analogman.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.analogman.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.analogman.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}