» Blocking Asterisk hacking/scanning attempts with fail2ban

Warning – if you follow these instructions fail2ban will, by default, be protecting you against other scans such as ssh attempts. This means though that if you get your IP blocked you will not be able to connect to your server from that IP. Ensure that you whitelist your IP by following the instructions at the end of the post.

Over the past few weeks we have seen a big jump in the scanning of VOIP servers. All of these scans are brute force scanning attempts that first scan for valid extension numbers and then to brute force guess the extension password by repeatedly trying different passwords.

Unfortunately Asterisk doesn’t have anything built-in to prevent these types of scans but it is very good at logging these attempts in the Asterisk logs. This means we can use a free utility called fail2ban and the linux iptables firewall to block IP addresses that make repeated failed login attempts.

Fail2ban is already included in PBX-in-a-Flash but we can also use it with other Asterisk distributions.

Most of the information in this post was taken from here, so please visit for more information.

Here is a quick guide for getting fail2ban blocking Asterisk brute force scanning on a 32 bit CentOS server. You must have iptables installed already.

First we are going to install the rpmforge repository and use the fail2ban package from there –

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

sed -i ‘s/enabled = 0/enabled = 1/’ /etc/yum.repos.d/rpmforge.repo

yum install -y fail2ban jwhois

Now disable the rpmforge repo do that it doesn’t interfere with any of the CentOS/Asterisk packages –

sed -i ‘s/enabled = 1/enabled = 0/’ /etc/yum.repos.d/rpmforge.repo

Next we are going to create the fail2ban configuration file for Asterisk. This tells fail2ban what text to monitor the logs for –

cat >> /etc/fail2ban/filter.d/asterisk.conf <<-EOF

# Fail2Ban configuration file

#

#

# $Revision: 250 $

#

[INCLUDES]

# Read common prefixes. If any customizations available — read them from

# common.local

#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex

# Notes.: regex to match the password failures messages in the logfile. The

# host must be matched by a group named « host ». The tag « <HOST> » can

# be used for standard IP/hostname matching and is only an alias for

# (?:::f{4,6}:)?(?P<host>\S+)

# Values: TEXT

#

failregex = NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Wrong password

NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – No matching peer found

NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Username/auth name mismatch

NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Device does not match ACL

NOTICE.* .*: Registration from ‘.*’ failed for ‘<HOST>’ – Peer is not supposed to register

NOTICE.* <HOST> failed to authenticate as ‘.*’$

NOTICE.* .*: No registration for peer ‘.*’ \(from <HOST>\)

NOTICE.* .*: Host <HOST> failed MD5 authentication for ‘.*’ (.*)

NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option: ignoreregex

# Notes.: regex to ignore. If this regex matches, the line is ignored.

# Values: TEXT

#

ignoreregex =

EOF

Next we are going to add some lines to the jail.conf file that tells fail2ban what log files to monitor and what action to take when the required text is detected. This includes sending an alert e-mail so you may want to change ‘root’ to your e-mail address. It also includes the length of time the IP address is blocked for in seconds. Here we have it set to 3 days, you may want to modify this –

cat >> /etc/fail2ban/jail.conf <<-EOF

[asterisk-iptables]

enabled = true

filter = asterisk

action = iptables-allports[name=ASTERISK, protocol=all]

sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]

logpath = /var/log/asterisk/full

maxretry = 5

bantime = 259200

EOF

Fail2ban needs the date in the Asterisk log files written in a specific format. To do this we can add a line to the ‘General’ section of the Asterisk logger configuration file. If you already have a ‘General’ section in there you will just want to add the line manually rather than running the command below –

cat >> /etc/asterisk/logger.conf <<-EOF

[general]

dateformat=%F %T

EOF

asterisk -rx « logger reload »

Finally we want to fire up fail2ban and set it to start at boot time –

service fail2ban start

chkconfig fail2ban on

One final thing you may want to do is ‘whitelist’ your own IP address/s. You can do this by adding them to the ignoreip line in the jail.conf file. Here’s a couple of lines to do it automatically, just change the IP address here for your own IP address –

sed -i ‘s/ignoreip = /ignoreip = 123.123.123.123 /’ /etc/fail2ban/jail.conf

service fail2ban restart

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

via» Blocking Asterisk hacking/scanning attempts with fail2ban.