Asterisk 11 (FreePBX distribution) fail2ban configuration using the security log.

I’ve been experimenting with Asterisk again, using the FreePBX distro (2.11.0.4).

I have noticed that I get a lot of entries in the Asterisk log that look like this:

[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=e9a98a30
[2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=eebd8857
[2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=243f3815
[2013-07-06 07:19:42] NOTICE[4106][C-00000022] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=a049427e
[2013-07-06 07:19:45] NOTICE[4106][C-00000023] chan_sip.c: Failed to authenticate device 5555<sip:5555@7aaa.bb.ccc.dd>;tag=c3c7f81b
[2013-07-06 07:19:48] NOTICE[4106][C-00000024] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=6be78a0b
[2013-07-06 07:19:49] NOTICE[4106][C-00000025] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=1979ada5

Where, of course, aaa.bb.ccc.dd is the address of my SIP server. Unfortunately, while FreePBX contains a fail2ban module, asterisk doesn’t provide enough information in the log file to act upon these messages.

The way I have got around this involves making some custom modifications to the Asterisk configuration.

Firstly, we need to enable Asterisk (v11) security logging feature:

Edit, /etc/asterisk/logger_logfiles_custom.conf and add the following:

fail2ban2       => security,notice,warning,error

This will create an additional log file, called /var/log/asterisk/fail2ban2

Now we need to edit the fail2ban configuration in /etc/fail2ban to process the security logged items. FreePBX configuration is in jail.local, so we will add ours to jail.conf:

[asterisk11-iptables]
 enabled  = true
 filter   = asterisk11
 action   = iptables-allports[name=SIP, protocol=all]
 sendmail-whois[name=SIP, dest=alerts@example.com, sender=pbx@example.com]
 logpath  = /var/log/asterisk/fail2ban2

Finally, we create a simple regex to get the IP address that we want to ban, and put it in the /etc/fail2/ban/filter.d/asterisk11.conf

# Fail2Ban configuration file 
# 
# 
# $Revision: 250 $ 
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from 
# common.local 
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex 
# Notes.:  regex to match the password failures messages in the logfile. The 
#          host must be matched by a group named "host". The tag "<HOST>" can 
#          be used for standard IP/hostname matching and is only an alias for 
#          (?:::f{4,6}:)?(?P<host>\S+) 
# Values:  TEXT 
# 
failregex = SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/<HOST>/
#VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
# Option:  ignoreregex 
# Notes.:  regex to ignore. If this regex matches, the line is ignored. 
# Values:  TEXT 
# ignoreregex =

That’s it, we now intercept messages like this one from the security log, and manage to ban these device attempts:

[2013-07-06 07:19:42] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373091582935268",Severity="Error",Service="SIP",EventVersion="2",AccountID="00972597103443",SessionID="0x7fa42c001ac8",LocalAddress="IPV4/UDP/aaa.bb.ccc.dd/5060",RemoteAddress="IPV4/UDP/37.8.1.89/5071",Challenge="61074795",ReceivedChallenge="61074795",ReceivedHash="b469462e8e7de800b54eb50ffe46de86"

Join the Conversation

13 Comments

  1. Hi, thanks for the post.
    All works.
    But every day I have lost a string:
    fail2ban2 => security,notice,warning,error
    and I have it every day to recover.
    What to do?

  2. Hi Ralcom,

    It is important that the file you edit is the one that ends in “_custom.conf”, otherwise you will find that the FreePBX GUI will overwrite your changes.

    So in my case I put that line in /etc/asterisk/logger_logfiles_custom.conf

    You might need to create the file if it doesn’t exist.

    If you edit logger_logfiles_additional.conf by mistake then the GUI will overwrite your changes.

    Hope that helps!

    Giles

  3. I edited my conf files with these instructions, not realising how important syntax was and actually broke my fail2ban installation because I was careless.
    Have managed to sort it out, by way of removing a few spaces here and there, but just a heads-up to others out there to TEST YOUR FAIL2BAN AFTERWARDS with the command /etc/init.d/fail2ban start

    Thanks for the tips, though. Glad to be more secure now.

  4. Your blog is very informative but I am a newbie on FreePBX. I just installed 2.11 latest version and unable to access FreePBX via my external IP however I can access the GUI via my local network Server IP. I can also use Putty and SSH to access the Server via root. I need extensive help in determining if I am banned by Fail2ban and how to unban my IP. Thanks.

    1. Hi,

      By running ‘iptables -L’ you should be able to get a list of the banned IPs in the various Jails

      In order to unban an IP you can use the fail2ban-client, look for the actionunban operation in the manual.

      Googling for the above should return various documents about this.

  5. Great tutorial – I have to admit I found this after pulling out much hair with Asterisk 11. Have you compared this to SecAst (www.generationd.com)? Their free version handles all the rules of fail2ban and more – without having to constantly update regex’s etc.

  6. Hi ;

    First off thank you very much for sharing this information . I’ve got the same problem but after using your scripts as well still there are some people trying to get in the server and the script isn’t blocking them .
    I saw on the asterisk11.conf file that the formatting should be a bit different and I should add ” .+?”.* ” at the end so I did that as well but still no result

    fail2ban is still working and blocking IP’s that have the IP addresses in the warning but not the security lines

    I’m very new to asterisk and fail2ban so any help would be much appreciated .

    Thank you

  7. Today, this method works, fail2ban 0.9.6 & asterisk 13.23, not banning this attack. In my case add in jail.local below [asterisk11-iptables] port = 5060,5062… all sip ports i use

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.