Introduction
This guide details how to install fail2ban on a 32-bit CentOS system with Asterisk installed.
It is intended to add an extra level of protection for your Asterisk PBX against being hacked.
Fail2ban can guard most services, such as SSH and SMTP; however, this guide concentrates on protecting Asterisk.
Installation and configuration
1) Install fail2ban: yum install -y fail2ban
2) Create an "asterisk.conf" file in "/etc/fail2ban/filter.d/" that contains the following:
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
3) Edit the /etc/fail2ban/jail.conf file and add the following at the bottom of the file:
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200
4) Next, edit "/etc/asterisk/logger.conf" and add the following at the end of the file:
[general]
dateformat=%F %T
5) Reload the Asterisk logger configuration and start fail2ban:
asterisk -rx "logger reload"
service fail2ban start
Set fail2ban to start up when the machine boots:
chkconfig fail2ban on
Please note that you can set
maxretry = 5
bantime = 259200
to any numbers you like; the values above will ban an IP address that has failed to log in more than 5 times for 3 days (bantime is in seconds).
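To check that the filter above actually catches the log lines it is meant to, here is an added Python example (not part of the original guide and not fail2ban's own code) that applies the same failregex lines to a constructed sample of /var/log/asterisk/full, written with the dateformat set in step 4, and counts failures per host the way a jail with maxretry = 5 would. The peer names, PIDs and IP addresses in the sample are made up.

```python
import re
from collections import Counter

# The "<HOST>" tag in a fail2ban filter is an alias for this group (see the
# filter's own comment); it also swallows an IPv4-mapped "::ffff:" prefix.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines from the asterisk.conf filter above, with ASCII quotes.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed sample of /var/log/asterisk/full with dateformat=%F %T (not real traffic).
SAMPLE_LOG = """\
[2012-03-01 10:15:02] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.7>' failed for '198.51.100.23' - Wrong password
[2012-03-01 10:15:03] NOTICE[2100] chan_sip.c: Registration from '"101" <sip:101@203.0.113.7>' failed for '198.51.100.23' - No matching peer found
[2012-03-01 10:15:03] NOTICE[2100] chan_sip.c: Registration from '"102" <sip:102@203.0.113.7>' failed for '198.51.100.23' - Username/auth name mismatch
[2012-03-01 10:15:04] NOTICE[2100] chan_sip.c: No registration for peer '103' (from 198.51.100.23)
[2012-03-01 10:15:05] NOTICE[2100] chan_sip.c: Host 198.51.100.23 failed MD5 authentication for '104' (deadbeef != cafef00d)
[2012-03-01 10:16:00] NOTICE[2100] chan_sip.c: Registration from '"200" <sip:200@203.0.113.7>' failed for '192.0.2.44' - Wrong password
[2012-03-01 10:16:01] NOTICE[2100] chan_sip.c: Registration from '"200" <sip:200@203.0.113.7>' failed for '::ffff:192.0.2.44' - Device does not match ACL
[2012-03-01 10:16:30] VERBOSE[2100] -- Registered SIP '200' at 192.0.2.44:5060
"""

def failed_host(line):
    """Host extracted by the first matching failregex, or None (timestamp is stripped first, as fail2ban does)."""
    msg = re.sub(r"^\[[^\]]*\]\s*", "", line)
    for rx in COMPILED:
        m = rx.search(msg)
        if m:
            return m.group("host")
    return None

def count_failures(log_text):
    """Failures per host, the counter fail2ban keeps for the jail."""
    return Counter(h for h in map(failed_host, log_text.splitlines()) if h)

def hosts_to_ban(log_text, maxretry=5):
    """Hosts whose count reaches maxretry, which is when fail2ban fires the ban action."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)
```

Running count_failures(SAMPLE_LOG) shows 198.51.100.23 with 5 failures (including the MD5 and "No registration" lines) and 192.0.2.44 with 2, the second of which was recognised through the ::ffff: prefix; only the first host reaches maxretry = 5.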
Enjoy.