Securing Elastix 1.6 using Fail2Ban

Posted on March 28, 2012 by admin

SSH to your VoIP server and log in as root, then type the following commands:

# yum -y install jwhois
# cd /usr/src/
# wget -O fail2ban-0.8.4.tar.bz2 http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download
# tar -jxf fail2ban-0.8.4.tar.bz2
# cd fail2ban-0.8.4
# python setup.py install
# cp /usr/src/fail2ban-0.8.4/files/redhat-initd /etc/init.d/fail2ban
# chmod 755 /etc/init.d/fail2ban
# cd /etc/fail2ban/filter.d
# touch asterisk.conf

Copy these contents into the new file /etc/fail2ban/filter.d/asterisk.conf:

# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Modify the ignoreip line in the [DEFAULT] section and add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file:

# /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600

We'll back up the existing logger.conf file to logger.conf.bak and create a new one:

# mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
# touch /etc/asterisk/logger.conf

Copy these contents into the new file /etc/asterisk/logger.conf:

[general]
dateformat=%F %T
[logfiles]
full => notice,warning,error,debug,verbose
fail2ban => notice

Reload the logger module in Asterisk:

# asterisk -rx "module reload logger"

Add Fail2ban to the list of startup services:

# chkconfig fail2ban on

Start Fail2ban:

# /etc/init.d/fail2ban start

Check that fail2ban is showing up in iptables:

# iptables -L -v

You should see "fail2ban-ASTERISK" in your iptables output.
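Seeing the chain in iptables only proves the jail started; it does not prove the filter matches what Asterisk writes. The following Python dry-run is an added example (not from the original post and not fail2ban's own code): it applies the eight failregex patterns from the asterisk filter above, with the <HOST> alias the filter comment quotes, to constructed log lines in the dateformat=%F %T layout set in logger.conf, then applies the jail's ignoreip and maxretry values to show which hosts would be banned.

```python
import ipaddress
import re

HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"  # what fail2ban 0.8 substitutes for <HOST>
FAILREGEX = [  # the patterns from /etc/fail2ban/filter.d/asterisk.conf above
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
IGNOREIP = ["127.0.0.1", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/16"]  # jail.conf
MAXRETRY = 5  # jail.conf

# Constructed sample lines in the dateformat=%F %T layout set in logger.conf above.
P = "2012-03-28 10:00:0%d NOTICE[2345] chan_sip.c: "
SAMPLE_LOG = [
    P % 1 + "Registration from '\"100\"<sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password",
    P % 2 + "Registration from '<sip:admin@203.0.113.5>' failed for '203.0.113.5' - No matching peer found",
    P % 3 + "203.0.113.5 failed to authenticate as '101'",
    P % 4 + "No registration for peer '102' (from 203.0.113.5)",
    P % 5 + "Host 203.0.113.5 failed MD5 authentication for '103' (got x, expected y)",
    P % 6 + "Failed to authenticate user 104@198.51.100.7",
    P % 7 + "Registration from '<sip:200@192.168.1.20>' failed for '192.168.1.20' - Wrong password",
]

def matched_host(line):
    # Host captured by the first failregex that matches, or None for a harmless line.
    m = next((m for m in (rx.search(line) for rx in COMPILED) if m), None)
    return m.group("host") if m else None

def is_ignored(host):
    # ignoreip entries are never banned; a hostname is not an address and is not covered.
    try:
        return any(ipaddress.ip_address(host) in ipaddress.ip_network(n) for n in IGNOREIP)
    except ValueError:
        return False

def hosts_to_ban(lines, maxretry=MAXRETRY):
    # Hosts with at least maxretry matching failures, i.e. what the jail would ban.
    counts = {}
    for line in lines:
        host = matched_host(line)
        if host and not is_ignored(host):
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

Running hosts_to_ban(SAMPLE_LOG) returns ['203.0.113.5']: the LAN address is exempted by ignoreip and 198.51.100.7 stays under maxretry. A pattern that never captures a host in this dry-run is one to check against the real /var/log/asterisk/fail2ban before relying on it.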