Fail2Ban installation

How to install Fail2Ban
=== SSH to your VoIP server and login as root, then type the following commands ===

yum -y install jwhois
cd /usr/src/
wget -O fail2ban-0.8.4.tar.bz2 http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download   # -O saves the file under its real name instead of "download", so the tar step below finds it
tar -jxf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install
cp /usr/src/fail2ban-0.8.4/files/redhat-initd /etc/init.d/fail2ban
chmod 755 /etc/init.d/fail2ban
cd /etc/fail2ban/filter.d
touch asterisk.conf

Copy these contents into the new file (vi /etc/fail2ban/filter.d/asterisk.conf):
# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
            SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Modify the ignoreip setting in the [DEFAULT] section and add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file:

# /etc/fail2ban/jail.conf
[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime  = 600
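As an added example (not code from the original page or from Fail2Ban itself), the script below applies a subset of the failregex lines from the filter above the way fail2ban does: it expands the <HOST> tag into the named group quoted in the filter notes, skips addresses covered by the ignoreip list from the jail.conf snippet, and reports hosts that reach maxretry. The Asterisk log lines are constructed for the demonstration, and the findtime window that fail2ban also applies is left out.

```python
import ipaddress
import re
# fail2ban expands the <HOST> tag into this named group (see the filter notes above)
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
# A subset of the failregex lines from the asterisk.conf filter above
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r'SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]
# ignoreip from the jail.conf snippet above
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/16")]

def matched_host(line):
    # Return the <HOST> capture of the first failregex that matches, else None
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def is_ignored(host):
    # Mirror the jail's ignoreip check; a host string that is not an IP literal is simply not ignored
    try:
        return any(ipaddress.ip_address(host) in net for net in IGNOREIP)
    except ValueError:
        return False

def hosts_to_ban(lines, maxretry=5):
    # Count matching lines per host and return those at or above maxretry (no findtime window here)
    counts = {}
    for line in lines:
        host = matched_host(line)
        if host and not is_ignored(host):
            counts[host] = counts.get(host, 0) + 1
    return {h: n for h, n in counts.items() if n >= maxretry}

# Constructed sample lines in the layout of /var/log/asterisk/full (not real log data)
SAMPLE_LOG = [
    "[2013-05-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password",
    "[2013-05-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '\"admin\" <sip:admin@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found",
    "[2013-05-01 10:00:03] NOTICE[1234] chan_sip.c: No registration for peer '100' (from 198.51.100.23)",
    "[2013-05-01 10:00:04] NOTICE[1234] chan_sip.c: 198.51.100.23 failed to authenticate as '100'",
    '[2013-05-01 10:00:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1367402405-0",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7f0f40014f08",LocalAddress="IPV4/UDP/203.0.113.5/5060",RemoteAddress="IPV4/UDP/198.51.100.23/5060",Challenge="1d8e3b2f",ReceivedChallenge="1d8e3b2f",ReceivedHash="0123abcd"',
    "[2013-05-01 10:00:06] NOTICE[1234] chan_sip.c: Registration from '\"200\" <sip:200@203.0.113.5>' failed for '192.168.1.50:5060' - Wrong password",
    "[2013-05-01 10:00:07] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12 ms / 2000 ms)",
]
```

Running hosts_to_ban(SAMPLE_LOG) returns {'198.51.100.23': 5}: the private 192.168.1.50 attempt is skipped by ignoreip and the "Reachable" line matches nothing, which is the same decision fail2ban makes before calling the iptables-allports action.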

We'll back up the logger.conf file to logger.conf.bak and create a new one:

mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
touch /etc/asterisk/logger.conf

Copy these contents into the new file (nano /etc/asterisk/logger.conf):

;
; Logging Configuration
;
; In this file, you configure logging to files or to
; the syslog system.
;
; For each file, specify what to log.
;
; For console logging, you set options at start of
; Asterisk with -v for verbose and -d for debug
; See 'asterisk -h' for more information.
;
; Directory for log files is configured in asterisk.conf
; option astlogdir
;
[general]
dateformat=%F %T

[logfiles]
;
; Format is "filename" and then "levels" of debugging to be included:
;   debug
;   notice
;   warning
;   error
;   verbose
;
; Special filename "console" represents the system console
;
;debug => debug
; The DTMF log is very handy if you have issues with IVR's
;dtmf => dtmf
;console => notice,warning,error
;console => notice,warning,error,debug
;messages => notice,warning,error
full => notice,warning,error,debug,verbose
;syslog keyword : This special keyword logs to syslog facility
;
;syslog.local0 => notice,warning,error
;
fail2ban => notice

Reload the logger module in Asterisk:
asterisk -rx "module reload logger"

Add Fail2ban to the list of startup services:
chkconfig fail2ban on

Start Fail2ban:
/etc/init.d/fail2ban start

=== Check if fail2ban is showing up in iptables ===
iptables -L -v

You should see "fail2ban-ASTERISK" in your iptables output.

Any hackers that try to brute-force your SIP passwords will now be banned after 5 attempts for 600 seconds (see jail.conf if you want to change these values).

TIP: set bantime = -1 for a permanent ban.

=== How to test if your security is working correctly ===

Download a software SIP client and try to connect to your Elastix box using false credentials. Make sure you don't try this from an IP address that is on the "ignoreip" list (192.168.1.0/24 for instance). If your client gets blocked after 5 attempts and you receive an email saying your IP has been blocked, then you can safely assume that your configuration is working correctly.
