
Saturday, August 14, 2010

Fight against brute force attacks using iptables and fail2ban

BACKGROUND
As a VoIP provider, we inevitably expose our SIP servers to brute force attempts and scans.  Here are some simple steps to scan the Asterisk log with fail2ban and update the iptables rules so that registrations from suspicious IP addresses are rejected.
 
First, download and install Fail2ban from www.fail2ban.org.  Fail2ban scans log files such as /var/log/asterisk/full and /var/log/pwdfail and, by updating the iptables firewall rules, rejects any IP address that makes too many unsuccessful attempts.
 
Install and configure Fail2ban
If you are using Fedora, installing Fail2ban is simple:
 
yum install fail2ban
 
After successful installation, you should see the Fail2ban files in /etc/fail2ban.
 
Then we need to create a filter configuration for Fail2ban so that it recognizes attacks on Asterisk.
 
Go to /etc/fail2ban/filter.d and create a file named asterisk.conf with the contents below.
 
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

This file tells Fail2ban which log patterns indicate brute force attempts.  Unsuccessful registrations are logged in /var/log/asterisk/full as NOTICE lines of the form 'Registration from ... failed for ...', and the <HOST> captured from those lines gives Fail2ban the source IP address to act on.

Next, we need to add the section below to /etc/fail2ban/jail.conf:
 
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@mail.com, sender=fail2ban@your-server-under-protection.com]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime  = 259200

This configuration bans an offending address for 259200 seconds (3 days) and notifies you at you@mail.com when brute force attempts are detected.
 
Setup exclusion in Fail2ban
It is also important to exclude certain IP addresses (such as internal ones) in the [DEFAULT] section of jail.conf.  For example:
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 192.168.0.0/24
 
Configure Asterisk logging
On the Asterisk side, we have to a) modify /etc/asterisk/logger.conf so that it uses a timestamp format Fail2ban recognizes, and b) make Asterisk write the log file named by "logpath  = /var/log/asterisk/full" in jail.conf:

[general]
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
; see strftime(3) Linux manual for format specifiers
dateformat=%F %T
;
[logfiles]
;
; Format is "filename" and then "levels" of debugging to be included:
;    debug
;    notice
;    warning
;    error
;    verbose
;    dtmf
;
; Special filename "console" represents the system console
;
; We highly recommend that you DO NOT turn on debug mode if you are simply
; running a production system.  Debug mode turns on a LOT of extra messages,
; most of which you are unlikely to understand without an understanding of
; the underlying code.  Do NOT report debug messages as code issues, unless
; you have a specific issue that you are attempting to debug.  They are
; messages for just that -- debugging -- and do not rise to the level of
; something that merit your attention as an Asterisk administrator.  Debug
; messages are also very verbose and can and do fill up logfiles quickly;
; this is another reason not to have debug mode on a production system unless
; you are in the process of debugging a specific issue.
;
;debug => debug
console => notice,warning,error
;console => notice,warning,error,debug
;messages => notice,warning,error
full => notice,warning,error,debug,verbose

To apply the new logger.conf, type 'logger reload' in the Asterisk CLI.
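The following Python script is an added example, not part of the original post, that mimics what fail2ban does with the filter, jail and ignoreip settings above: it applies three of the failregex patterns (with <HOST> expanded the way fail2ban does) to constructed log lines in the logger.conf date format, skips the ignoreip ranges, and reports the hosts that reach maxretry failures within findtime (600 seconds, fail2ban's default, which the jail above does not change). The sample log lines, the findtime value and the RFC 5737 test addresses are assumptions.

```python
# Added example (not from the original post): mimics the asterisk filter + jail.
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Three failregex lines from asterisk.conf (parentheses escaped in the third);
# fail2ban expands the <HOST> tag into a named group, and we do the same here.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
]
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
PATTERNS = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]
TS_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")  # dateformat=%F %T
IGNOREIP = [ip_network("127.0.0.1/32"), ip_network("192.168.0.0/24")]

# Constructed sample of /var/log/asterisk/full (RFC 5737 test addresses).
SAMPLE_LOG = ["[2010-08-14 10:00:%02d] NOTICE[2034] chan_sip.c: Registration from "
              "'\"100\"<sip:100@10.0.0.1>' failed for '203.0.113.7' - Wrong password" % s
              for s in range(5)] + [
    "[2010-08-14 10:00:09] NOTICE[2034] chan_sip.c: Registration from "
    "'<sip:200@10.0.0.1>' failed for '198.51.100.3' - No matching peer found",
    "[2010-08-14 10:01:00] NOTICE[2034] chan_sip.c: Host 192.168.0.20 failed "
    "MD5 authentication for 'phone1' (wrong secret)",
    "[2010-08-14 10:01:30] VERBOSE[2034] -- Registered SIP 'phone2' at 10.0.0.2"]

def parse_failure(line):
    """Return (timestamp, host) for an auth-failure line, else None."""
    ts = TS_RE.match(line)
    for pat in PATTERNS:
        m = pat.search(line)
        if ts and m:
            return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts with maxretry failures inside one findtime window, minus ignoreip."""
    hits = {}
    for line in lines:
        if not (parsed := parse_failure(line)):
            continue
        ts, host = parsed
        if any(ip_address(host) in net for net in IGNOREIP):
            continue  # assumes <HOST> captured an IP address, as Asterisk logs one
        hits.setdefault(host, []).append(ts)
    window = timedelta(seconds=findtime)
    return sorted(h for h, t in hits.items()
                  if any(t[i + maxretry - 1] - t[i] <= window
                         for i in range(len(t) - maxretry + 1)))
```

With the sample above only 203.0.113.7 is reported: it fails five times within seconds, while 198.51.100.3 fails once and 192.168.0.20 is covered by ignoreip.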
 
Start and get protected
Now we can turn everything on:
service iptables restart
service fail2ban start
 
Running 'iptables -L -v', we should see something like the output below:
 pkts bytes target     prot opt in     out     source               destination
82337 8101K fail2ban-ASTERISK  all  --  any    any     anywhere             anywhere
 6436  426K fail2ban-SSH  tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
98669 9494K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
  183 10980 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
 2727  419K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
 
Chain OUTPUT (policy ACCEPT 103K packets, 9748K bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain fail2ban-ASTERISK (1 references)
 pkts bytes target     prot opt in     out     source               destination
82337 8101K RETURN     all  --  any    any     anywhere             anywhere
 
Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6436  426K RETURN     all  --  any    any     anywhere             anywhere

It is also a good idea to make iptables and fail2ban start on reboot.
 
chkconfig iptables on
chkconfig fail2ban on
 
# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
# chkconfig --list fail2ban
fail2ban        0:off   1:off   2:on    3:on    4:on    5:on    6:off
 
