LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-24-2010, 10:07 AM   #1
MET
LQ Newbie
 
Registered: May 2010
Posts: 9

Rep: Reputation: 0
Fail2Ban failed to ban Attack on Asterisk, Why ?


My externally hosted vserver runs with Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package-manager. The intention is to use fail2ban with the messages-file from asterisk using /etc/hosts.deny (without iptables).

While I had the settings in jail.conf for manual testing:

maxretry = 3
findtime = 300
bantime = 600

I received an attack which fail2ban didn't block. Here are the logs from the two programs:

Asterisk:
Code:
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
Fail2Ban:
Code:
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
The IP 76.76.96.74 has just been banned by Fail2Ban after
11 attempts against ASTERISK.\n\n
Here are more information about 76.76.96.74:\n
`whois 76.76.96.74`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
...
2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
There are about 40 attacks per second, whereas fail2ban reacts only in about one-second intervals by reporting "already banned". Fail2ban actually did add the IP to the file /etc/hosts.deny. But why then hasn't the IP been blocked? Any suggestions/recommendations to get it working are appreciated.

As you can see in the fail2ban.log I actually also have a problem sending the mail, but that is another subject...

Last edited by MET; 05-24-2010 at 10:21 AM.
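To show why the first post's settings (maxretry = 3, findtime = 300, bantime = 600) trigger the ban within the very first second of the scan, here is an added example that is not MET's code and not fail2ban's shipped asterisk filter: it replays log lines in the same format as the Asterisk messages quoted above through a fail2ban-style sliding window. The regex, the sample lines and the second source address 198.51.100.9 are constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format of the Asterisk messages log quoted in the thread.
LOG = """\
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:06] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:30:00] NOTICE[29225] chan_sip.c: Registration from '"200"<sip:200@12.34.56.78>' failed for '198.51.100.9' - No matching peer found
"""

# Hand-written pattern in the spirit of a fail2ban failregex (assumption: not the shipped filter).
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<host>\d+\.\d+\.\d+\.\d+)' - No matching peer found"
)


def parse_failures(text):
    """Yield (timestamp, host) for every line that matches the failregex."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")


def evaluate(text, maxretry=3, findtime=300, bantime=600):
    """Replay the log through a fail2ban-style window.

    Returns {host: (ban_time, unban_time)} for every host that reaches maxretry
    failures within findtime seconds. Failures from a host that is already banned
    are skipped; on the real system fail2ban keeps matching them and the action
    only reports "already banned", as in the log quoted above.
    """
    window = {}  # host -> failure timestamps still inside findtime
    bans = {}
    for ts, host in parse_failures(text):
        if host in bans:
            continue
        recent = [t for t in window.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans
```

With a scanner sending tens of registrations per second, the third failure lands in the same second as the first, so the ban decision is not the bottleneck; what matters is whether the ban action actually stops traffic.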
 
Old 05-24-2010, 11:00 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
Quote:
Originally Posted by MET View Post
Fail2ban actually did add the IP in the File /etc/hosts.deny. But why then hasn't the IP been blocked?
See http://www.linuxquestions.org/questi...4/#post2277412, post #2.


Quote:
Originally Posted by MET View Post
Any suggestions/recommendations to get it working are appreciated.
I second http://www.linuxquestions.org/questi...0/#post1402937, post #3: use iptables. Besides, /etc/hosts.deny as a file or "interface" was never meant for this kind of stuff.
 
Old 05-24-2010, 12:26 PM   #3
MET
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Thank you, unSpawn, for indicating that this sort of ban has really to be done using iptables. At this point I need some further help. I don't know much about Linux. I only use it on the vserver to run asterisk. When I did set up Debian lenny, I added also with the package-manager fail2ban 0.8.3 and iptables 1.4.2. Unfortunately I couldn't find out how to start iptables. Some instructions indicate
/etc/init.d/iptables start
but my version has no entry there. I found that for my version the iptables-scripts/programs are in the /sbin/ folder but commands like start or reload are not recognised.

I learned that with the following command one can check whether iptables is working or not:
Code:
vs8709:~# iptables -L -v
iptables v1.4.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
This doesn't seem to be the case.

What do I have to do to get iptables to work for fail2ban (only), or rather fail2ban to work with iptables? Do I understand it correctly that in this particular case it isn't necessary to add some rules for iptables since those are generated by fail2ban?

Last edited by MET; 05-24-2010 at 01:43 PM.
 
Old 05-24-2010, 03:22 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
For vserver and iptables see this vserver FAQ entry (basically: no, or rather at the vserver host level). In this list of vserver providers you can find some that will provide iptables functionality if your own provider can not or does not want to.
 
Old 05-24-2010, 04:37 PM   #5
MET
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks, unSpawn, for your short and clarifying answer to a long question ...
 
Old 05-24-2010, 05:00 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
You're welcome. We did beat the other fora didn't we? I mean considering you posted this all around ;-p (Mind you, not that I do give a rats ass about beating cross-posted threads.)

Last edited by unSpawn; 05-24-2010 at 05:01 PM.
 
Old 05-24-2010, 05:28 PM   #7
MET
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
You're welcome. We did beat the other fora didn't we?
Yes, you did indeed ;-) After 10 days working on it I finally found "somewhere" an answer. I will remember this forum, which I didn't know before ... Thanks again!
 
Old 05-24-2010, 05:57 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
You're welcome. What are you going to do BTW? Moving provider? Or are you pondering any alternatives I don't know about?
 
Old 05-25-2010, 03:10 AM   #9
MET
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Your short questions require a longer reply.
The easiest way to block such attacks is in asterisk itself, with the following setting in sip.conf (see here):
alwaysauthreject=yes
There are apparently hacker tools which claim to be able to bypass this setting??? Additionally this seems to have the disadvantage of also rejecting P2P calls, like sip:Me@MyDomain, which I would like to allow. That's the reason why I tried so hard to block only attacks (and not each single request) with fail2ban. Before I activate this setting, I am trying whether fail2ban would be able to block the attack without specifying a findtime in jail.conf. I don't have much hope, but maybe... I'm still waiting for the next attack... Other solutions are, as you mentioned, changing the hoster of the vserver; the rent of a vserver allowing root access seems to cost much more than what I'm paying now and what it would be worth. I therefore may also consider buying my own little server box.

Last edited by MET; 05-25-2010 at 08:15 AM.
 
Old 05-26-2010, 04:35 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
As far as your "what it would be worth" question: as posted in the first link I mentioned, iptables can -j DROP on the first SYN from a denied host, but using hosts.deny requires that the connection is made first. So that shows using hosts.deny is not the method you're looking for. Having your own physical machine in colo is not a bad idea.
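To put the two approaches discussed in this thread side by side, here is a jail.local fragment added as an illustration; it is not MET's configuration or fail2ban's shipped jail.conf. The jail name and the ASTERISK action name follow the fail2ban log quoted in the first post; the filter name, log path and mail addresses are assumptions, and a matching filter.d/asterisk.conf must exist.

```ini
# Constructed jail.local fragment for fail2ban 0.8.x (illustration, not the poster's file).
[asterisk-iptables]
enabled  = true
filter   = asterisk
logpath  = /var/log/asterisk/messages
maxretry = 3
findtime = 300
bantime  = 600

# As used in the thread: write the host to /etc/hosts.deny. Only services that
# consult tcp_wrappers (libwrap) honour that file, and only after a connection
# has already been accepted; Asterisk's chan_sip listener does not consult it,
# so the scanner keeps reaching Asterisk after the "ban".
#action   = hostsdeny

# As recommended in the thread: drop the banned source at the packet filter, so
# nothing from that host reaches Asterisk at all. Requires iptables to be usable
# inside the (v)server; the sendmail-whois line reproduces the mail seen in the log.
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=me@example.org, sender=fail2ban@example.org]
```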
 
Old 05-27-2010, 04:08 AM   #11
MET
LQ Newbie
 
Registered: May 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Regarding my "what it would be worth": The asterisk is used privately for our family. All of our outgoing calls and all of the international incoming calls go via the asterisk. The normal telephone line is only used as a fallback system. The total amount at risk on the asterisk, which a hacker could use for telephone calls, is maybe about 50 USD. The passwords which the hacker would have to find are very strong. One tried for about two hours to hack it, but he could have tried until doomsday. The problem is therefore only that the asterisk can occasionally be used with some difficulties when trying to make a phone call at the same time. With the number of attacks as they occur at the moment it is really not worth paying over 10 times more each month for a vserver with root access.
 
Tags
fail2ban