[SOLVED] Fail2Ban failed to ban Attack on Asterisk, Why ?
My externally hosted vserver runs with Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package-manager. The intention is to use fail2ban with the messages-file from asterisk using /etc/hosts.deny (without iptables).
While I had the settings in jail.conf for manual testing:
maxretry = 3
findtime = 300
bantime = 600
I received an attack which fail2ban didn't block. Here are the logs from the two programs:
Asterisk:
Code:
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
There are about 40 attacks per second, whereas fail2ban reacts only in about one-second intervals by reporting "already banned". Fail2ban actually did add the IP to the file /etc/hosts.deny. But why then hasn't the IP been blocked? Any suggestions/recommendations to get it working are appreciated.
As you can see in the fail2ban.log I actually also have a problem sending the mail, but that is on other subject...
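A small replay of the jail logic over lines in exactly this format, as an added example (not fail2ban's own code; the sample lines are constructed to match the excerpt above). It shows that with maxretry = 3 / findtime = 300 / bantime = 600 the jail fires a ban on the third failure at 16:04:05 and reports every later match as "already banned", so matching and counting worked; what had no effect was the hosts.deny action, because only services that consult TCP wrappers honour that file and Asterisk's SIP listener on UDP 5060 does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip failure lines above; a fail2ban failregex would put
# <HOST> where this pattern captures the source address.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'[^']*' failed for '(?P<host>[0-9.]+)' - No matching peer found$")

def parse(line):
    m = FAILREGEX.match(line)   # None for lines that are not registration failures
    return m and (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host"))

def run_jail(lines, maxretry=3, findtime=300, bantime=600):
    """Replay lines through a fail2ban-style jail; return (ts, host, event) tuples."""
    recent = defaultdict(deque)   # host -> failure timestamps inside findtime
    banned = {}                   # host -> time at which the ban expires
    events = []
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        ts, host = parsed
        if host in banned and banned[host] <= ts:
            del banned[host]              # bantime elapsed: host is unbanned
        if host in banned:
            events.append((ts, host, "already banned"))   # what the thread saw
            continue
        hits = recent[host]
        hits.append(ts)
        while hits[0] < ts - timedelta(seconds=findtime):
            hits.popleft()                # forget failures older than findtime
        if len(hits) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            hits.clear()
            events.append((ts, host, "Ban"))
    return events

def notice(ts, user, host="76.76.96.74"):
    """Constructed Asterisk NOTICE line in the exact format of the thread's log."""
    return (f"[{ts}] NOTICE[29225] chan_sip.c: Registration from '\"{user}\""
            f"<sip:{user}@12.34.56.78>' failed for '{host}' - No matching peer found")

# Constructed sample: the 16:04:05 burst, two lines from the end of the attack,
# one unrelated NOTICE, and a late retry after the 600 s ban has expired.
SAMPLE = [notice("2010-05-22 16:04:05", u) for u in ("1249349713", "100", "101", "102")]
SAMPLE += [notice("2010-05-22 16:12:58", u) for u in ("9998", "9999")]
SAMPLE += ["[2010-05-22 16:13:00] NOTICE[29225] chan_sip.c: Peer 'alice' is now Reachable.",
           notice("2010-05-22 16:15:00", "9999")]
```

Running `run_jail(SAMPLE)` yields one "Ban" followed by three "already banned" events; the 16:15:00 line arrives after the ban expired and only starts a new count.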
Thank you, unSpawn, for indicating that this sort of ban really has to be done using iptables. At this point I need some further help. I don't know much about Linux. I only use it on the vserver to run asterisk. When I set up Debian lenny, I also added fail2ban 0.8.3 and iptables 1.4.2 with the package manager. Unfortunately I couldn't find out how to start iptables. Some instructions indicate
/etc/init.d/iptables start
but my version has no entry there. I found that for my version the iptables-scripts/programs are in the /sbin/ folder but commands like start or reload are not recognised.
I learned that with the following command one can check whether iptables is working or not:
Code:
vs8709:~# iptables -L -v
iptables v1.4.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
This doesn't seem to be the case.
What do I have to do to get iptables to work for fail2ban (only), or rather fail2ban to work with iptables? Do I understand correctly that in this particular case it isn't necessary to add any rules for iptables, since those are generated by fail2ban?
For vserver and iptables see this vserver FAQ entry (basically: no, or rather at the vserver host level). In this list of vserver providers you can find some that will provide iptables functionality if your own provider can not or does not want to.
You're welcome. We did beat the other fora didn't we? I mean considering you posted this all around ;-p (Mind you, not that I do give a rats ass about beating cross-posted threads.)
You're welcome. We did beat the other fora didn't we?
Yes, you did indeed ;-) After 10 days working on it I finally found "somewhere" an answer. I will remember this forum, which I didn't know before ... Thanks again!
Your short questions require a longer reply.
The easiest way to block such attacks can be done in the asterisk itself with the following command in sip.conf (see here):
alwaysauthreject=yes
There are apparently hacker tools which claim to be able to bypass this setting??? Additionally this seems to have the disadvantage of also rejecting P2P calls, like sip:Me@MyDomain, which I would like to allow. That's the reason why I tried so hard to block only attacks (and not each single request) with fail2ban. Before I activate this command, I will try whether fail2ban would be able to block the attack without specifying a findtime in jail.conf. I don't have much hope, but maybe... I'm still waiting for the next attack... Other solutions are, as you mentioned, changing the hoster of the vserver; the rent of a vserver allowing root access seems to cost much more than what I'm paying now and what it would be worth. I therefore may also consider buying my own little server box.
As far as your "what it would be worth" question: as posted in the first link I mentioned, iptables can -j DROP on the first SYN from a denied host, but using hosts.deny requires that the connection is made first. So that shows using hosts.deny is not the method you're looking for. Having your own physical machine in colo is not a bad idea.
Regarding my "what it would be worth": The asterisk is used privately for our family. All of our outgoing calls and all of the international incoming calls go via the asterisk. The normal telephone line is only used as a fallback system. The total amount at risk on the asterisk, which a hacker could use for telephone calls, is maybe about 50 USD. The passwords which the hacker would have to find are very strong. One tried for about two hours to hack it, but he could have tried until doomsday. The problem is therefore that the asterisk can occasionally only be used with some difficulties when trying to make a phone call at the same time. With the number of attacks as they occur at the moment it is really not worth paying over 10 times more each month for a vserver with root access.