[SOLVED] Fail2Ban failed to ban Attack on Asterisk, Why ?

MET · 05-24-2010, 10:07 AM

My externally hosted vserver runs with Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package-manager. The intention is to use fail2ban with the messages-file from asterisk using /etc/hosts.deny (without iptables).

While I had the settings in jail.conf for manual testing:

maxretry = 3
findtime = 300
bantime = 600

I received an attack which fail2ban didn't block. Here are the logs from the two programs:

Asterisk:

Code:

[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found

Fail2Ban:

Code:

2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
The IP 76.76.96.74 has just been banned by Fail2Ban after
11 attempts against ASTERISK.\n\n
Here are more information about 76.76.96.74:\n
`whois 76.76.96.74`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
...
2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74

There are about 40 attacks per second whereas fail2ban reacts in about one second intervals only by reporting "already banned". Fail2ban actually did add the IP in the File /etc/hosts.deny. But why then hasn't the IP been blocked? Any suggestions/recommendations to get it working are appreciated.

As you can see in the fail2ban.log I actually also have a problem sending the mail, but that is on other subject...

unSpawn · 05-24-2010, 11:00 AM

Quote:

Originally Posted by MET

Fail2ban actually did add the IP in the File /etc/hosts.deny. But why then hasn't the IP been blocked?

See http://www.linuxquestions.org/questi...4/#post2277412, post #2.

Quote:

Originally Posted by MET

Any suggestions/recommendations to get it working are appreciated.

I second http://www.linuxquestions.org/questi...0/#post1402937, post #3: use iptables. Besides /etc/hosts.deny as a file nor "interface" was never meant for this kind of stuff.

MET · 05-24-2010, 12:26 PM

Thank you, unSpawn, for indicating that this sort of ban has really to be done using iptables. At this point I need some further help. I don't know much about Linux. I only use it on the vserver to run asterisk. When I did set up Debian lenny, I added also with the package-manager fail2ban 0.8.3 and iptables 1.4.2. Unfortunately I couldn't find out how to start iptables. Some instructions indicate
/etc/init.d/iptables start
but my version has no entry there. I found that for my version the iptables-scripts/programs are in the /sbin/ folder but commands like start or reload are not recognised.

I learned that with the following command one can check whether itables is working or not:

Code:

vs8709:~# iptables -L -v
iptables v1.4.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

This doesn't seem to be the case.

What do I have to do to get iptables work for fail2ban (only) or rather fail2ban work with iptables? Do I understand it correct that in this particular case it isn't necessary to add some rules for iptables since those are generated by fail2ban?

unSpawn · 05-24-2010, 03:22 PM

For vserver and iptables see this vserver FAQ entry (basically: no, or rather at the vserver host level). In this list of vserver providers you can find some that will provide iptables functionality if your own provider can not or does not want to.

MET · 05-24-2010, 04:37 PM

Thanks, unSpawn, for your short and clarifying answer to a long question ...

unSpawn · 05-24-2010, 05:00 PM

You're welcome. We did beat the other fora didn't we? I mean considering you posted this all around ;-p (Mind you, not that I do give a rats ass about beating cross-posted threads.)

MET · 05-24-2010, 05:28 PM

Quote:

Originally Posted by unSpawn

You're welcome. We did beat the other fora didn't we?

Yes, you did indeed ;-) After 10 days working on it I finally found "somewhere" an answer. I will remember this forum, which I didn't know before ... Thanks again!

unSpawn · 05-24-2010, 05:57 PM

You're welcome. What are you going to do BTW? Moving provider? Or are you pondering any alternatives I don't know about?

MET · 05-25-2010, 03:10 AM

Your short questions require a longer reply.
The easiest way to block such attacks can be done in the asterisk itself with the following command in sip.conf (see here):
alwaysauthreject=yes
There are apparently hacker tools which claim to be able to by-pass this setting??? Additionally this seems to have the disadvantage of rejecting also P2P calls, like sip:Me@MyDomain, which I would like to allow. That's the reason why I tried so hard to block with fail2ban only attacks (and not each single request). Before I activate this command, I try whether fail2ban would be able to block the attack without specifying a findtime in jail.conf. I don't have much hope, but may be... I'm still waiting for the next attack... Other solutions are, as you mentioned, changing the hoster of the verver; the rent of a vserver allowing root access seems to cost much more than what I'm paying now and what it would be worth. I therefore may also consider to buy my own little server box.

unSpawn · 05-26-2010, 04:35 PM

As far as your "what it would be worth" question: as posted in the first link I mentioned iptables can -j DROP on the first SYN from a denied host but using hosts.deny requires a the connection is made first. So that shows using hosts.deny is not the method you're looking for. Having your own physical machine in colo is not a bad idea.

MET · 05-27-2010, 04:08 AM

Regarding my "what it would be worth": The asterisk is used privately for our family. All of our outgoing calls and all of the international incoming calls go via the asterisk. The normal telephone line is only used as a fallback-system. The total amount at risk on the asterisk and which a hacker could use for telephone calls is may be about 50 USD. The passwords which the hacker should find are very strong. One tried for about two hours to hack it but he could have tried until dooms-day. The problem is therefore that the asterisk can occasionally only be used with some difficulties when trying to make at the same time a phone call. With the number of attacks as they occur at the moment it is really not worth to pay each month over 10 times more for a vserver with root access.