It is my first install and luckily, with some Googling, I managed to get it working. It's running on Ubuntu 14.04, FreePBX 14.0.3.12 and Asterisk 13.21. Here is some info on the configuration, assuming you have already got fail2ban installed and FreePBX/Asterisk running.
1. Configure /etc/fail2ban/jail.local
for asterisk:
[asterisk-tcp]
enabled = true
filter = asterisk-tcp
port = 5060,5061
protocol = tcp
logpath = /var/log/asterisk/full
[asterisk-udp]
enabled = true
filter = asterisk-udp
port = 5060,5061
protocol = udp
logpath = /var/log/asterisk/full
for freepbx:
[pbx-gui]
enabled = true
filter = freepbx
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/freepbx_security.log
Note the filter names asterisk-tcp, asterisk-udp and freepbx: each filter file must have the same name as the filter it belongs to.
Create /etc/fail2ban/filter.d/asterisk-tcp.conf and /etc/fail2ban/filter.d/asterisk-udp.conf with this content:
# Fail2Ban configuration file
#
#
# $Revision: 251 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P
# Values: TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here
failregex = NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '.*' failed for '
NOTICE.* .*: Registration from '\".*\".*' failed for '
NOTICE.* .*: Registration from '\".*\".*' failed for '
NOTICE.*
NOTICE.* .*: No registration for peer '.*' \(from
NOTICE.* .*: Host
NOTICE.* .*: Failed to authenticate user .*@
NOTICE.* .*:
NOTICE.* .*:
VERBOSE.*SIP/
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Then create /etc/fail2ban/filter.d/freepbx.conf:
[INCLUDES]
before = common.conf
[Definition]
failregex = Authentication failure for \S* from
ignoreregex =
Then we need to reload fail2ban so that it picks up the new jails and filters:
fail2ban-client reload
We can check the status with this:
fail2ban-client status
Or for one specific jail, such as:
fail2ban-client status asterisk-tcp
We can check whether our filter is working with a command such as:
fail2ban-regex --full-traceback -v /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/freepbx.conf
The two arguments are simply the path to the log file specified in /etc/fail2ban/jail.local and the path to the filter file.
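The same check can be reproduced offline to see what the freepbx filter would catch. This is an added example, not code from the original post or from fail2ban: the `<HOST>` expansion is a simplified approximation, the failregex is assumed to end in the `<HOST>` tag, the log lines are constructed, and `maxretry=3` is an assumed threshold.

```python
import re
from collections import Counter

# Simplified approximation of the named group fail2ban substitutes for the
# <HOST> tag (assumption: real fail2ban versions differ in detail).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Assumed complete form of the freepbx.conf failregex: the pattern from the
# filter file with the <HOST> tag at the end.
FAILREGEX = r"Authentication failure for \S* from <HOST>"

# Constructed sample lines, not taken from a real freepbx_security.log.
SAMPLE_LOG = """\
[2018-May-20 10:00:01] [SECURITY] Authentication failure for admin from 203.0.113.5
[2018-May-20 10:00:03] [SECURITY] Authentication failure for root from 203.0.113.5
[2018-May-20 10:00:05] [SECURITY] Authentication success for admin from 192.0.2.10
[2018-May-20 10:00:07] [SECURITY] Authentication failure for admin from 198.51.100.7
[2018-May-20 10:00:09] [SECURITY] Authentication failure for pbx from 203.0.113.5
"""


def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the resulting regex."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def failures_by_host(log_text, pattern=FAILREGEX):
    """Count matching failure lines per source host."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in log_text.splitlines():
        match = rx.search(line)  # search, so the timestamp prefix is skipped
        if match:
            hits[match.group("host")] += 1
    return dict(hits)


def would_ban(log_text, maxretry=3):
    """Hosts with at least maxretry failures (the time window is ignored)."""
    counts = failures_by_host(log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(failures_by_host(SAMPLE_LOG))
    print("would ban:", would_ban(SAMPLE_LOG))
```

If a line that should count as a failure does not show up in the result, the regex and the real log format disagree, which is the same condition `fail2ban-regex` reports as a missed line.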
Some commands we might need;
And this fix is for getting a permanent ban:
https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/
It involves changing the bantime value in jail.local, then modifying action.d/iptables-multiport.conf by adding a few actions:
for actionstart
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-
for actionban
echo "fail2ban-