fail2ban for elastix 2.2

Joined
Feb 14, 2011
Hello guys! Thank you for all your help, and now I want to help others. I've recently installed the new stable version of Elastix with Asterisk 1.8. I've always used fail2ban as my security tool, but my old regex configuration didn't work with Asterisk 1.8, because in the /var/log/asterisk/full messages Asterisk now appends the port number to the IP address. There is a configuration file on fail2ban.org, but it didn't work "for me". So here is what you need to do to ban the attackers.
In the new Elastix, fail2ban is already installed.
Note: before implementing fail2ban, be sure that you have iptables rules that match your requirements.
Step 1.
touch /etc/fail2ban/filter.d/asterisk.conf
Edit the "asterisk.conf" file; I'm using the vim text editor for it.

Code:
[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Parentheses that appear literally in the log text are escaped below: an
# unescaped "(from <HOST>)" is a regex group, so <HOST> would swallow the ")".

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
As you can see, I've edited the '<HOST>:.*' part, which includes the port number after the source IP address!

Step 2.
vim /etc/fail2ban/jail.conf

Code:
# ignoreip lives in the [DEFAULT] section of jail.conf, which every jail inherits
[DEFAULT]

# don't ban yourself: replace youripaddress with your own address
ignoreip = 127.0.0.1 youripaddress

[asterisk-iptables]

enabled  = true
filter   = asterisk
# continuation lines of a multi-line value must be indented
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime  = 600

Step 3.
chkconfig fail2ban on
/etc/init.d/fail2ban start

Step 4.
Check that fail2ban is running:

iptables -L -v

You should see something like this:

Chain fail2ban-ASTERISK (1 references)
pkts bytes target prot opt in out source destination
2013K 377M RETURN all -- any any anywhere anywhere

That's it! Now try to register on your Elastix with false credentials; also remember to test it from an IP which is not in the ignoreip list. If everything goes well, after 3 attempts you'll be banned for 3600 seconds!
I hope this was informative for you :)
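To check the filter before relying on it, here is an added example (not part of the post and not fail2ban's own code) that expands <HOST> the way fail2ban does and runs the post's failregex lines over constructed Asterisk 1.8 log lines; it assumes fail2ban's unanchored re.search on lines with the date already stripped.

```python
"""Offline check of the tutorial's asterisk.conf failregex, done the way
fail2ban-regex does it. Added example, not fail2ban's code; log lines are constructed."""
import re
from collections import Counter
# fail2ban's own expansion of the <HOST> tag (quoted in the filter's comment).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
# The post's failregex lines; literal parentheses are escaped so that
# <HOST> stops before the closing ')' instead of swallowing it.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
]

def compile_failregex(lines):
    """Substitute <HOST> and compile each line, as fail2ban does."""
    return [re.compile(line.replace("<HOST>", HOST_TAG)) for line in lines]
PATTERNS = compile_failregex(FAILREGEX)
# Constructed Asterisk 1.8 'full' lines (date prefix already stripped, as fail2ban
# does): 3 failures from one address, 2 from another, 1 good registration, 1 local.
SAMPLE_LOG = [
    "NOTICE[2345] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.2>' failed for '203.0.113.5:5060' - Wrong password",
    "NOTICE[2345] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.2>' failed for '203.0.113.5:5060' - Wrong password",
    "NOTICE[2345] chan_sip.c: Registration from '\"admin\" <sip:admin@10.0.0.2>' failed for '203.0.113.5:5060' - No matching peer found",
    "NOTICE[2345] chan_sip.c: 203.0.113.7 failed to authenticate as '200'",
    "NOTICE[2345] chan_sip.c: No registration for peer '200' (from ::ffff:203.0.113.7)",
    "VERBOSE[2345] chan_sip.c:   -- Registered SIP '100' at 198.51.100.9:5060",
    "NOTICE[2345] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.2>' failed for '127.0.0.1:5060' - Wrong password",
]

def match_host(line, patterns=PATTERNS):
    """Host captured by the first matching failregex (re.search, unanchored), else None.
    The ':port' after the IP and any ::ffff: prefix are left out of the capture."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(log_lines, maxretry=3, ignoreip=("127.0.0.1",)):
    """Hosts reaching the jail's maxretry, skipping addresses listed in ignoreip."""
    hits = Counter()
    for line in log_lines:
        host = match_host(line)
        if host is not None and host not in ignoreip:
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= maxretry}
```

With the jail's maxretry = 3, only 203.0.113.5 is reported; the good registration and the localhost failure are never counted.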
 
Joined
Sep 17, 2008
Hi yurmetal,

This is a fantastic tutorial and easy to follow. I used to have fail2ban installed in the old Elastix version and so tried again to have it in the new Elastix 2.2.0. I carefully followed your instructions below, hoping it would work like a charm, but unfortunately I get the error below upon attempting to start fail2ban.


[root@voip filter.d]# /etc/init.d/fail2ban start
Starting fail2ban: Traceback (most recent call last):
File "/usr/bin/fail2ban-client", line 401, in ?
if client.start(sys.argv):
File "/usr/bin/fail2ban-client", line 370, in start
return self.__processCommand(args)
File "/usr/bin/fail2ban-client", line 180, in __processCommand
ret = self.__readConfig()
File "/usr/bin/fail2ban-client", line 375, in __readConfig
ret = self.__configurator.getOptions()
File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
return self.__jails.getOptions(jail)
File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
ret = jail.getOptions()
File "/usr/share/fail2ban/client/jailreader.py", line 75, in getOptions
ret = self.__filter.read()
File "/usr/share/fail2ban/client/filterreader.py", line 53, in read
return ConfigReader.read(self, "filter.d/" + self.__file)
File "/usr/share/fail2ban/client/configreader.py", line 59, in read
SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
parser.read(resource)
File "/usr/lib/python2.4/ConfigParser.py", line 267, in read
self._read(fp, filename)
File "/usr/lib/python2.4/ConfigParser.py", line 490, in _read
raise e
ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/asterisk.conf
[line 17]: "NOTICE.* <HOST> failed to authenticate as '.*'$\n"
[FAILED]

Since I am not very good at scripting, I don't know how to understand the errors shown here. Will you please guide me on what is causing these errors?

Your time and support are very much appreciated.


Thanks,
Jessie
 
Joined
Feb 14, 2011
Hmm, I'm not sure, but I see an error in your asterisk.conf file on line 17:
NOTICE.* <HOST> failed to authenticate as '.*'$\n
Check this one in your configuration file please. I don't like the "\n" at the end of the line; if it is in your file, then delete it. If this doesn't help, try to reinstall fail2ban with yum reinstall fail2ban, or install it from source (if you don't know how, I'll show you :) ).
But for a start, check your asterisk.conf syntax.
 
Joined
Dec 3, 2007
Hi all.

Please use the code tag instead of pasting your current code without tags, to avoid getting smileys or other artifacts.
Code:
[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?(?P<host>\S+)
# Values: TEXT
#
...
etc...
 
Joined
Sep 17, 2008
Hi yurmetal,

Thank you very much to you, and to denardf also for the reminder about the code tag. I have already rearranged the code and now I'm not getting any error.

Thanks again!

Jessie
 
Joined
Oct 6, 2010
Thanks for the tutorial, but unfortunately it's not working for me. I did every step as you said; it just sends me an email that fail2ban started, and iptables -L -v returns Chain fail2ban-ASTERISK (1 references),
but it is not banning anyone. I tried it from an outside IP to register 3 times wrongly and also tried to access the webpage login with 3 wrong logins, but no ban at all!!! Should I edit anything in the asterisk.conf or just paste it as it is given in the tutorial, or should I edit anything in my firewall? Please help.
 
Joined
Jan 25, 2008
Yurmetal.

Great job about fail2ban.

Elastix has many modules, crm, a2billing, phpmyadmin, etc.
We could show other examples of filter.d/ and jail.conf.
 

rlm

Joined
Aug 15, 2012
Hi all,

I am trying to get Fail2ban working as someone is constantly hacking my system.

I am running Elastix v2.3 and have gone through the tutorial line by line; however, I can't get it to start. The following error comes back:

Starting fail2ban: Traceback (most recent call last):
File "/usr/bin/fail2ban-client", line 401, in ?
if client.start(sys.argv):
File "/usr/bin/fail2ban-client", line 370, in start
return self.__processCommand(args)
File "/usr/bin/fail2ban-client", line 180, in __processCommand
ret = self.__readConfig()
File "/usr/bin/fail2ban-client", line 375, in __readConfig
ret = self.__configurator.getOptions()
File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
return self.__jails.getOptions(jail)
File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
ret = jail.getOptions()
File "/usr/share/fail2ban/client/jailreader.py", line 75, in getOptions
ret = self.__filter.read()
File "/usr/share/fail2ban/client/filterreader.py", line 53, in read
return ConfigReader.read(self, "filter.d/" + self.__file)
File "/usr/share/fail2ban/client/configreader.py", line 59, in read
SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
parser.read(resource)
File "/usr/lib64/python2.4/ConfigParser.py", line 267, in read
self._read(fp, filename)
File "/usr/lib64/python2.4/ConfigParser.py", line 490, in _read
raise e
ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/asterisk.conf
[line 6]: ' # Notes.: regex to match the password failures messages in the logfile. The\n'
[line 7]: ' # host must be matched by a group named "host". The tag "<HOST>" can\n'
[line 8]: ' # be used for standard IP/hostname matching and is only an alias for\n'
[line 9]: ' # (?:::f{4,6}?(?P<host>\\S+)\n'
[line 10]: ' # Values: TEXT\n'
[FAILED]



Can anyone help please??

Thanks in advance.

My asterisk.conf:

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?(?P<host>\S+)
# Values: TEXT

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
NOTICE.*.*: <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
 
Joined
May 16, 2007
Thanks for your tutorial yurmetal.

It's working well. Fail2ban bans the IP address.

I receive mail when fail2ban starts, but I do not find where to put my mail address to be notified when an IP address is banned.

Do you have an idea?

Brice
 
Joined
May 16, 2007
No idea where to put the email address to be informed when the system bans an IP address?
 
