Blocking Asterisk hacking/scanning attempts with fail2ban

Warning – if you follow these instructions fail2ban will, by default, be protecting you against other scans such as ssh attempts. This means though that if you get your IP blocked you will not be able to connect to your server from that IP. Ensure that you whitelist your IP by following the instructions at the end of the post.

Over the past few weeks we have seen a big jump in the scanning of VOIP servers. All of these are brute force attempts: they first scan for valid extension numbers and then try to guess each extension's password by repeatedly submitting different passwords.

Unfortunately Asterisk doesn’t have anything built-in to prevent these types of scans, but it is very good at logging the attempts in the Asterisk logs. This means we can use a free utility called fail2ban together with the Linux iptables firewall to block IP addresses that make repeated failed login attempts.

Fail2ban is already included in PBX-in-a-Flash but we can also use it with other Asterisk distributions.


Most of the information in this post was taken from here, so please visit for more information.

Here is a quick guide for getting fail2ban blocking Asterisk brute force scanning on a 32-bit CentOS server. You must have iptables installed already.

First we are going to install the rpmforge repository and use the fail2ban package from there –

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
sed -i 's/enabled = 0/enabled = 1/' /etc/yum.repos.d/rpmforge.repo
yum install -y fail2ban jwhois

Now disable the rpmforge repo so that it doesn’t interfere with any of the CentOS/Asterisk packages –

sed -i 's/enabled = 1/enabled = 0/' /etc/yum.repos.d/rpmforge.repo

Next we are going to create the fail2ban configuration file for Asterisk. This tells fail2ban what text to monitor the logs for. The heredoc delimiter is quoted so that the shell leaves the $Revision tag and the backslashes in the patterns exactly as written –

cat >> /etc/fail2ban/filter.d/asterisk.conf <<-'EOF'
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF

Next we are going to add some lines to the jail.conf file that tell fail2ban which log file to monitor and what action to take when the required text is detected. This includes sending an alert e-mail, so you may want to change ‘root’ to your e-mail address. It also includes the length of time the IP address is blocked for, in seconds. Here we have it set to 3 days (259200 seconds); you may want to modify this –

cat >> /etc/fail2ban/jail.conf <<-EOF
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, [email protected]]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 259200
EOF

Fail2ban needs the date in the Asterisk log files written in a specific format. To do this we can add a line to the ‘general’ section of the Asterisk logger configuration file. If you already have a ‘general’ section in there, add the dateformat line to it manually rather than running the command below, which appends a second section –

cat >> /etc/asterisk/logger.conf <<-EOF
[general]
dateformat=%F %T
EOF
asterisk -rx "logger reload"

Finally we want to fire up fail2ban and set it to start at boot time –

service fail2ban start
chkconfig fail2ban on

One final thing you may want to do is ‘whitelist’ your own IP address(es). You can do this by adding them to the ignoreip line in the jail.conf file. Here are a couple of lines to do it automatically; just replace 123.123.123.123 with your own IP address –

sed -i 's/ignoreip = /ignoreip = 123.123.123.123 /' /etc/fail2ban/jail.conf
service fail2ban restart

23 thoughts on “Blocking Asterisk hacking/scanning attempts with fail2ban”

  1. Lee

    Hey Matt,

    Great tutorial, very easy to follow and works.

    Have setup on all my servers now.

    Thanks again for all your help and support over the years.

    Lee

  2. Jay

    I installed fail2ban on my system and was surprised how well it worked. when going through the logs, I noticed that it wasn’t blocking everything. I noticed that if the “Registration from” section of the asterisk log contained a quotation mark (“), the entry would not be blocked. I was able to fix this by adding the following line to asterisk.conf listed above.

    NOTICE.* .*: Registration from '".*".*' failed for '<HOST>' - No matching peer found

    You may have to add more than one of these modified lines, depending on the way system is trying to be hacked. (i.e. Wrong Password, Username/auth name mismatch, etc…)

    Hope this helps!

    .J.

  3. matt Post author

    Hi Jay,

    Thanks for the update/feedback.

    What version of Asterisk are you using? I know there are some changes for the logging in v1.8.

    Thanks, Matt

  4. ruben23

    Hi Matt,

    How do I verify from the logs or the status that attacks are being denied or banned..? I had an attack on my asterisk server recently, see this —> http://i55.tinypic.com/2pp08eb.jpg hope you can help me how to block this automatically and some others in the future also, I’m using ubuntu server. Thanks in advance.

  5. matt Post author

    There are a couple of tests you can run with fail2ban-regex to feed in the expression and scan a log file to make sure it’s getting picked up. See here for more info – http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Testing

    I’d also suggest actually blocking your IP (maybe by trying to connect with an invalid extension/secret) just to test that the iptables rules are taking effect. Don’t forget to make sure you can log in from a different address to unblock yourself first!

  6. Tim Osman

    Before getting too excited about using fail2ban google “Fail2ban: False sense of security”

  7. Ozjohnd

    Hey Mate, thank god for guys like you who don’t mind helping us dummies.
    This worked for me, after trying a few manual instructions that didn’t seem to work. Thanks again. John

  8. Elliot

    Hi Matt, the firewall included in the latest Elastix, do have any idea how effective it is?
    I have installed fail2ban but can’t get my sip accounts registered outside my network

  9. Winanjaya

    Hi, I am running Asterisk 1.8.7 .. could anybody please advise, what should I change for fail2ban running correctly?

    many thanks in advance

  10. Ruban

    http://www.fail2ban.org/wiki/index.php/Talk:Asterisk

    New REGEX for Asterisk 1.8

    Asterisk 1.8 includes the port number in the log entry so it broke the existing regex for detecting the host IP.

    Here is a sample of the new logs for a bad password login attempt
    Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from 'XXXXXXXXXXXXXXXXX' failed for '192.168.200.100:36998' - Wrong password

    Notice the port is listed with the offending IP separated by a colon.

    Here are new regexes that work by not including the colon port number in the variable that gets passed to iptables. Edit your asterisk filter in the /etc/fail2ban/filters.d/ directory accordingly.

    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
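
An added example (not code from the post, from fail2ban, or from this comment) that reproduces in Python what fail2ban does with the post's filter and jail settings and with the Asterisk 1.8 log line above. It expands the <HOST> tag using the alias quoted in the filter's own comment, runs a subset of the post's failregex lines over constructed log lines written in the %F %T date format, counts failures per host against maxretry = 5, and then shows that with that \S+ alias the 1.8 'address:port' value is captured whole, which an optional port group placed after the tag cannot change, whereas a host pattern that stops at the colon (PORT_AWARE_ALIAS below is my own suggestion, not fail2ban's definition) leaves the bare address for iptables. The log lines and addresses are constructed, and the alias your fail2ban version substitutes for <HOST> may differ, so confirm against your real log with fail2ban-regex as suggested in comment 5.

```python
import re
from collections import Counter

# The <HOST> alias exactly as the comment in the post's asterisk.conf defines it;
# fail2ban substitutes it for the "<HOST>" tag before compiling each failregex line.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# A subset of the failregex lines from the post's asterisk.conf.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
]

# Constructed sample log (not captured traffic) in the dateformat=%F %T layout
# that the post configures in logger.conf. The last line is a benign NOTICE.
SAMPLE_LOG = "\n".join([
    "2011-11-04 18:30:40 NOTICE[32257] chan_sip.c:18312 handle_request_register: Registration from '\"100\"<sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password",
    "2011-11-04 18:30:41 NOTICE[32257] chan_sip.c:18312 handle_request_register: Registration from '\"101\"<sip:101@203.0.113.10>' failed for '198.51.100.7' - Wrong password",
    "2011-11-04 18:30:41 NOTICE[32257] chan_sip.c:18312 handle_request_register: Registration from '\"102\"<sip:102@203.0.113.10>' failed for '198.51.100.7' - No matching peer found",
    "2011-11-04 18:30:42 NOTICE[32257] chan_sip.c:18312 handle_request_register: Registration from '\"103\"<sip:103@203.0.113.10>' failed for '198.51.100.7' - No matching peer found",
    "2011-11-04 18:30:42 NOTICE[32257] chan_sip.c:18312 handle_request_register: Registration from '\"104\"<sip:104@203.0.113.10>' failed for '198.51.100.7' - Wrong password",
    "2011-11-04 18:31:05 NOTICE[32257] chan_sip.c:18312 handle_request_register: Registration from '\"200\"<sip:200@203.0.113.10>' failed for '198.51.100.8' - No matching peer found",
    "2011-11-04 18:31:09 NOTICE[32257] chan_sip.c:15632 check_auth: 198.51.100.9 failed to authenticate as '1000'",
    "2011-11-04 18:31:30 NOTICE[32257] chan_sip.c:25061 handle_response_peerpoke: Peer '100' is now Reachable. (12ms / 2000ms)",
])

# Constructed Asterisk 1.8 style line: the source address now carries ':port'.
LOG_18_LINE = ("2011-11-04 18:30:40 NOTICE[32257] chan_sip.c:23417 handle_request_register: "
               "Registration from 'sip:100@203.0.113.10' failed for '192.168.200.100:36998' - Wrong password")

# My own alternative alias (an assumption, not fail2ban's): the host group stops at
# the first colon, and an optional ':port' is consumed outside the group.
PORT_AWARE_ALIAS = r"(?:::f{4,6}:)?(?P<host>[0-9A-Za-z.\-]+)(?::[0-9]{1,5})?"


def compile_failregex(patterns, host_alias=HOST_ALIAS):
    """Expand the <HOST> tag the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", host_alias)) for p in patterns]


def captured_host(line, pattern, host_alias=HOST_ALIAS):
    """Return what the 'host' group captures for one log line, or None if no match."""
    m = re.compile(pattern.replace("<HOST>", host_alias)).search(line)
    return m.group("host") if m else None


def count_failures(log_text, compiled):
    """Count failregex matches per captured host (at most one match per log line)."""
    counts = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Hosts that reached the jail's maxretry (the post uses 5) and would be banned."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG, compile_failregex(FAILREGEX))
    print("failures per host:", dict(counts))
    print("would ban with maxretry=5:", hosts_to_ban(counts))
    wrong_pw = FAILREGEX[0]
    print("1.8 line, \\S+ alias      :", captured_host(LOG_18_LINE, wrong_pw))
    print("1.8 line, port-aware alias:", captured_host(LOG_18_LINE, wrong_pw, PORT_AWARE_ALIAS))
```

The greedy \S+ in the quoted alias swallows the port before the optional "(:[0-9]{1,5})?" group is even tried, so the host group still holds "192.168.200.100:36998", a value iptables cannot ban; only a host pattern that itself excludes the colon produces the bare address. Whatever pattern you settle on, fail2ban-regex against a real line from /var/log/asterisk/full is the check that matters.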

  11. matt Post author

    Hi Ruban,

    Good point, thanks for the info. I should do another post with settings for 1.8.

    Matt

  12. Nirav

    How to make an asterisk registration monitor application which can see the registration requests for a configurable amount of time and, if we have found some unknown request up to that configurable time, then block that IP permanently in iptables, and make one script to enable/disable IP blocking in the firewall as well. Automatically get the IP address and stop this IP in iptables.

  13. matt Post author

    Hi, I’m not too sure I follow what you are trying to do. Fail2ban monitors the logs for certain events (like Registration failed) and can then be configured to block the IP either temporarily or permanently. Fail2ban uses iptables to block the address.

  14. Krystyna

    I’m still finding traces of scanning attempts on my servers it seems. Every day I get about 10 – 1000 calls from “100”. I check logs, see if there is a back door, and can’t see anything. What would be the solution to this problem in this case? I have followed both your fail2ban and iptables tutorials on both of these servers. Where have I gone wrong???

  15. matt Post author

    These are likely just scanners attempting to place calls through your system. I’m assuming the calls are not actually processed?

    To stop them appearing you could block access to port 5060 (SIP) and only whitelist IPs you need. That does assume those IPs are fixed though …

  16. Krystyna

    No, the callers aren’t actually processed. Could this be linked to a problem where I have clients who are getting calls from extension 1000 and “asterisk” at all hours of the morning?

  17. Klaus

    I think fail2ban does a good job in terms of what it is designed to do..but it’s not a real Asterisk firewall! Have a look at:
    http://www.voip-info.org/wiki/view/Asterisk+security

    There are a range of products from the very basic (like fail2ban) to sophisticated firewalls which interface with Asterisk’s AMI, with the network card, geofencing, etc.
