All SysAdminMan servers come with fail2ban and denyhosts installed. These are two software packages that do similar things so can be confusing.
Here are the differences –
monitors Asterisk logs for failed ‘Register’ attempts and blocks the IP using IPTables. This means if you get yourself blocked it will appear as though the server has gone down
monitors /var/log/secure for failed SSH attempts and just blocks the IP for SSH access. You will get connection refused just for SSH if you get yourself blocked
It’s possible to whitelist your own IPs so that they don’t get accidentally blocked by following the instructions below.
You should replace 126.96.36.199 with your own IP –
sed -i "s/ignoreip = /ignoreip = $ignoreip /" /etc/fail2ban/jail.conf
service fail2ban restart
echo "sshd: $ignoreip" >> /etc/hosts.allow
service denyhosts restart
Warning – if you follow these instructions fail2ban will, by default, be protecting you against other scans such as ssh attempts. This means though that if you get your IP blocked you will not be able to connect to your server from that IP. Ensure that you whitelist your IP by following the instructions at the end of the post.
Over the past few weeks we have seen a big jump in the scanning of VOIP servers. All of these scans are brute force scanning attempts that first scan for valid extension numbers and then to brute force guess the extension password by repeatedly trying different passwords.
Unfortunately Asterisk doesn’t have anything built-in to prevent these types of scans but it is very good at logging these attempts in the Asterisk logs. This means we can use a free utility called fail2ban and the linux iptables firewall to block IP addresses that make repeated failed login attempts.
Fail2ban is already included in PBX-in-a-Flash but we can also use it with other Asterisk distributions.