Securing Asterisk - Fail2Ban

Fail2Ban from www.fail2ban.org is a great tool for blocking unwanted IP addresses from accessing your server. It works together with iptables: it scans log files for predefined patterns and, when a line matches one, blocks the IP address that caused that line to be written.

Every Asterisk installation must have this tool installed to secure it against unwanted SIP registration attempts, which are the most common type of attack on Asterisk servers. This one security measure alone is enough to make your Asterisk server secure. Here I'll describe how to do it. I have taken these instructions primarily from voip-info.org (http://ilovetovoip.com/QQ).

After installing fail2ban, create a file called asterisk.conf in the fail2ban filters folder:

touch /etc/fail2ban/filter.d/asterisk.conf

Now add the following in this file:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#

ignoreregex =

In the lines above you can see that Fail2Ban will look for phrases such as "Wrong password", "No matching peer found", "Username/auth name mismatch" and "Device does not match ACL"; the remaining patterns cover the other authentication failure messages Asterisk logs at NOTICE level.

Next add the following lines in /etc/fail2ban/jail.conf

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 259200

This jail bans an offending IP for three days, i.e. 259200 seconds, once it has produced five matching failures (maxretry = 5).

DON’T BAN YOURSELF

Make sure you don’t ban your own IP address. For this purpose edit /etc/fail2ban/jail.conf and add your IP address in the ignoreip list under the [DEFAULT] section.

Asterisk Logging Date and Time Format

We must change how Asterisk formats the time stamp in its log. The default format does not work with Fail2Ban because the Fail2Ban date pattern that would match it is anchored to the beginning of the line (^), while Asterisk puts its date/time inside []. The other date formats Fail2Ban supports are not anchored this way and can be used with Asterisk.

To change the format, open /etc/asterisk/logger.conf and add the following line under the [general] section (you may have to create this section; put it before the [logfiles] section). This causes the date and time to be formatted as Year-Month-Day Hour:Minute:Second, for example [2008-10-01 13:40:04].

[general]
dateformat=%F %T
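To see how the filter, the jail settings and the dateformat change fit together before touching a live server, here is a dry run written for this post (it is an added example, not Fail2Ban's own code). It expands the `<HOST>` tag exactly as the filter's header comment describes, reduces two of Fail2Ban's date templates to regexes (an anchored syslog-style one and the unanchored ISO one that `%F %T` produces), and replays constructed log lines through the maxretry/bantime logic of the jail above. The findtime window of 600 seconds is Fail2Ban's default, since the jail above does not set one; all log lines and IP addresses are constructed, and the `registration_failure` helper exists only to build them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex lines from the asterisk.conf filter above, verbatim.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# What the <HOST> tag expands to, per the filter's header comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Two date templates reduced to regexes for this dry run (a simplification of
# Fail2Ban's date handling). The syslog-style one is anchored with "^", so the
# "[" Asterisk prints first defeats it; the ISO one is unanchored and accepts
# "[2008-10-01 13:40:04]", which is what dateformat=%F %T produces.
DATE_TEMPLATES = [
    (re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}"), "%b %d %H:%M:%S"),
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "%Y-%m-%d %H:%M:%S"),
]


def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> the way Fail2Ban does and compile every failregex."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def parse_timestamp(line):
    """Return the line's datetime, or None when no template matches (the line is then ignored)."""
    for rx, fmt in DATE_TEMPLATES:
        m = rx.search(line)
        if m:
            return datetime.strptime(m.group(0), fmt)
    return None


def parse_failure(line, compiled):
    """Return (timestamp, host) for a line that is both datable and a failregex hit, else None."""
    ts = parse_timestamp(line)
    if ts is None:
        return None
    for rx in compiled:
        m = rx.search(line)
        if m:
            return ts, m.group("host")
    return None


def simulate_jail(lines, maxretry=5, findtime=600, bantime=259200, ignoreip=()):
    """Replay log lines through the jail logic: a host is banned once it has
    maxretry failures inside one findtime window, unless it is in ignoreip.
    Returns {host: (ban_time, unban_time)}."""
    compiled = compile_failregex()
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # host -> failure times still inside the window
    bans = {}
    for line in lines:
        hit = parse_failure(line, compiled)
        if hit is None:
            continue
        ts, host = hit
        if host in ignoreip or host in bans:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans


def registration_failure(ts, ip, reason, ext="100"):
    """Helper for this example only: a constructed chan_sip NOTICE line in the [%F %T] format."""
    return (f"[{ts}] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@{ip}>' failed for '{ip}' - {reason}")


# Constructed sample log: 203.0.113.10 is a scanner (five datable failures in a
# few seconds), 198.51.100.7 a user who mistyped a password twice, 203.0.113.99
# a slow scanner whose failures are 25 minutes apart, and 192.0.2.1 the
# administrator's own address, which belongs in ignoreip.
SAMPLE_LOG = [
    # Default Asterisk date format: no template matches, so this line never counts.
    "[Oct  1 13:39:59] NOTICE[2345] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10>' failed for '203.0.113.10' - Wrong password",
    registration_failure("2008-10-01 13:40:01", "203.0.113.10", "No matching peer found"),
    registration_failure("2008-10-01 13:40:02", "203.0.113.10", "Wrong password", ext="101"),
    registration_failure("2008-10-01 13:40:03", "203.0.113.10", "Username/auth name mismatch", ext="102"),
    registration_failure("2008-10-01 13:40:04", "203.0.113.10", "Device does not match ACL", ext="103"),
    "[2008-10-01 13:40:05] NOTICE[2345] chan_sip.c: 203.0.113.10 failed to authenticate as '104'",
    registration_failure("2008-10-01 13:41:10", "198.51.100.7", "Wrong password", ext="200"),
    registration_failure("2008-10-01 13:41:12", "198.51.100.7", "Wrong password", ext="200"),
    "[2008-10-01 13:41:20] VERBOSE[2345] logger.c: -- Registered SIP '200' at 198.51.100.7 port 5060",
] + [
    registration_failure(f"2008-10-01 {hh}:{mm}:00", "203.0.113.99", "Wrong password")
    for hh, mm in (("13", "45"), ("14", "10"), ("14", "35"), ("15", "00"), ("15", "25"))
] + [
    registration_failure(f"2008-10-01 13:50:{s:02d}", "192.0.2.1", "Wrong password", ext="300")
    for s in range(6)
]

if __name__ == "__main__":
    for host, (start, end) in simulate_jail(SAMPLE_LOG, ignoreip=("192.0.2.1",)).items():
        print(f"ban {host} from {start} until {end}")
```

Run as-is, it bans only 203.0.113.10, three days after its fifth datable failure; the line in the default date format is discarded, the slow scanner never has five failures inside one window, and the ignored address is skipped even though it fails six times. Against a real log and filter file, Fail2Ban's own `fail2ban-regex` tool performs the matching part of this check.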

Then reload the logger module for Asterisk, at the command line enter the following command:

asterisk -rx "logger reload"

If for some reason you do not want to change the date/time format of your normal Asterisk logs (maybe you already have scripts that parse it and do not want to edit them), you can do the following instead.

In /etc/asterisk/logger.conf add the following line under the [logfiles] section for Asterisk to log NOTICE level events to the syslog (/var/log/messages) as well as its normal log file. These entries in syslog will have a Date/Time stamp that is usable by Fail2Ban.

syslog.local0 => notice

Be sure to reload the logger module for Asterisk; the command to do so is given above. If you choose this option you will also have to change the logpath option under the [asterisk-iptables] section of /etc/fail2ban/jail.conf to the following:

logpath  = /var/log/messages

TURNING IT ON

Now it is time to put fail2ban to work. There are a couple steps we need to do first.

Turn IPTABLES on

By default iptables allows all traffic. So if we turn it on it will not block any traffic until Fail2Ban creates deny rules for attackers. You should create your own firewall rules and setup for iptables, but that is beyond the scope of this guide. Just know that Fail2Ban, by default, inserts its rules at the top of the chain, so they take precedence over any rules you have configured in iptables. This is good: you may allow all SIP traffic in with your own rule, and Fail2Ban will still block individual hosts once they have attacked, because its deny rule is evaluated before your allow rule.

To start iptables type the following as root:

service iptables start

OR

/etc/init.d/iptables start

Turn on Fail2Ban

To start Fail2Ban type the following as root:

service fail2ban start

OR

/etc/init.d/fail2ban start

Check It

If both started properly issue the following command to view your iptables rules:

iptables -L -v

You should see something like the following for the INPUT chain (you will see more if you have other Fail2Ban filters enabled):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
2104K  414M fail2ban-ASTERISK  all  --  any    any     anywhere             anywhere

If you do not see something similar to that then you have some troubleshooting to do; check /var/log/fail2ban.log.

Turn it on for good

If all is well up to this point, let's make sure that fail2ban and iptables restart with the server by issuing the following commands.

CentOS/Red Hat:

chkconfig iptables on
chkconfig fail2ban on

Debian/Ubuntu:

update-rc.d iptables defaults
update-rc.d fail2ban defaults

You should now be somewhat protected against SIP scans and brute force attacks!



1 comment to Securing Asterisk – Fail2Ban

  • Jay

    I had an issue with fail2ban not banning all attempts to hack into my Asterisk-based PBX due to the fact that the ** contained a quotation mark (“).

    I was able to fix this by adding the following line with the others in asterisk.conf listed above:

    NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found

    Hope this helps.

    .J.
