fail2ban for asterisk tutorial

1. 安裝fail2ban
2. /etc/asterisk/logger.conf 設定

   [general]
   dateformat=%F %T

3. /etc/fail2ban/jail.conf 新增

   [asterisk-iptables]
   # if more than 4 attempts are made within 6 hours, ban for 24 hours
   enabled  = true
   filter   = asterisk
   ignoreip = 168.192.0.1
   action   = iptables-allports[name=ASTERISK, protocol=all]
              sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
   logpath  = /var/log/asterisk/messages*
   maxretry = 4
   findtime = 21600
   bantime = 86400

4. /etc/fail2ban/filter.d/asterisk.conf 新增下表(給Asterisk 1.8 and Asterisk 11使用)

# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
           NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
           NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
           NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
           NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
           NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
           NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
           NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
           NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
           NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
           NOTICE.* <HOST> failed to authenticate as '.*'$
           NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
           NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
           NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
           NOTICE.* .*: <HOST> failed to authenticate as '.*'
           NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
           VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

5. service ufw restart (重啟iptables)
6. service fail2ban restart (重啟fail2ban)

註：ufw 為Ubuntu下重啟iptables指令, 其它版本Linux 應該都是用iptables

驗證
1. iptables -L -n (即可看到被iptables drop掉的IP)
2. fail2ban-client status asterisk-iptables (即可看到fail2ban監控狀態)
3. iptables -D fail2ban-ASTERISK -s 42.78.174.92 -j DROP (不小心4次驗證失敗IP被加到iptables, 將IP從iptables解放出來)

參考文件
1. http://www.fail2ban.org/wiki/index.php/Asterisk
2. http://tc.itkee.com/os/detail-28ad.html
3. http://askubuntu.com/questions/161551/how-to-start-stop-iptables-in-ubuntu-12-04
4. http://pulipuli.blogspot.tw/2011/07/centosfail2ban.html#postcata1389669540911_anchor17