Установим требуемые пакеты
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm && wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm && rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
yum install fail2ban
yum install phyton iptables
Fail2ban содержит правила и фильтры для Asterisk по умолчанию
/etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban filter for asterisk authentication failures # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = asterisk __pid_re = (?:\[\d+\]) # All Asterisk log messages begin like this: log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not su$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="$ ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$ ignoreregex = # Author: Xavier Devlamynck / Daniel Black # # General log format - main/logger.c:ast_log # Address format - ast_sockaddr_stringify # # First regex: channels/chan_sip.c # # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
Регулярное выражение (RegEx) fail2ban, Asterisk 12 или 13, для сообщений от драйвера chan_pjsip
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - (No matching endpoint found)$
/etc/fail2ban/jail.conf
[asterisk] enabled = true filter = asterisk action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp] iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] sendmail-whois[name=Asterisk, dest=root@localhost, sender=fail2ban@localhost] logpath = /var/log/asterisk/messages maxretry = 3 bantime = 259200
Или jail.local
[asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=SIP, protocol=all] sendmail[name=SIP, dest=root@localhost, sender=root@localhost] logpath = /var/log/asterisk/messages maxretry = 5 bantime = 1800
Добавим в файл jail.conf
/etc/fail2ban/jail.conf
[asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@asterisk] logpath = /var/log/asterisk/messages maxretry = 3 bantime = 259200
Создадим отдельный лог для fail2ban
/etc/asterisk/logger_logfiles_custom.conf
messages => notice,warning,error
# asterisk -rx "logger rotate"
Cтартуем
/etc/init.d/fail2ban start /etc/init.d/iptables start
если все в порядке
chkconfig iptables on chkconfig fail2ban on
Посылаем некорректные запросы на авторизацию
sipsak -U -s sip:s@192.168.0.1:5060 sipsak -U -s sip:s@192.168.0.1:5060 sipsak -U -s sip:s@192.168.0.1:5060
Смотрим iptables
iptables -L
Chain fail2ban-ASTERISK (1 references) target prot opt source destination DROP all -- 192.168.0.22 anywhere RETURN all -- anywhere anywhere
Смотрим статус fail2ban
fail2ban-client status asterisk-iptables
Status for the jail: asterisk-iptables |- filter | |- File list: /var/log/asterisk/secure | |- Currently failed: 0 | `- Total failed: 3 `- action |- Currently banned: 1 | `- IP list: 192.168.0.22 `- Total banned: 1
удалить правило из iptables
iptables -D fail2ban-ASTERISK 1
дополнительно
Блокировка пакетов средствами IPtables по названию сканера
iptables -I INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP iptables -I INPUT -p udp --dport 5060 -m string --string "sip-scan" --algo bm -j DROP iptables -I INPUT -p udp --dport 5060 -m string --string "sundayddr" --algo bm -j DROP iptables -I INPUT -p udp --dport 5060 -m string --string "iWar" --algo bm -j DROP iptables -I INPUT -p udp --dport 5060 -m string --string "sipsak" --algo bm -j DROP iptables -I INPUT -p udp --dport 5060 -m string --string "sipvicious" --algo bm -j DROP