Установим требуемые пакеты

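 # Add the EPEL and Remi repositories (EL6 packages), then install fail2ban
 # and its runtime dependencies. Both release RPMs are fetched over plain
 # http, so check their signatures (rpm -K) before trusting the repositories
 # they enable.
 wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm &&
 wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm &&
 rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
 yum install fail2ban
 # "phyton" was a typo: fail2ban is written in Python and needs the python package
 yum install python iptables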

Fail2ban содержит правила и фильтры для Asterisk по умолчанию

/etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#
# Read by every jail that sets "filter = asterisk". Each failregex line is
# tried against each log line; <HOST> marks the address that gets banned when
# a line matches. %(name)s references another key of this file (or of the
# included common.conf).
# NOTE(review): the failregex lines ending in "Peer is not su$" and
# "SessionID="$" are cut off in this copy (unbalanced parentheses, unclosed
# quotes). Do not paste them as-is; take the complete file from the fail2ban
# package's filter.d/asterisk.conf.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
# (common.conf presumably also supplies __prefix_line, which is used below
# but not defined in this file)
before = common.conf

[Definition]

# process name; presumably substituted into the common prefix by common.conf
_daemon = asterisk

# optional "[pid]" that may follow the log level
__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

# One pattern per line, each anchored at both ends. The continuation lines
# must stay indented so they are read as part of the same value. The last
# pattern covers WARNING-level rejections, which carry their own prefix
# instead of log_prefix.
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not su$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

# empty: no matched line is exempted from counting
ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

Регулярное выражение (RegEx) fail2ban для сообщений драйвера chan_pjsip (Asterisk 12 или 13)

 # chan_pjsip variant of the registration-failure pattern. Add it as one more
 # indented continuation line under failregex (e.g. in a filter.d/asterisk.local
 # override) so it is read as part of the same value; a line at column 0 would
 # be parsed as a new key.
 ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - (No matching endpoint found)$

/etc/fail2ban/jail.conf

[asterisk]
# Jail for the authentication failures matched by filter.d/asterisk.conf.
enabled = true
filter = asterisk
# Ban on both SIP signalling ports for TCP and UDP, then mail root a whois
# report for the banned address.
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
    iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
    sendmail-whois[name=Asterisk, dest=root@localhost, sender=fail2ban@localhost]
logpath = /var/log/asterisk/messages
# matches from one address before it is banned
maxretry = 3
# seconds (3 days)
bantime = 259200

Или jail.local

[asterisk-iptables]
# Same filter as the [asterisk] jail, but the ban covers all ports and
# protocols and the notification is a plain mail without whois lookup.
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
    sendmail[name=SIP, dest=root@localhost, sender=root@localhost]
logpath = /var/log/asterisk/messages
# matches from one address before it is banned
maxretry = 5
# seconds (30 minutes)
bantime = 1800

 

Добавим в файл jail.conf

/etc/fail2ban/jail.conf

[asterisk-iptables]
# NOTE(review): this jail reads the same logpath with the same filter as the
# [asterisk] jail shown earlier; presumably only one of them should be enabled
# for a given log file, otherwise both would act on every failure.
enabled = true
filter = asterisk
# name=ASTERISK is what produces the iptables chain fail2ban-ASTERISK
action = iptables-allports[name=ASTERISK, protocol=all]
    sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@asterisk]
logpath = /var/log/asterisk/messages
# matches from one address before it is banned
maxretry = 3
# seconds (3 days)
bantime = 259200

 

Создадим отдельный лог для fail2ban

/etc/asterisk/logger_logfiles_custom.conf

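  ; Log channel that fail2ban reads (jail logpath = /var/log/asterisk/messages).
  ; Asterisk config comments start with ';' - a leading '#' is treated as a
  ; directive (#include, #exec), so the former "# asterisk -rx ..." line would
  ; have been reported as an unknown directive rather than ignored.
  ; NOTE(review): the filter's SecurityEvent="..." pattern matches lines of the
  ; "security" level, which this channel does not include - confirm whether
  ; that rule is expected to fire.
  messages => notice,warning,error
  ; after editing, apply the change with: asterisk -rx "logger rotate"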

Стартуем

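 # Start the firewall first: the iptables init script restores the saved
 # ruleset, which would also remove any chains fail2ban had already created
 # if fail2ban were started before it.
 /etc/init.d/iptables start
 /etc/init.d/fail2ban start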

Если всё в порядке

 # enable both services at boot, firewall first
 for svc in iptables fail2ban; do chkconfig "$svc" on; done

Посылаем некорректные запросы на авторизацию

 # three invalid authentication attempts against the test host; with
 # maxretry = 3 the third one should trigger the ban
 for _ in 1 2 3; do sipsak -U -s sip:s@192.168.0.1:5060; done

Смотрим iptables

 # show the rules, including the fail2ban-ASTERISK chain created by the jail
 # (--list is the long form of -L; add -n to skip reverse DNS lookups)
 iptables --list
 Chain fail2ban-ASTERISK (1 references)
 target     prot opt source               destination  
 DROP       all  --  192.168.0.22         anywhere
 RETURN     all  --  anywhere             anywhere

Смотрим статус fail2ban

 # per-jail counters and current bans; "File list" must be the jail's logpath.
 # NOTE(review): the output shown below lists /var/log/asterisk/secure while the
 # jail snippets above use /var/log/asterisk/messages - confirm which file the
 # running configuration points at.
 fail2ban-client status asterisk-iptables
Status for the jail: asterisk-iptables
|- filter
|  |- File list:	/var/log/asterisk/secure 
|  |- Currently failed:	0
|  `- Total failed:	3
`- action
   |- Currently banned:	1
   |  `- IP list:	192.168.0.22
   `- Total banned:	1

Удалить правило из iptables

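 # Lift the ban through fail2ban so its own ban list and the iptables chain
 # stay in sync. Deleting rule 1 from fail2ban-ASTERISK by hand
 # (iptables -D fail2ban-ASTERISK 1) removes the DROP but leaves fail2ban
 # believing 192.168.0.22 is still banned, and the rule number shifts as
 # other bans are added.
 fail2ban-client set asterisk-iptables unbanip 192.168.0.22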

Дополнительно

Блокировка пакетов средствами IPtables по названию сканера

# Drop UDP SIP packets whose payload contains one of these scanner names.
# -I prepends, so re-running this inserts duplicate rules (test with
# iptables -C first). The match is literal and covers udp/5060 only, so it
# complements the fail2ban jail rather than replacing it.
for ua in friendly-scanner sip-scan sundayddr iWar sipsak sipvicious; do
    iptables -I INPUT -p udp --dport 5060 -m string --string "$ua" --algo bm -j DROP
done