Asterisk 14 Fail2ban Conf Changes

I upgraded from Asterisk 11 to 14 and found it hard to find the info on setting up the fail2ban package.

After installing fail2ban and fail2ban-systemd iptables-services, change the jail.conf to:

enabled  = true
filter   = asterisk
port     = 5060,5061,5062
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/full
maxretry = 2
findtime = 21600
bantime = 86400

I also think it is a good idea to set the ignoreip to include any remote connection ip you might be using:
ignoreip =

The filter.d/asterisk.conf needs to be updated for the new log format:

# Fail2Ban configuration file
#before = common.conf
failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Wrong password
			NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching endpoint found
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching peer found
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching peer found
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Username/auth name mismatch
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Device does not match ACL
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Peer is not supposed to register
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - ACL error (permit/deny)
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Device does not match ACL
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching peer found
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
ignoreregex =

For some reason the ipset was configured, but not linked to any action, so type this:

iptables -A INPUT -m set --match-set fail2ban-asterisk-tcp src -j DROP
iptables -A INPUT -m set --match-set fail2ban-asterisk-udp src -j DROP

Not sure why, but my logger.conf was pretty much blank, so you can set it with this:

; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
; see strftime(3) Linux manual for format specifiers.  Note that there is
; also a fractional second parameter which may be used in this field.  Use
; %1q for tenths, %2q for hundredths, etc.
dateformat = %F %T

; Write callids to log messages (defaults to yes)
use_callids = yes

; Append the hostname to the name of the log files (defaults to no)
appendhostname = no

; Log queue events to a file (defaults to yes)
queue_log = yes

; Always log queue events to a file, even when a realtime backend is
; present (defaults to no).
queue_log_to_file = no

; Set the queue_log filename (defaults to queue_log)
queue_log_name = queue_log

; When using realtime for the queue log, use GMT for the timestamp
; instead of localtime.  (defaults to no)
queue_log_realtime_use_gmt = no

; Log rotation strategy (defaults to sequential):
; none:  Do not perform any log rotation at all.  You should make
;        very sure to set up some external log rotate mechanism
;        as the asterisk logs can get very large, very quickly.
; sequential:  Rename archived logs in order, such that the newest
;              has the highest sequence number.  When
;              exec_after_rotate is set, ${filename} will specify
;              the new archived logfile.
; rotate:  Rotate all the old files, such that the oldest has the
;          highest sequence number (this is the expected behavior
;          for Unix administrators).  When exec_after_rotate is
;          set, ${filename} will specify the original root filename.
; timestamp:  Rename the logfiles using a timestamp instead of a
;             sequence number when "logger rotate" is executed.
;             When exec_after_rotate is set, ${filename} will
;             specify the new archived logfile.
rotatestrategy = rotate

; Run a system command after rotating the files.  This is mainly
; useful for rotatestrategy=rotate. The example allows the last
; two archive files to remain uncompressed, but after that point,
; they are compressed on disk.
exec_after_rotate=gzip -9 ${filename}.2

; File names can either be relative to the standard Asterisk log directory (see "astlogdir" in
; asterisk.conf), or absolute paths that begin with '/'.
; A few file names have been reserved and are considered special, thus cannot be used and will
; not be considered as a regular file name.  These include the following:
;    syslog - logs to syslog facility
;    console - logs messages to the Asterisk root console.
; For each file name given a comma separated list of logging "level" types should be specified
; and include at least one of the following (in no particular order):
;    debug
;    notice
;    warning
;    error
;    dtmf
;    fax
;    security
;    verbose(<level>)
; The "verbose" value can take an optional integer argument that indicates the maximum level
; of verbosity to log at.  Verbose messages with higher levels than the indicated level will
; not be logged to the file.  If a verbose level is not given, verbose messages are logged
; based upon the current level set for the root console.
; The special character "*" can also be specified and represents all levels, even dynamic
; levels registered by modules after the logger has been initialized.  This means that loading
; and unloading modules that create and remove dynamic logging levels will result in these
; levels being included on filenames that have a level name of "*", without any need to
; perform a "logger reload" or similar operation.
; Note, there is no value in specifying both "*" and specific level types for a file name.
; The "*" level means ALL levels.  The only exception is if you need to specify a specific
; verbose level. e.g, "verbose(3),*".
; It is highly recommended that you DO NOT turn on debug mode when running a production system
; unless you are in the process of debugging a specific issue.  Debug mode outputs a LOT of
; extra messages and information that can and do fill up log files quickly. Most of these
; messages are hard to interpret without an understanding of the underlying code.  Do NOT report
; debug messages as code issues, unless you have a specific issue that you are attempting to debug.
; They are messages for just that -- debugging -- and do not rise to the level of something that
; merit your attention as an Asterisk administrator.  

; output notices, warnings and errors to the console
console => notice,warning,error

; output security messages to the file named "security"
security => security

; output notices, warnings and errors to the the file named "messages"
messages => notice,warning,error

; output notices, warnings, errors, verbose, dtmf, and fax to file name "full"
full => notice,warning,error,verbose,dtmf,fax

; output notices, warning, and errors to the syslog facility
syslog.local0 => notice,warning,error

Last thing is to update the file: /etc/fail2ban/jail.d/00-firewalld.conf. On my CentOS 7 box I had to set:
banaction = iptables-allports

Restart fail2ban.

1 Like