I upgraded from Asterisk 11 to 14 and found it hard to find the info on setting up the fail2ban package.
After installing fail2ban, fail2ban-systemd and iptables-services, change the asterisk jail in jail.conf to:
[asterisk]
enabled = true
filter = asterisk
port = 5060,5061,5062
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/full
maxretry = 2
findtime = 21600
bantime = 86400
I also think it is a good idea to set ignoreip to include any remote connection IP you might be using:
ignoreip = 127.0.0.1/8 192.168.1.0/24
The filter.d/asterisk.conf needs to be updated for the new log format:
# Fail2Ban configuration file
[INCLUDES]
#before = common.conf
[Definition]
failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Wrong password
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching endpoint found
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching peer found
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Username/auth name mismatch
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Device does not match ACL
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Peer is not supposed to register
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - ACL error \(permit/deny\)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
ignoreregex =
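To check that the filter really fires on Asterisk 14 log lines before trusting it, here is a small Python harness, added here and not part of the original post or of fail2ban: it substitutes a simplified IP-only stand-in for fail2ban's <HOST> tag (an assumption; fail2ban's real tag also matches hostnames), runs a subset of the failregex lines above over constructed sample lines in the shape of the full log, and applies the jail's maxretry = 2 to decide which sources would be banned.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: an IPv4 or IPv6 literal.
# Assumption for this demo only; fail2ban's real <HOST> also accepts hostnames.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# A subset of the failregex lines from the filter above (PJSIP and manager formats).
FAILREGEX = [
    r"NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Wrong password",
    r"NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching endpoint found",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'",
    r"NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'",
]

# Constructed sample lines in the shape of /var/log/asterisk/full with dateformat = %F %T.
# Addresses are documentation ranges; the lines are not from a real system.
SAMPLE_LOG = """\
[2017-03-01 10:15:22] NOTICE[2345] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' (callid: 7a1b2c@203.0.113.5) - No matching endpoint found
[2017-03-01 10:15:23] NOTICE[2345] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' (callid: 7a1b2d@203.0.113.5) - Wrong password
[2017-03-01 10:15:40] NOTICE[2350] manager.c: 192.0.2.77 failed to authenticate as 'admin'
[2017-03-01 10:15:41] VERBOSE[2345] res_pjsip_registrar.c: Added contact 'sip:101@203.0.113.9:5060' to AOR '101' with expiration of 3600 seconds
"""

COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def find_failures(log_text):
    """Return (line number, offending host) for each line matching a failregex."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits.append((lineno, m.group("host")))
                break  # one hit per line, as fail2ban counts it
    return hits


def hosts_to_ban(hits, maxretry=2):
    """Apply the jail's maxretry (2 above) to the hits; findtime is ignored here."""
    counts = {}
    for _, host in hits:
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    hits = find_failures(SAMPLE_LOG)
    for lineno, host in hits:
        print(f"line {lineno}: failure from {host}")
    print("would ban:", hosts_to_ban(hits))
```

The authoritative check is fail2ban's own tool, run against the real log: fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf.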
For some reason the ipset was configured, but not linked to any action, so type this:
iptables -A INPUT -m set --match-set fail2ban-asterisk-tcp src -j DROP
iptables -A INPUT -m set --match-set fail2ban-asterisk-udp src -j DROP
Not sure why, but my logger.conf was pretty much blank, so you can set it with this:
[general]
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
;
; see strftime(3) Linux manual for format specifiers. Note that there is
; also a fractional second parameter which may be used in this field. Use
; %1q for tenths, %2q for hundredths, etc.
;
dateformat = %F %T
; Write callids to log messages (defaults to yes)
use_callids = yes
; Append the hostname to the name of the log files (defaults to no)
appendhostname = no
; Log queue events to a file (defaults to yes)
queue_log = yes
; Always log queue events to a file, even when a realtime backend is
; present (defaults to no).
queue_log_to_file = no
; Set the queue_log filename (defaults to queue_log)
queue_log_name = queue_log
; When using realtime for the queue log, use GMT for the timestamp
; instead of localtime. (defaults to no)
queue_log_realtime_use_gmt = no
; Log rotation strategy (defaults to sequential):
; none: Do not perform any log rotation at all. You should make
; very sure to set up some external log rotate mechanism
; as the asterisk logs can get very large, very quickly.
; sequential: Rename archived logs in order, such that the newest
; has the highest sequence number. When
; exec_after_rotate is set, ${filename} will specify
; the new archived logfile.
; rotate: Rotate all the old files, such that the oldest has the
; highest sequence number (this is the expected behavior
; for Unix administrators). When exec_after_rotate is
; set, ${filename} will specify the original root filename.
; timestamp: Rename the logfiles using a timestamp instead of a
; sequence number when "logger rotate" is executed.
; When exec_after_rotate is set, ${filename} will
; specify the new archived logfile.
rotatestrategy = rotate
; Run a system command after rotating the files. This is mainly
; useful for rotatestrategy=rotate. The example allows the last
; two archive files to remain uncompressed, but after that point,
; they are compressed on disk.
exec_after_rotate=gzip -9 ${filename}.2
[logfiles]
; File names can either be relative to the standard Asterisk log directory (see "astlogdir" in
; asterisk.conf), or absolute paths that begin with '/'.
;
; A few file names have been reserved and are considered special, thus cannot be used and will
; not be considered as a regular file name. These include the following:
;
; syslog - logs to syslog facility
; console - logs messages to the Asterisk root console.
;
; For each file name given a comma separated list of logging "level" types should be specified
; and include at least one of the following (in no particular order):
; debug
; notice
; warning
; error
; dtmf
; fax
; security
; verbose(<level>)
;
; The "verbose" value can take an optional integer argument that indicates the maximum level
; of verbosity to log at. Verbose messages with higher levels than the indicated level will
; not be logged to the file. If a verbose level is not given, verbose messages are logged
; based upon the current level set for the root console.
;
; The special character "*" can also be specified and represents all levels, even dynamic
; levels registered by modules after the logger has been initialized. This means that loading
; and unloading modules that create and remove dynamic logging levels will result in these
; levels being included on filenames that have a level name of "*", without any need to
; perform a "logger reload" or similar operation.
;
; Note, there is no value in specifying both "*" and specific level types for a file name.
; The "*" level means ALL levels. The only exception is if you need to specify a specific
; verbose level. e.g, "verbose(3),*".
;
; It is highly recommended that you DO NOT turn on debug mode when running a production system
; unless you are in the process of debugging a specific issue. Debug mode outputs a LOT of
; extra messages and information that can and do fill up log files quickly. Most of these
; messages are hard to interpret without an understanding of the underlying code. Do NOT report
; debug messages as code issues, unless you have a specific issue that you are attempting to debug.
; They are messages for just that -- debugging -- and do not rise to the level of something that
; merit your attention as an Asterisk administrator.
; output notices, warnings and errors to the console
console => notice,warning,error
; output security messages to the file named "security"
security => security
; output notices, warnings and errors to the file named "messages"
messages => notice,warning,error
; output notices, warnings, errors, verbose, dtmf, and fax to file name "full"
full => notice,warning,error,verbose,dtmf,fax
; output notices, warning, and errors to the syslog facility
syslog.local0 => notice,warning,error
Last thing is to update the file /etc/fail2ban/jail.d/00-firewalld.conf. On my CentOS 7 box I had to set:
banaction = iptables-allports
Restart fail2ban.