Asterisk Security with CSF

Hi folks,

I am trying to secure my Asterisk box; I am also comparing CSF performance with fail2ban.

I have installed CSF version 5.14.
I have changed the CUSTOM1 log path in csf.conf:

CUSTOM1_LOG = "/var/log/asterisk/notice"

The rules below have been placed in regex.custom.pm:

#!/usr/bin/perl
sub custom_line {
    my $line = shift;
    my $lgfile = shift;

    # The inner (?:.\d+) group is non-capturing so that $1 is always the address
    # and $2 the failure text used in the message.
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:.\d+){3})' - (No matching peer found).*/)) {
        return ("Failed MondoTalkSIP login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:.\d+){3})' - (Username\/auth name mismatch).*/)) {
        return ("Failed MondoTalkSIP login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:.\d+){3})' - (Wrong password).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:.\d+){3})' - (Device does not match ACL).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:.\d+){3}) (failed to authenticate).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(No registration for peer).*from (\d+(?:.\d+){3}).*/)) {
        return ("Failed Asterisk login $1 from",$2,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(Failed to authenticate user).*@(\d+(?:.\d+){3}).*/)) {
        return ("Failed MondoTalkSIP login $1 from",$2,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:.\d+){3}) (failed MD5 authentication).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    return 0;
}

1;

But this is not working. Is there anyone who can help me here? What mistake have I made?

Ever have any luck with this?

Yeah, now working for me :smile:

I used the same script but it is not working. Can you please help me?

Send me your script.

This is my custom file,
/etc/csf/regex.custom.pm:

#!/usr/bin/perl

sub custom_line {
    my $line = shift;
    my $lgfile = shift;

# Do not edit before this point

    #if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*failed for '(\d+(.\d+){3}:\d+)' - Wrong password/)) {
    #return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060,5061","1");
    #}

    # The inner (?:.\d+) group is non-capturing so that $1 is always the address
    # and $2 the failure text used in the message.
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:.\d+){3})' - (No matching peer found).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:.\d+){3})' - (Username\/auth name mismatch).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.*failed for '(\d+(?:.\d+){3})' - (Wrong password)/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:.\d+){3})' - (Device does not match ACL).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:.\d+){3}) (failed to authenticate).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(No registration for peer).*from (\d+(?:.\d+){3}).*/)) {
        return ("Failed Asterisk login $1 from",$2,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(Failed to authenticate user).*@(\d+(?:.\d+){3}).*/)) {
        return ("Failed Asterisk login $1 from",$2,"myasteriskmatch","3","5060","0");
    }

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:.\d+){3}) (failed MD5 authentication).*/)) {
        return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
    }

# Do not edit beyond this point

    return 0;

}

1;

Here is my log:
[Jan 6 18:04:21] NOTICE[20629]: chan_sip.c:29053 handle_request_register: Registration from '"9000" sip:9000@my_IP' failed for '185.16.38.53:5266' - Wrong password

What is your path set for CUSTOM1_LOG?

/var/log/asterisk/notice

I'd expect the messages you would be looking at would be SECURITY ones, as per https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format

and https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

Not yet solved. Can anyone help me with this issue?

It's unlikely that any regular contributor is using anything other than fail2ban in this role.

I assume CSF stands for "ConfigServer Security & Firewall", although that was somewhat down the list of hits on Google.

https://download.configserver.com/csf/readme.txt

As already noted, it is the security messages, not the notice ones, that contain the information needed for this sort of tool.

I already changed the custom log path to /var/log/asterisk/messages, which has that log message, but it is not working yet. Can anyone tell me whether my regular expression is fully right?

Whilst you're still using completely the wrong log for this, your regular expression doesn't match the port number, and I think it uses the metacharacter "." as though it were a literal.

Thanks for the reply. Can you please tell me the right log?

As already stated, I'd expect the messages you would be looking at would be SECURITY ones, as per https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format

and https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

I applied it earlier but it is still the same.

Can you send me a sample of your security log file please?

[Jan 24 16:55:25] SECURITY[14562] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2021-01-24T16:55:25.284+0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:101@host_IP",SessionID="0x7fb3a0006470",LocalAddress="IPV4/UDP/host_IP/5060",RemoteAddress="IPV4/UDP/5.135.141.158/58533",Challenge="605083ff"
[Jan 24 16:55:33] SECURITY[14562] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2021-01-24T16:55:33.943+0600",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:6222@host_IP",SessionID="0x7fb3a002a770",LocalAddress="IPV4/UDP/host_IP/5060",RemoteAddress="IPV4/UDP/5.135.141.158/49619",Challenge="0c34d357"
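As an added example (not code posted by anyone in this thread), here is a custom_line() written against the SECURITY log format shown in the sample above rather than the NOTICE log, with the dot escaped and the port consumed separately so only the IP is captured. It assumes CUSTOM1_LOG points at the file receiving Asterisk's "security" logger level; the InvalidPassword sample record, the "asterisksec" identifier and the trigger/port values are constructed, while InvalidPassword, InvalidAccountID, ChallengeResponseFailed and FailedACL are Asterisk security event type names.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a csf custom_line() for the Asterisk
# SECURITY log (res_security_log) instead of the NOTICE log. It assumes
# CUSTOM1_LOG in csf.conf points at the file that receives the "security"
# logger level (e.g. /var/log/asterisk/security). IPv4 records only.
use strict;
use warnings;
our (%config, %globlogs);   # filled in by csf/lfd; declared so the file compiles on its own

# Asterisk security event types that mean an authentication or ACL failure.
my %fail_events = map { $_ => 1 }
    qw(InvalidPassword InvalidAccountID ChallengeResponseFailed FailedACL);

sub custom_line {
    my ($line, $lgfile) = @_;

    # Accept both ways csf identifies the custom log (older: %config, newer: %globlogs).
    my $is_custom1 = (defined $config{CUSTOM1_LOG} && $lgfile eq $config{CUSTOM1_LOG})
                  || $globlogs{CUSTOM1_LOG}{$lgfile};
    return 0 unless $is_custom1;

    # The record is a comma-separated list of Key="Value" pairs. Dots are escaped and
    # the trailing /port is consumed explicitly, so only the remote IP is captured.
    if ($line =~ /SecurityEvent="(\w+)".*RemoteAddress="IPV4\/[A-Z]+\/(\d{1,3}(?:\.\d{1,3}){3})\/\d+"/) {
        my ($event, $ip) = ($1, $2);
        if ($fail_events{$event}) {
            # message, IP, identifier, trigger count, ports to block, permanent (0 = temporary)
            return ("Asterisk SIP $event from", $ip, "asterisksec", "5", "5060", "0");
        }
    }
    return 0;   # anything else (e.g. an Informational ChallengeSent) is ignored
}

# Self-test when run directly ("perl regex.custom.pm"); skipped when csf loads the file.
unless (caller) {
    $config{CUSTOM1_LOG} = "/var/log/asterisk/security";
    # Constructed sample records in the format shown in the thread (203.0.113.9 is a documentation address).
    my $fail = '[Jan 24 16:56:01] SECURITY[14562] res_security_log.c: SecurityEvent="InvalidPassword",'
             . 'EventTV="2021-01-24T16:56:01.100+0600",Severity="Error",Service="SIP",EventVersion="2",'
             . 'AccountID="101",SessionID="0x7fb3a0006470",LocalAddress="IPV4/UDP/host_IP/5060",'
             . 'RemoteAddress="IPV4/UDP/203.0.113.9/58533",Challenge="605083ff"';
    my $info = '[Jan 24 16:55:25] SECURITY[14562] res_security_log.c: SecurityEvent="ChallengeSent",'
             . 'Severity="Informational",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.9/58533"';
    my @hit = custom_line($fail, $config{CUSTOM1_LOG});
    print "block $hit[1]: $hit[0]\n" if @hit > 1;
    print "ignored informational event\n" unless custom_line($info, $config{CUSTOM1_LOG});
}

1;
```

Running the file directly exercises the two constructed records; under csf only the failure record would produce a block entry, and the ChallengeSent record is ignored because it is not a failure event.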