fail2ban alternative

I’d like to start with a little philosophy. It doesn’t matter if you’re securing a building or a server: locks just keep honest people honest. For computer security, knowing how your system works and peeking in on it is probably more effective than any application or script that could ever be developed. If you understand exactly what the security measures do and don’t do, then you have no excuse for having a false sense of security. In that same line, I looked at fail2ban and not only was it going to take longer to configure the way I wanted it to, I really didn’t need what it was offering. Our biggest problem is SIP attacks from script kiddies.

I found a slick Perl script at:
teamforrest.com/blog/171/ast … und-block/
I have tweaked it (and added comments, etc.) and figured I’d share.

#!/usr/bin/perl -w
# Crontab schedule - runs every 2 minutes and writes to a log file
#   */2 * * * * perl /root/check-failed-regs2.pl > /var/log/fail.log 2>&1
#
# iptables configuration - do this first
#   iptables -N asterisk
#   iptables -A INPUT -j asterisk
#   iptables -A FORWARD -j asterisk
#

use strict;
use warnings;

my @failhost;       # one entry per failed registration (an IP is repeated per attempt)
my %currblocked;    # IPs already present in the asterisk chain
my %addblocked;     # IP => number of failed attempts
my $action;

# Set the path and filename for the Asterisk log file
open(my $input, '<', '/var/log/asterisk/full')
    or die "\n$! - does the log file exist?\n\n";

while (my $line = <$input>) {
    chomp($line);
    # Test for no matching peer
    if ($line =~ m/' failed for '(.*?)' - No matching peer found/) {
        push(@failhost, $1);
    }
    # Test for wrong password
    if ($line =~ m/' failed for '(.*?)' - Wrong password/) {
        push(@failhost, $1);
    }
}
close($input);

# Load the existing list of entries in the asterisk iptables chain. Check path.
my $blockedhosts = `/sbin/iptables -n -L asterisk`;

foreach my $line2 (split /\n/, $blockedhosts) {
    if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)\s+/) {
        $currblocked{$1} = 'blocked';
    }
}

if (@failhost) {
    count_unique(@failhost);
    while (my ($ip, $count) = each(%addblocked)) {
        if (exists $currblocked{$ip}) {
            # Already blocked - ignore
            print "$ip already blocked\n";
        } elsif ($ip =~ /^172\./) {
            # Private network address, probably internal, fix the offending SIP device
            print "$ip is screwed up - fix the phone!\n";
        } elsif ($count >= 4) {
            # Block address with too many failed requests - tweak via $count >= 4
            $action = `/sbin/iptables -I asterisk -s $ip -j DROP`;
            print "$ip blocked. Failed attempts: $count\n";
        } else {
            print "$ip NOT blocked. Only $count failed attempt(s).\n";
        }
    }
} else {
    # Uncomment next line for verification of operation/debugging
    # print "no failed registrations.\n";
}

# Count how often each host appears in @failhost and store the totals in %addblocked
sub count_unique {
    my @array = @_;
    my %count;
    $count{$_}++ for @array;
    $addblocked{$_} = $count{$_} for sort keys %count;
}

This script watches your full log file and, if there are multiple failed attempts to register a SIP device, adds a firewall rule blocking the offending address.
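As an added example (not from the original post or the linked script), the same detection logic in Python, run over constructed sample log lines and a constructed `iptables -n -L asterisk` listing, with two changes the thread raises: the private-address test uses the actual RFC1918 ranges rather than a bare 172. prefix, and the pattern also accepts the optional ':port' suffix that later chan_sip versions append to the address. The sample addresses, the chain listing and the threshold of 4 are assumptions; the block only returns the iptables commands it would run instead of executing them.

```python
import re
import ipaddress
from collections import Counter

FAILED_RE = re.compile(r"failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?:No matching peer found|Wrong password)")
# Explicit RFC1918 ranges; a bare /^172\./ test would also exempt public 172.32-172.255 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _line(ip, reason):  # one constructed chan_sip NOTICE line (sample data, not a real log)
    return ("[Jan 10 12:00:00] NOTICE[1234] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@203.0.113.5>' failed for '{ip}' - {reason}")

SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", "No matching peer found")]
    + [_line("198.51.100.7:5060", "Wrong password")] * 3   # 4 total: block
    + [_line("192.0.2.9", "Wrong password")] * 5           # already in the chain
    + [_line("172.20.1.15", "Wrong password")] * 6         # RFC1918: fix the phone
    + [_line("172.64.3.2", "No matching peer found")] * 4  # starts with 172. but public: block
    + [_line("203.0.113.77", "Wrong password")]            # one attempt: below threshold
    + ["[Jan 10 12:00:09] VERBOSE[1234] chan_sip.c: -- Registered SIP '100' at 10.0.0.5:5060"])
# Constructed `iptables -n -L asterisk` output with one host already dropped.
SAMPLE_CHAIN = ("Chain asterisk (2 references)\ntarget     prot opt source               destination\n"
                "DROP       all  --  192.0.2.9            0.0.0.0/0\n")

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def count_failures(log_text):
    # Failed registrations per source address, with any ':port' suffix stripped.
    return Counter(m.group(1) for m in FAILED_RE.finditer(log_text))

def parse_blocked(listing):
    # Host addresses already dropped by the asterisk chain (the only kind the script adds).
    return set(re.findall(r"^DROP\s+\S+\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s", listing, re.M))

def plan(log_text, listing, threshold=4):
    # Per address: already_blocked, internal, block or below_threshold (same order as the script).
    blocked, decisions = parse_blocked(listing), {}
    for ip, n in sorted(count_failures(log_text).items()):
        if ip in blocked:
            decisions[ip] = "already_blocked"
        elif is_rfc1918(ip):
            decisions[ip] = "internal"
        else:
            decisions[ip] = "block" if n >= threshold else "below_threshold"
    return decisions

def block_commands(decisions):
    # The rules the cron job would add, returned as strings rather than executed.
    return [f"/sbin/iptables -I asterisk -s {ip} -j DROP" for ip, d in decisions.items() if d == "block"]
```

plan(SAMPLE_LOG, SAMPLE_CHAIN) returns the decision for each address and block_commands() turns the "block" entries into rule strings; nothing is executed.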

Two big problems:

  1. Watching asterisk logs does not let you identify attackers. It does not matter if you are using fail2ban or a custom script. Read “Fail2ban: False sense of security”. This is aside from the fact that banning random IPs might not be a good idea in general.

  2. Network addresses starting with 172. are not internal. Someone should read RFC1918.

This is simply another example of a low-brow asterisk-specific “solution”, where people, w/o understanding of how the software they are using works, jump to conclusions.

Blockhost works too as an alternative to Fail2Ban.

and I have a nice bridge to sell…

For most of the people who think fail2ban adds security to their system, changing the SIP port from 5060 to a different value would provide much more security. Unfortunately using a non-standard SIP port is beyond the skills of many asterisk users.

I realize the last statement is not overly optimistic about the asterisk community in general :astonished:

Talk is cheap. When the Amazon cloud started the flood of SIP attacks we moved to Blockhost and had no more nasty attacks.

Yes, you can tell me again and again that my asterisk is vulnerable and will be at risk, but in my practice my servers banned all those “smarty” guys who tried to register or make calls without permission.

Damn thor - chill a bit.

  1. Try reading the header of my message. I am fully aware that no script is going to provide complete security, so it’s awfully hard to have a false sense of security. Also, if a random IP is attempting to connect to one of my boxes then I’m going to ban it. If there are extenuating circumstances in which an address needs to be allowed then I will go back and release it. Kill them now and let me sort them out later. You say that watching Asterisk logs doesn’t let you identify attackers? I think you’re full of it and await your detailed explanation.

  2. I’m fully aware that 172.16.0.0/12 is the designated private IP address range but allowing 172.* was a heck of a lot easier to code and I consider the hole small enough - remember, I don’t rely on this as a complete security solution.

  3. I have been in the telephony industry for over a decade and the computer industry for over 2. I’d appreciate it if you’d take your snide remarks about “people w/o understanding of how the software they are using works, jump to conclusions” and shove it. Are you a professional troll or just pissed off at something specific? I THOUGHT these forums were here for users to share ideas and solutions. Sorry if I was incorrect.

You are such a charmer :unamused: I already told you to read viewtopic.php?t=78988.

I followed your link and it doesn’t explain how to identify hackers at all. It appears to be complaining about how Asterisk doesn’t log enough data and about how wrong people are for using friend instead of user/peer settings. If the script I found and modified to help me block the script kiddies trying to hack into my boxes via SIP brute force attacks does just that, then it is neither unhelpful nor worthless.
While I believe that constructive criticism has its place, I think your perception is warped. If, as you say, watching Asterisk log files “does not let you identify hackers” then please, enlighten all of us how exactly we should be doing that… and keep it in the realm of using existing software versions. Telling us there is no way is also unacceptable. There are some of us with production machine(s) in the field.

So you are saying ignorance is bliss? I am simply trying to raise awareness of the problem and all I am getting back is criticism from people who stick to their old beliefs and refuse to accept reality. I also have not seen a case for type=friend despite asking for it for over a month.

Simple questions to ask yourself which can address the script kiddie problem:

  1. Do you need to have the SIP port exposed to the internet?

If not, block it and do not allow remote access to your box. The SIP port does not need to be open on your firewall for asterisk to place/receive calls to/from your VoIP provider. This is networking 101, which many people seem to miss.

  2. If you do need to have the SIP port exposed, does it have to be 5060?

You can change the port asterisk is using for SIP and things will still work. It will require reconfiguration of your phones to make them aware of the new port but that’s pretty much it. Your VoIP provider does not care what port the SIP traffic is coming from when you register. If you do not register, you can tell your VSP to use a different port to send the SIP traffic to you.

Since 1.6 asterisk can advertise a different port depending on whether it talks to hosts on localnet or not. You can use 5060 internally and, on your firewall, map one port on your external IP to 5060 to reach asterisk. This would not require phone reconfiguration.

Alternatively you can deploy a SIP proxy in front of Asterisk to handle the incoming traffic from the internet - OpenSIPS or Kamailio are good choices.