Secure Asterisk 13 with Fail2ban on Ubuntu 16.04

Introduction

Fail2ban is a brute-force detection system that analyzes the log files on your system to figure out failed login attempts to various services and block them. By default, it uses iptables to block attacking IP addresses.

When you set up Fail2ban for Asterisk, the Asterisk filter file shipped with your installed Fail2ban version may not be compatible with your Asterisk version. The symptoms are attacks that never get blocked, or error messages in the Fail2ban log such as:

2018-04-08 15:53:26,494 fail2ban.filter         [10340]: ERROR   No 'host' group in 'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?//.+?".*'
2018-04-08 15:53:26,494 fail2ban.transmitter [10340]: WARNING Command ['set', 'asterisk', 'addfailregex', 'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?//.+?".*'] has failed. Received RegexException('No \'host\' group in \'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?//.+?".*\'',)
2018-04-08 15:53:26,496 fail2ban.filter [10340]: ERROR No 'host' group in 'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?//.+?".*'
2018-04-08 15:53:26,497 fail2ban.transmitter [10340]: WARNING Command ['set', 'asterisk', 'addfailregex', 'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?//.+?".*'] has failed. Received RegexException('No \'host\' group in \'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?//.+?".*\'',)
2018-04-08 15:53:26,497 fail2ban.filter [10340]: ERROR No 'host' group in 'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?//.+?".*'
2018-04-08 15:53:26,498 fail2ban.transmitter [10340]: WARNING Command ['set', 'asterisk', 'addfailregex', 'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?//.+?".*'] has failed. Received RegexException('No \'host\' group in \'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?//.+?".*\'',)
2018-04-08 15:53:26,499 fail2ban.filter [10340]: ERROR No 'host' group in 'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?//.+?".*'
2018-04-08 15:53:26,499 fail2ban.transmitter [10340]: WARNING Command ['set', 'asterisk', 'addfailregex', 'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?//.+?".*'] has failed. Received RegexException('No \'host\' group in \'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?//.+?".*\'',)

I will share a working configuration tested with:

  • Ubuntu 16.04
  • Asterisk 13.19.0
  • Fail2Ban 0.9.3

Configuration

/etc/fail2ban/filter.d/asterisk.conf:

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
# ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

/etc/fail2ban/jail.local:

In the jail.local file, you have to uncomment or add the following asterisk jail:

[asterisk]
enabled = true
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/security
maxretry = 3

In /etc/fail2ban/jail.local, the settings below are also recommended to make your system more secure:

# "bantime" is the number of seconds that a host is banned.
bantime = 172800

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 1200

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

Compared to the defaults, bantime is raised to 2 days (172800 seconds), findtime is raised to 20 minutes (1200 seconds), and maxretry is lowered to 3 attempts, so a host that fails three times within 20 minutes stays banned for two days.
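To see how the filter and these jail settings work together, here is an added example (not from the original post and not Fail2ban's own code) that applies the filter's SecurityEvent rule and the maxretry/findtime policy to constructed Asterisk 13 security-log lines. It assumes IPv4 remote addresses and the field layout Asterisk 13 writes to its security log; the IPs, timestamps and PID are invented.

```python
"""Mini re-implementation of what the asterisk jail above does; added example, not Fail2ban's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2ban turns <HOST> into a named group before compiling; mirrored here for IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Prefix of an Asterisk 13 security-log line: "[date time] SECURITY[pid] file.c: " followed by the event.
PREFIX = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\] [^:]+: (?P<content>.+)$")
# The SecurityEvent rule from the filter's failregex above, verbatim apart from the <HOST> substitution.
SECURITY_EVENT = re.compile(
    r'^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
    r'(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/' + HOST
    + r'/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$')

def sec_line(ts, event, host):
    """Build a constructed security-log line with the field layout Asterisk 13 writes (values invented)."""
    return (f'[{ts}] SECURITY[10340] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="2018-04-08T15:53:20.000+0000",Severity="Error",Service="SIP",EventVersion="2",'
            f'AccountID="1001",SessionID="0x7f0",LocalAddress="IPV4/UDP/10.0.0.5/5060",'
            f'RemoteAddress="IPV4/UDP/{host}/5060"')

SAMPLE_LOG = [  # constructed: one host hammering passwords, one slow guesser, one legitimate phone
    sec_line("2018-04-08 15:53:20", "InvalidPassword", "203.0.113.7"),
    sec_line("2018-04-08 15:53:25", "InvalidPassword", "203.0.113.7"),
    sec_line("2018-04-08 15:53:31", "ChallengeResponseFailed", "203.0.113.7"),
    sec_line("2018-04-08 15:00:00", "InvalidAccountID", "198.51.100.9"),
    sec_line("2018-04-08 15:30:00", "InvalidAccountID", "198.51.100.9"),
    sec_line("2018-04-08 15:40:00", "InvalidAccountID", "198.51.100.9"),
    sec_line("2018-04-08 15:41:00", "SuccessfulAuth", "192.0.2.10"),  # not a failure event
]

def parse_failures(lines):
    """Return (timestamp, host) for every line the filter counts as an authentication failure."""
    hits = []
    for line in lines:
        m = PREFIX.match(line)
        ev = SECURITY_EVENT.match(m.group("content")) if m else None
        if ev:
            hits.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), ev.group("host")))
    return hits

def hosts_to_ban(failures, maxretry=3, findtime=1200):
    """Ban a host once it reaches maxretry failures inside a findtime-second window (jail.local values above)."""
    recent, banned = defaultdict(list), set()
    for ts, host in sorted(failures):
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

With the values from jail.local only 203.0.113.7 is banned; the slow guesser at 198.51.100.9 spreads its three failures over 40 minutes and so never reaches maxretry inside one findtime window.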

Verify that Fail2ban is working

First reload fail2ban:

fail2ban-client reload

Check the status of the asterisk filter:

fail2ban-client status asterisk

If the output lists banned IPs, Fail2ban is running and detecting brute-force attacks against your Asterisk system, which means your Asterisk box is properly protected. An empty list only means no host has reached maxretry failures yet, not that the jail is broken.

Tips

If your Asterisk version is different, you may need a different Asterisk filter file for Fail2ban to work properly.

The best place to find the different versions of the Asterisk filter file is Fail2ban's official GitHub repository:

https://github.com/fail2ban/fail2ban

There, open config/filter.d/asterisk.conf and click on History to see every version of that filter file, then test them one by one against your Asterisk version.

Usually, if you are using a recent and stable Asterisk and Fail2ban version, the latest file present there should work best with your setup.