
Friday, October 31, 2014

Installing and configuring Asterisk 11 / Fail2ban on Ubuntu Server / CentOS

Ubuntu:
sudo apt-get update
sudo apt-get install fail2ban

CentOS:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban
In Asterisk

Edit the logger.conf file:

nano /etc/asterisk/logger.conf

and add the following line:

fail2ban2 => security,notice,warning,error

Reload the Asterisk configuration:

asterisk-dominicana*CLI> reload

This creates a file called /var/log/asterisk/fail2ban2
 
If you are on FreePBX, edit the file /etc/asterisk/logger_logfiles_custom.conf instead and add the following line:

fail2ban2 => security,notice,warning,error

Reload the Asterisk configuration:

asterisk-dominicana*CLI> reload

This creates a file called /var/log/asterisk/fail2ban2
 
Edit the jail.conf file.
NOTE: ENABLE THE POLICY BY CHANGING enabled = false TO enabled = true, as in the example below.

nano /etc/fail2ban/jail.conf

Add the following section:

[asterisk-udp]

enabled  = true
filter   = asterisk
port     = 5060,5061
protocol = udp
#logpath  = /var/log/asterisk/messages
logpath  = /var/log/asterisk/fail2ban2

FINALLY, RESTART THE SERVICE:
service fail2ban restart

This is a copy of my fail2ban filter configuration for Asterisk, located at /etc/fail2ban/filter.d/asterisk.conf:

# Fail2Ban configuration file
#
# Author: Xavier Devlamynck
#
#


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Peer is not supposed to register$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Not a local domain$
            NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'de$
            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$
            NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$
            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@<HOST>\S*$
            SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",Ac$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

########################################################### 
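As an added example (not from the original post), here is a small Python re-implementation of what fail2ban does with the failregex above when it reads /var/log/asterisk/fail2ban2: it expands %(__pid_re)s and <HOST>, refuses a pattern that has no host group (the "No 'host' group" error a reader reports in the comment at the end of this post, which is what a truncated pasted line produces), strips the Asterisk timestamp, and counts failures per host against the jail's maxretry. The <HOST> expansion, the sample log lines and the cut-off SECURITY pattern are assumptions constructed for this example.

```python
import re
from collections import Counter

# __pid_re comes from fail2ban's common.conf ("before = common.conf" above).
PID_RE = r"(?:\[\d+\])"
# <HOST> expansion of fail2ban 0.8.x (assumed; the filter comment above shows the older \S+ form).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Two complete failregex lines from asterisk.conf above, plus a constructed copy of
# the SECURITY line cut off before its <HOST> tag, as a web paste can leave it.
FAILREGEX = [
    r"NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$",
    r"NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$",
    r'SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+"',
]
# Constructed sample of /var/log/asterisk/fail2ban2 in Asterisk 11 format.
SAMPLE_LOG = """\
[2014-10-31 10:22:01] NOTICE[2312] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2014-10-31 10:22:02] NOTICE[2312] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2014-10-31 10:22:03] NOTICE[2312] chan_sip.c: Host 198.51.100.7 failed to authenticate as '100'
[2014-10-31 10:22:04] NOTICE[2312] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)
[2014-10-31 10:22:05] NOTICE[2312] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
"""

def compile_failregex(pattern):
    """Expand the shortcuts and require a 'host' group, as fail2ban does at startup."""
    expanded = pattern.replace("%(__pid_re)s", PID_RE).replace("<HOST>", HOST_RE)
    compiled = re.compile(expanded)
    if "host" not in compiled.groupindex:
        raise ValueError("No 'host' group in %r" % pattern)
    return compiled

def count_failures(log_text, patterns):
    """Strip the timestamp as fail2ban does, then count matched lines per host."""
    usable = []
    for p in patterns:
        try:
            usable.append(compile_failregex(p))
        except ValueError:
            pass  # fail2ban would refuse to load the filter; here the pattern is skipped
    counts = Counter()
    for line in log_text.splitlines():
        body = re.sub(r"^\[[^\]]*\] ", "", line)
        hits = [m for m in (rx.search(body) for rx in usable) if m]
        if hits:
            counts[hits[0].group("host")] += 1
    return counts

def hosts_to_ban(counts, maxretry=3):
    """Hosts that reached the jail's maxretry (fail2ban's default is 3)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

With the sample log, 198.51.100.7 accumulates three failures and is the only host that reaches the default maxretry; the "Peer is now Reachable" line is ignored because no pattern matches it.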

Check the iptables rules:
 
root@asterisk-dominicana:/etc/fail2ban/filter.d# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-asterisk-udp  udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5060,5061,7654
fail2ban-asterisk-tcp  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5060,5061
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-asterisk-tcp (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-asterisk-udp (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

If we want to unban a banned IP, the process is as follows:

Check the blocked IP: iptables -L -n

Find the jail:

nano /etc/fail2ban/jail.conf

NOTE: the configuration may also be in /etc/fail2ban/jail.local

In my case the jail is asterisk-udp

Run the command: fail2ban-client set asterisk-udp unbanip 190.166.130.113
Done.

Note:
The general syntax of the command is:
fail2ban-client set JAIL unbanip IP-ADDRESS

Help links:

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-fail2ban-on-ubuntu-14-04

http://www.coochey.net/?p=61

http://www.tutorials.makkugasho.com/2014/02/21/asterisk-11-5-fail2ban/

1 comment:

  1. Thanks for your help. Do you know why this error appears in the fail2ban status?

    ERROR NOK: ('No \'host\' group in \'SECURITY(?:\\[\\d+\\]) [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",Even...[0-9]+",Ac$\'',)