From: Sebastian A. <sh...@op...> - 2013-06-26 07:07:24
It seems that the Asterisk page on the fail2ban wiki (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated, as it states fail2ban can't protect against certain types of attacks. The page makes several references to this fact, and links to a post on forums.asterisk.org.

I believe these problems have been fixed with the advent of the security log since Asterisk 10+ (by default located in /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf). The security log now provides sufficient data for fail2ban to block attackers exploiting just INVITEs, instead of the ones trying to REGISTER.

Unless my research on the above is wrong, I think it would be useful for the wiki page to be updated with the relevant information (including new filters/regexes for the security log - along the lines of the ones found here: http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk).

I'd be happy to add the info myself if I can get an account to the wiki - or if anybody else who already has access can do it, that would be great.
From: Daniel B. <dan...@in...> - 2013-06-26 12:18:22
On 26/06/13 17:07, Sebastian Arcus wrote:
> It seems that the Asterisk page on the fail2ban wiki
> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,

yes. Hopefully our filters haven't been.

> as it states fail2ban can't protect against certain types of attacks.
> The page makes several references to this fact, and links to a post on
> forums.asterisk.org
>
> I believe these problems have been fixed with the advent of the security
> log since Asterisk 10+ (by default located in
> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
> The security log now provides sufficient data for fail2ban to block
> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.

Updated a month ago to include this:
https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf

Can you see anything here missing or wrong?

https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf

> Unless my research on the above is wrong, I think it would be useful for
> the wiki page to be updated with the relevant information (including new
> filters/regexes for the security log - along the lines of the ones found
> here:
> http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk).
>
> I'd be happy to add the info myself if I can get an account to the wiki
> - or if anybody else who has access already can do it would be great.

Or perhaps we can obsolete the wiki pages and point straight to the filter.
From: Sebastian A. <sh...@op...> - 2013-06-26 15:35:42
On 26/06/13 13:18, Daniel Black wrote:
> On 26/06/13 17:07, Sebastian Arcus wrote:
>> It seems that the Asterisk page on the fail2ban wiki
>> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>
> yes. Hopefully our filters haven't been.
>
>> as it states fail2ban can't protect against certain types of attacks.
>> The page makes several references to this fact, and links to a post on
>> forums.asterisk.org
>>
>> I believe these problems have been fixed with the advent of the security
>> log since Asterisk 10+ (by default located in
>> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
>> The security log now provides sufficient data for fail2ban to block
>> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.
>
> Updated a month ago to include this:
> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>
> Can you see anything here missing or wrong?
>
> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf

The fail2ban filter above includes only a regex for the InvalidAccountID security event. The voip-info.org page also includes regexes for the FailedACL, ChallengeResponseFailed and InvalidPassword security events. Unless somebody knows of a good reason not to include them, I guess they are needed in the filter as well?

>
>> Unless my research on the above is wrong, I think it would be useful for
>> the wiki page to be updated with the relevant information (including new
>> filters/regexes for the security log - along the lines of the ones found
>> here:
>> http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk).
>>
>> I'd be happy to add the info myself if I can get an account to the wiki
>> - or if anybody else who has access already can do it would be great.
>
> Or perhaps we can obsolete the wiki pages and point straight to the filter.

Maybe that's not a bad idea. The reason I raised it is because the wiki page comes up pretty much at the top of Google results when searching for Asterisk+fail2ban - so I guess it is likely that many people will think it is current information (I did so too until I dug around some more).

However, one of the advantages of the wiki page is that it includes extra setup information. For example for Asterisk, it is necessary to change the date format and configure the security log in /etc/asterisk/logger.conf - as it isn't turned on by default - and then to restart the logger module in Asterisk. For the above filter, the main log would need to be configured to include security logging (as opposed to having a separate security log, which is another route some setups go - with separate filter/jail for the main and security logs). Unless that information can be included somewhere in the Github.
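The two logger.conf changes described in the message above (an explicit date format, and a channel that actually carries the security level) are easy to get half right, and the choice between a separate security log and security events merged into the main log decides which file the jail's logpath must point at. The following is an added example, not code from this thread, from Asterisk or from fail2ban: a small pre-flight checker that parses constructed logger.conf text and reports both settings. The parser covers only the Asterisk config syntax this check needs ([section] headers, "key => value" or "key = value", ";" comments), and the `%F %T` date format it looks for is the one the wiki page recommends, assumed here.

```python
import re

# Added example, not from the thread, Asterisk or fail2ban: a pre-flight check
# for the two logger.conf settings the message above calls out, run over
# constructed config text. Asterisk's config syntax ([section], "key => value"
# or "key = value", ";" comments) is parsed only as far as this check needs.


def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]} for Asterisk-style config text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = re.match(r"^([^=>]+?)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            sections[current].append((m.group(1).strip(), m.group(2).strip()))
    return sections


def check_logger_conf(text):
    """Report whether logger.conf writes SECURITY events in a form fail2ban can use."""
    conf = parse_asterisk_conf(text)
    general = dict(conf.get("general", []))
    dateformat = general.get("dateformat", "")
    # Asterisk's stock timestamp ([Jun 26 07:07:24]) has no year; the wiki's
    # recommended %F %T (assumed here) yields [2013-06-26 07:07:24].
    year_in_timestamp = "%F" in dateformat or "%Y" in dateformat
    # Every log file whose level list contains 'security' is a candidate
    # logpath for the jail; 'console' is not a file.
    security_files = [
        name for name, levels in conf.get("logfiles", [])
        if name != "console"
        and "security" in [lvl.strip() for lvl in levels.split(",")]
    ]
    return {
        "dateformat": dateformat,
        "year_in_timestamp": year_in_timestamp,
        "security_log_files": security_files,
        "ready": year_in_timestamp and bool(security_files),
    }


# Constructed samples. STOCK mirrors a default-looking file: dateformat
# commented out and no channel carrying the security level.
STOCK = """
[general]
;dateformat=%F %T

[logfiles]
console => notice,warning,error
messages => notice,warning,error
"""

# Separate security log, as in the /var/log/asterisk/security example above.
SEPARATE = """
[general]
dateformat=%F %T

[logfiles]
console => notice,warning,error
messages => notice,warning,error
security => security
"""

# Security events merged into the main log, the other route mentioned above.
MERGED = """
[general]
dateformat=%F %T

[logfiles]
console => notice,warning,error
messages => notice,warning,error,security
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("separate", SEPARATE), ("merged", MERGED)):
        print(name, check_logger_conf(text))
```

Run it against a real /etc/asterisk/logger.conf by reading the file into `check_logger_conf`; `security_log_files` is the list of files (relative to the Asterisk log directory) that the jail's logpath can watch. After editing the file, the Asterisk CLI command `logger reload` applies it without restarting Asterisk.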
From: Daniel B. <dan...@in...> - 2013-06-26 21:05:17
On 26/06/13 23:42, Sebastian Arcus wrote:
> On 26/06/13 13:18, Daniel Black wrote:
>> On 26/06/13 17:07, Sebastian Arcus wrote:
>>> It seems that the Asterisk page on the fail2ban wiki
>>> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>>
>> yes. Hopefully our filters haven't been.
>>
>>> as it states fail2ban can't protect against certain types of attacks.
>>> The page makes several references to this fact, and links to a post on
>>> forums.asterisk.org
>>>
>>> I believe these problems have been fixed with the advent of the security
>>> log since Asterisk 10+ (by default located in
>>> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
>>> The security log now provides sufficient data for fail2ban to block
>>> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.
>>
>> Updated a month ago to include this:
>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>
>> Can you see anything here missing or wrong?
>>
>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>
> The fail2ban filter above includes only a regex for the InvalidAccountID
> security event. The voip-info.org page also includes regexes for the
> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
> Unless somebody knows of a good reason not to include them, I guess they
> are needed in the filter as well?

Sounds fair to include these. Thanks for bringing these to our attention.

Can you provide some log samples of these failures?

>>
>>> Unless my research on the above is wrong, I think it would be useful for
>>> the wiki page to be updated with the relevant information (including new
>>> filters/regexes for the security log - along the lines of the ones found
>>> here:
>>> http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk).
>>>
>>> I'd be happy to add the info myself if I can get an account to the wiki
>>> - or if anybody else who has access already can do it would be great.
>>
>> Or perhaps we can obsolete the wiki pages and point straight to the filter.
>
> Maybe that's not a bad idea. The reason I raised it is because the wiki
> page comes up pretty much at the top of Google results when searching for
> Asterisk+fail2ban - so I guess it is likely that many people will think
> it is current information (I did so too until I dug around some more).
>
> However, one of the advantages of the wiki page is that it includes
> extra setup information. For example for Asterisk, it is necessary to
> change the date format and configure the security log in
> /etc/asterisk/logger.conf - as it isn't turned on by default - and then
> to restart the logger module in Asterisk. For the above filter, the main
> log would need to be configured to include security logging (as opposed
> to having a separate security log, which is another route some setups go
> - with separate filter/jail for the main and security logs). Unless that
> information can be included somewhere in the Github.

fair assessment.
From: Yehuda K. <ye...@ym...> - 2013-06-26 15:39:08
I think we should keep it in the wiki.
I sent login information to Sebastian.

- Y

On Wed, Jun 26, 2013 at 8:18 AM, Daniel Black <dan...@in...> wrote:
> On 26/06/13 17:07, Sebastian Arcus wrote:
> > It seems that the Asterisk page on the fail2ban wiki
> > (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>
> yes. Hopefully our filters haven't been.
>
> > as it states fail2ban can't protect against certain types of attacks.
> > The page makes several references to this fact, and links to a post on
> > forums.asterisk.org
> >
> > I believe these problems have been fixed with the advent of the security
> > log since Asterisk 10+ (by default located in
> > /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
> > The security log now provides sufficient data for fail2ban to block
> > attackers exploiting just INVITEs, instead of the ones trying to
> > REGISTER.
>
> Updated a month ago to include this:
> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>
> Can you see anything here missing or wrong?
>
> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>
> > Unless my research on the above is wrong, I think it would be useful for
> > the wiki page to be updated with the relevant information (including new
> > filters/regexes for the security log - along the lines of the ones found
> > here:
> > http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
> > ).
> >
> > I'd be happy to add the info myself if I can get an account to the wiki
> > - or if anybody else who has access already can do it would be great.
>
> Or perhaps we can obsolete the wiki pages and point straight to the filter.
From: Sebastian A. <sh...@op...> - 2013-07-05 09:41:16
On 26/06/13 16:11, Yehuda Katz wrote:
> I think we should keep it in the wiki.
> I sent login information to Sebastian.
>
> - Y
>

Thanks Yehuda. Been a bit busy lately - but will get on with updating the wiki page now.

Sebastian
From: Daniel B. <dan...@in...> - 2013-06-26 23:25:52
On 26/06/13 23:42, Sebastian Arcus wrote:
> On 26/06/13 13:18, Daniel Black wrote:
>> On 26/06/13 17:07, Sebastian Arcus wrote:
>>> It seems that the Asterisk page on the fail2ban wiki
>>> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>>
>> yes. Hopefully our filters haven't been.
>>
>>> as it states fail2ban can't protect against certain types of attacks.
>>> The page makes several references to this fact, and links to a post on
>>> forums.asterisk.org
>>>
>>> I believe these problems have been fixed with the advent of the security
>>> log since Asterisk 10+ (by default located in
>>> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
>>> The security log now provides sufficient data for fail2ban to block
>>> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.
>>
>> Updated a month ago to include this:
>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>
>> Can you see anything here missing or wrong?
>>
>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>
> The fail2ban filter above includes only a regex for the InvalidAccountID
> security event. The voip-info.org page also includes regexes for the
> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
> Unless somebody knows of a good reason not to include them, I guess they
> are needed in the filter as well?

better?

https://github.com/grooverdan/fail2ban/commit/fa7a105483e6653d45830ae0336c84daba6899fc

I'd like more examples of SECURITY log events.

The regex to match the log prefix is getting fairly long due to variations. Is it still right?
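Two points in the thread so far lend themselves to the same check: Sebastian's opening observation that the security log gives fail2ban something to match for INVITE-based guessing, where chan_sip's NOTICE lines only cover REGISTER failures, and Daniel's question just above about whether the growing log-prefix regex still matches the prefix variants Asterisk writes. The block below is an added example, not code from this thread or from fail2ban: it rebuilds the core of a fail2ban filter in plain Python (regexes in the style of the project's asterisk.conf, `<HOST>` expanded by hand) and runs it over constructed log lines, including prefixes with and without a `[pid]` and a `[C-xxxxxxxx]` call id. The sample lines, addresses and session ids are constructed, not captured from a real system.

```python
import re
from collections import Counter

# Added example, not code from this thread or from fail2ban itself. It rebuilds
# the core of a fail2ban filter in plain Python and runs it over constructed
# Asterisk log lines, to show two things raised above: the SECURITY channel
# gives fail2ban a remote address for INVITE-based guessing, where chan_sip's
# NOTICE lines only cover REGISTER failures, and the log prefix regex has to
# absorb the optional [pid] and [C-xxxxxxxx] call-id variants.

# fail2ban expands its <HOST> tag to a similar group; ':' is excluded from the
# class so a trailing port is not swallowed into the address.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Line prefix with dateformat=%F %T in logger.conf: timestamp, level, optional
# [pid], optional [C-xxxxxxxx] call id, then source file and optional line.
# (The project's filter starts with \[\] instead of a timestamp because fail2ban
# strips the date before applying failregex; matching it here keeps the example
# stand-alone.)
PREFIX = (r"^\[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\] (?:NOTICE|SECURITY)"
          r"(?:\[\d+\])?:?(?:\[\S+\])? \S+:\d* ")

FAILREGEX = [
    # chan_sip NOTICE: written for failed REGISTERs only.
    re.compile(PREFIX + r"Registration from '[^']*' failed for '" + HOST +
               r"(?::\d+)?' - (?:Wrong password|No matching peer found)$"),
    # res_security_log line: written for any request type, INVITE included.
    re.compile(PREFIX + r'SecurityEvent="(?:FailedACL|InvalidAccountID|'
               r'ChallengeResponseFailed|InvalidPassword)",.*'
               r'RemoteAddress="IPV[46]/(?:UDP|TCP|WS)/' + HOST + r'/\d+"'),
]


def find_failures(lines):
    """Return the offending host for every line matching one of FAILREGEX."""
    hosts = []
    for line in lines:
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(lines, maxretry=3):
    """Hosts failing at least maxretry times (fail2ban's findtime window is ignored)."""
    counts = Counter(find_failures(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample log; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = [
    # REGISTER guessing from 203.0.113.5: the classic NOTICE lines.
    "[2013-06-26 10:31:14] NOTICE[2428] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password",
    "[2013-06-26 10:31:15] NOTICE[2428][C-00000011] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found",
    "[2013-06-26 10:31:16] NOTICE[2428] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password",
    # INVITE guessing from 198.51.100.7: no NOTICE at all, only SECURITY events.
    '[2013-06-26 10:32:01] SECURITY[2428] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1372242721-100000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f2a4c0a9a08",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"',
    '[2013-06-26 10:32:02] SECURITY[2428][C-00000012] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1372242722-100000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f2a4c0a9a08",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="1c6d1c15",Response="0123456789abcdef0123456789abcdef",ExpectedResponse=""',
    '[2013-06-26 10:32:03] SECURITY[2428] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1372242723-100000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f2a4c0a9a08",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"',
    # A successful login and an unrelated VERBOSE line must not count.
    '[2013-06-26 10:33:00] SECURITY[2428] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1372242780-100000",Severity="Informational",Service="SIP",EventVersion="1",AccountID="200",SessionID="0x7f2a4c0a9b10",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060",UsingPassword="1"',
    '[2013-06-26 10:33:01] VERBOSE[2428] pbx.c:     -- Executing [200@default:1] Dial("SIP/200-0000001a", "SIP/201") in new stack',
]

if __name__ == "__main__":
    print(find_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
```

With only the NOTICE regex, the INVITE-guessing host would never be counted; with the SECURITY regex, both hosts reach maxretry. Point `find_failures` at real lines from the security log to confirm the prefix regex against whatever variants a given Asterisk version actually writes, which is what fail2ban-regex does for a whole filter file.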
From: Sebastian A. <sh...@op...> - 2013-07-05 10:10:35
On 27/06/13 00:25, Daniel Black wrote:
> On 26/06/13 23:42, Sebastian Arcus wrote:
>> On 26/06/13 13:18, Daniel Black wrote:
>>> On 26/06/13 17:07, Sebastian Arcus wrote:
>>>> It seems that the Asterisk page on the fail2ban wiki
>>>> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>>>
>>> yes. Hopefully our filters haven't been.
>>>
>>>> as it states fail2ban can't protect against certain types of attacks.
>>>> The page makes several references to this fact, and links to a post on
>>>> forums.asterisk.org
>>>>
>>>> I believe these problems have been fixed with the advent of the security
>>>> log since Asterisk 10+ (by default located in
>>>> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
>>>> The security log now provides sufficient data for fail2ban to block
>>>> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.
>>>
>>> Updated a month ago to include this:
>>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>>
>>> Can you see anything here missing or wrong?
>>>
>>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>>
>> The fail2ban filter above includes only a regex for the InvalidAccountID
>> security event. The voip-info.org page also includes regexes for the
>> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
>> Unless somebody knows of a good reason not to include them, I guess they
>> are needed in the filter as well?
>
>
> better?
>
> https://github.com/grooverdan/fail2ban/commit/fa7a105483e6653d45830ae0336c84daba6899fc
>
> I'd like more examples of SECURITY log events
>
> The regex to match the log prefix is getting fairly long due to
> variations. Is it still right?
>

Thanks for that. I'll copy it into my Asterisk/fail2ban install and keep an eye on it to see if it works fine.
From: Tom H. <to...@wh...> - 2013-06-27 07:55:03
On 06/26/2013 03:42 PM, Sebastian Arcus wrote:
>> Or perhaps we can obsolete the wiki pages and point straight to the filter.
>
> Maybe that's not a bad idea. The reason I raised it is because the wiki
> page comes up pretty much at the top of Google results when searching for
> Asterisk+fail2ban - so I guess it is likely that many people will think
> it is current information (I did so too until I dug around some more).
>
> However, one of the advantages of the wiki page is that it includes
> extra setup information. For example for Asterisk, it is necessary to
> change the date format and configure the security log in
> /etc/asterisk/logger.conf - as it isn't turned on by default - and then
> to restart the logger module in Asterisk. For the above filter, the main
> log would need to be configured to include security logging (as opposed
> to having a separate security log, which is another route some setups go
> - with separate filter/jail for the main and security logs). Unless that
> information can be included somewhere in the Github.

IMHO, the easiest way to make sure that the documentation doesn't get out of sync with the filter definitions is to add it to the filter itself. Add the required/preferred Asterisk setup as comments in the file, and simply make the wiki page say "yes we support it" and point to the filter file on github for the gory details.

Regards,
Tom
From: Yehuda K. <ye...@ym...> - 2013-06-27 15:41:48
What I have seen some other projects do (can't remember which right now) is put most of the documentation in the code (using something like POD for Perl, maybe we could use ReStructuredText) and have a post-commit hook that writes that documentation to the wiki page, using a sub-page:

> <!-- ------------------------------------------------------ -->
> <!-- The text of the Documentation is on a locked subpage which is
> created automatically from comments in __FILE__. -->
> <!-- Please make all changes to GitHub and this page will be updated by a
> post-commit hook. -->
> <!-- ------------------------------------------------------ -->
> {{docs}}
> <br>
> == Notes ==
> <!-- ---------------------------------------------------------- -->
> <!-- Add more resources here -->
> <!-- ---------------------------------------------------------- -->

Thoughts?

On Thu, Jun 27, 2013 at 3:54 AM, Tom Hendrikx <to...@wh...> wrote:
> On 06/26/2013 03:42 PM, Sebastian Arcus wrote:
> >> Or perhaps we can obsolete the wiki pages and point straight to the
> >> filter.
> >
> > Maybe that's not a bad idea. The reason I raised it is because the wiki
> > page comes up pretty much at the top of Google results when searching for
> > Asterisk+fail2ban - so I guess it is likely that many people will think
> > it is current information (I did so too until I dug around some more).
> >
> > However, one of the advantages of the wiki page is that it includes
> > extra setup information. For example for Asterisk, it is necessary to
> > change the date format and configure the security log in
> > /etc/asterisk/logger.conf - as it isn't turned on by default - and then
> > to restart the logger module in Asterisk. For the above filter, the main
> > log would need to be configured to include security logging (as opposed
> > to having a separate security log, which is another route some setups go
> > - with separate filter/jail for the main and security logs). Unless that
> > information can be included somewhere in the Github.
>
> IMHO, the easiest way to make sure that the documentation doesn't get
> out of sync with the filter definitions is to add it to the filter
> itself. Add the required/preferred Asterisk setup as comments in the
> file, and simply make the wiki page say "yes we support it" and point to
> the filter file on github for the gory details.
>
> Regards,
> Tom
From: Yehuda K. <ye...@ym...> - 2013-06-27 15:35:58
I created a sample page: http://www.fail2ban.org/wiki/index.php/Sandbox/Documentation_Page

On Thu, Jun 27, 2013 at 11:11 AM, Yehuda Katz <ye...@ym...> wrote:
> What I have seen some other projects do (can't remember which right now)
> is put most of the documentation in the code (using something like POD for
> Perl, maybe we could use ReStructuredText) and have a post-commit hook that
> writes that documentation to the wiki page, using a sub-page:
>
>> <!-- ------------------------------------------------------ -->
>> <!-- The text of the Documentation is on a locked subpage which is
>> created automatically from comments in __FILE__. -->
>> <!-- Please make all changes to GitHub and this page will be updated by
>> a post-commit hook. -->
>> <!-- ------------------------------------------------------ -->
>> {{docs}}
>> <br>
>> == Notes ==
>> <!-- ---------------------------------------------------------- -->
>> <!-- Add more resources here -->
>> <!-- ---------------------------------------------------------- -->
>
> Thoughts?
>
> On Thu, Jun 27, 2013 at 3:54 AM, Tom Hendrikx <to...@wh...> wrote:
>> On 06/26/2013 03:42 PM, Sebastian Arcus wrote:
>> >> Or perhaps we can obsolete the wiki pages and point straight to the
>> >> filter.
>> >
>> > Maybe that's not a bad idea. The reason I raised it is because the wiki
>> > page comes up pretty much at the top of Google results when searching for
>> > Asterisk+fail2ban - so I guess it is likely that many people will think
>> > it is current information (I did so too until I dug around some more).
>> >
>> > However, one of the advantages of the wiki page is that it includes
>> > extra setup information. For example for Asterisk, it is necessary to
>> > change the date format and configure the security log in
>> > /etc/asterisk/logger.conf - as it isn't turned on by default - and then
>> > to restart the logger module in Asterisk. For the above filter, the main
>> > log would need to be configured to include security logging (as opposed
>> > to having a separate security log, which is another route some setups go
>> > - with separate filter/jail for the main and security logs). Unless that
>> > information can be included somewhere in the Github.
>>
>> IMHO, the easiest way to make sure that the documentation doesn't get
>> out of sync with the filter definitions is to add it to the filter
>> itself. Add the required/preferred Asterisk setup as comments in the
>> file, and simply make the wiki page say "yes we support it" and point to
>> the filter file on github for the gory details.
>>
>> Regards,
>> Tom
From: Sebastian A. <sh...@op...> - 2013-07-05 09:42:29
On 27/06/13 08:54, Tom Hendrikx wrote:
> On 06/26/2013 03:42 PM, Sebastian Arcus wrote:
>>> Or perhaps we can obsolete the wiki pages and point straight to the filter.
>>
>> Maybe that's not a bad idea. The reason I raised it is because the wiki
>> page comes up pretty much at the top of Google results when searching for
>> Asterisk+fail2ban - so I guess it is likely that many people will think
>> it is current information (I did so too until I dug around some more).
>>
>> However, one of the advantages of the wiki page is that it includes
>> extra setup information. For example for Asterisk, it is necessary to
>> change the date format and configure the security log in
>> /etc/asterisk/logger.conf - as it isn't turned on by default - and then
>> to restart the logger module in Asterisk. For the above filter, the main
>> log would need to be configured to include security logging (as opposed
>> to having a separate security log, which is another route some setups go
>> - with separate filter/jail for the main and security logs). Unless that
>> information can be included somewhere in the Github.
>
> IMHO, the easiest way to make sure that the documentation doesn't get
> out of sync with the filter definitions is to add it to the filter
> itself. Add the required/preferred Asterisk setup as comments in the
> file, and simply make the wiki page say "yes we support it" and point to
> the filter file on github for the gory details.
>
> Regards,
> Tom
>

I like the idea above as well. All in one place - people installing are much less likely to miss it.
From: Sebastian A. <sh...@op...> - 2013-06-29 00:05:45
On 26/06/13 13:18, Daniel Black wrote:
> On 26/06/13 17:07, Sebastian Arcus wrote:
>> It seems that the Asterisk page on the fail2ban wiki
>> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>
> yes. Hopefully our filters haven't been.
>
>> as it states fail2ban can't protect against certain types of attacks.
>> The page makes several references to this fact, and links to a post on
>> forums.asterisk.org
>>
>> I believe these problems have been fixed with the advent of the security
>> log since Asterisk 10+ (by default located in
>> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
>> The security log now provides sufficient data for fail2ban to block
>> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.
>
> Updated a month ago to include this:
> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>
> Can you see anything here missing or wrong?
>
> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>

Also, the wiki page could include the fact that security logging has only been introduced from Asterisk 10.x - so it is useless trying to configure it if running a previous version (with the caveats that fail2ban will be a lot less effective without it - along the lines of the current warnings on the fail2ban wiki page). That's another bit of information that took a while to unearth (which version the security logging became available in Asterisk, that is).
From: Daniel B. <dan...@in...> - 2013-06-29 08:11:25
On 26/06/13 23:47, Sebastian Arcus wrote:
>
> Also, the wiki page could include the fact that security logging has
> only been introduced from Asterisk 10.x - so it is useless trying to
> configure it if running a previous version (with the caveats that
> fail2ban will be a lot less effective without it - along the lines of
> the current warnings on the fail2ban wiki page). That's another bit of
> information that took a while to unearth (which version the security
> logging became available in Asterisk, that is).

The dirty secret of fail2ban is its developers aren't experts in every application for which there is a filter written. The more information you, as a user of fail2ban and asterisk, can provide the better it will be for everyone.

Sample logs (https://github.com/fail2ban/fail2ban/blob/master/testcases/files/logs/asterisk is about how much is known), configuration options used etc. are very welcome.

For all the writers of blogs and forum posts about fail2ban, contribute (at least a link) here (mailing list or github) so everyone can benefit.

Daniel
From: Sebastian A. <sh...@op...> - 2013-07-05 10:32:22
On 27/06/13 00:25, Daniel Black wrote:
> On 26/06/13 23:42, Sebastian Arcus wrote:
>> On 26/06/13 13:18, Daniel Black wrote:
>>> On 26/06/13 17:07, Sebastian Arcus wrote:
>>>> It seems that the Asterisk page on the fail2ban wiki
>>>> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>>>
>>> yes. Hopefully our filters haven't been.
>>>
>>>> as it states fail2ban can't protect against certain types of attacks.
>>>> The page makes several references to this fact, and links to a post on
>>>> forums.asterisk.org
>>>>
>>>> I believe these problems have been fixed with the advent of the security
>>>> log since Asterisk 10+ (by default located in
>>>> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
>>>> The security log now provides sufficient data for fail2ban to block
>>>> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.
>>>
>>> Updated a month ago to include this:
>>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>>
>>> Can you see anything here missing or wrong?
>>>
>>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>>
>> The fail2ban filter above includes only a regex for the InvalidAccountID
>> security event. The voip-info.org page also includes regexes for the
>> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
>> Unless somebody knows of a good reason not to include them, I guess they
>> are needed in the filter as well?
>
>
> better?
>
> https://github.com/grooverdan/fail2ban/commit/fa7a105483e6653d45830ae0336c84daba6899fc
>
> I'd like more examples of SECURITY log events
>
> The regex to match the log prefix is getting fairly long due to
> variations. Is it still right?
>
>

I've just tried the regexes proposed above with fail2ban 0.8.10, and I get the following error when trying to start fail2ban:

/etc/fail2ban/filter.d# /etc/rc.d/rc.fail2ban restart
Stopping fail2ban
ERROR  Unable to contact server. Is it running?
Starting fail2ban:
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 426, in <module>
    if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 395, in start
    return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 184, in __processCommand
    ret = self.__readConfig()
  File "/usr/bin/fail2ban-client", line 400, in __readConfig
    ret = self.__configurator.getOptions()
  File "/usr/share/fail2ban/client/configurator.py", line 69, in getOptions
    return self.__jails.getOptions(jail)
  File "/usr/share/fail2ban/client/jailsreader.py", line 72, in getOptions
    ret = jail.getOptions()
  File "/usr/share/fail2ban/client/jailreader.py", line 80, in getOptions
    self.__filter.getOptions(self.__opts)
  File "/usr/share/fail2ban/client/filterreader.py", line 58, in getOptions
    self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
  File "/usr/share/fail2ban/client/configreader.py", line 105, in getOptions
    v = self.get(sec, option[1])
  File "/usr/lib/python2.6/ConfigParser.py", line 546, in get
    return self._interpolate(section, option, value, d)
  File "/usr/lib/python2.6/ConfigParser.py", line 614, in _interpolate
    self._interpolate_some(option, L, rawval, section, vars, 1)
  File "/usr/lib/python2.6/ConfigParser.py", line 649, in _interpolate_some
    section, map, depth + 1)
  File "/usr/lib/python2.6/ConfigParser.py", line 646, in _interpolate_some
    option, section, rest, var)
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
        section: [Definition]
        option : failregex
        key    : __pid_re
        rawval : :?(?:\[\S+\d*\])? \S+:\d*

For reference, here is my full asterisk.local filter (sorry about the wrapping):

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate user [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID$
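The traceback above is a config-interpolation failure rather than a regex problem: `log_prefix` references `%(__pid_re)s`, and `__pid_re` is defined in common.conf, which the posted asterisk.local only pulls in through the `[INCLUDES] before = common.conf` line that is commented out. The block below is an added example, not code from this thread or from fail2ban: it reproduces the error with Python's configparser (the Python 3 name of the ConfigParser module in the traceback), using a trimmed copy of the posted filter and a stand-in common.conf that defines only `__pid_re`. The `__pid_re` value is assumed, and the include handling (read the listed files into the same parser before the filter itself) is a simplified imitation of fail2ban's own reader.

```python
import configparser

# Added example, not the thread's or fail2ban's own code. It reproduces the
# InterpolationMissingOptionError above with Python's configparser, which
# fail2ban 0.8 uses (as ConfigParser) to read filter.d/*.conf. __pid_re is
# defined by the file named in [INCLUDES] before=; the posted asterisk.local
# has that line commented out, so %(__pid_re)s has nothing to expand to. The
# include is imitated by reading a stand-in common.conf into the same parser
# first, a simplified version of what fail2ban's reader does.

# Stand-in for config/filter.d/common.conf; the __pid_re value is assumed.
COMMON_CONF = r"""
[DEFAULT]
__pid_re = (?:\[\d+\])
"""

# Trimmed copy of the posted asterisk.local with the include still commented out.
FILTER_CONF = r"""
[INCLUDES]
#before = common.conf

[Definition]
log_prefix = \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
"""

INCLUDE_FILES = {"common.conf": COMMON_CONF}


def load_failregex(filter_text):
    """Return (True, expanded failregex) or (False, error text).

    Files listed under [INCLUDES] before= are read into the parser ahead of the
    filter itself, so their [DEFAULT] options are visible to %(...)s references.
    """
    head = configparser.ConfigParser(interpolation=None)
    head.read_string(filter_text)
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for name in head.get("INCLUDES", "before", fallback="").split():
        parser.read_string(INCLUDE_FILES[name])
    parser.read_string(filter_text)
    try:
        return True, parser.get("Definition", "failregex")
    except configparser.InterpolationMissingOptionError as exc:
        return False, str(exc)


def fixed_filter(filter_text):
    """Apply the one-line fix: re-enable the common.conf include."""
    return filter_text.replace("#before = common.conf", "before = common.conf")


if __name__ == "__main__":
    print(load_failregex(FILTER_CONF))
    print(load_failregex(fixed_filter(FILTER_CONF)))
```

The first call fails on `__pid_re` exactly as the traceback does; the second returns the fully expanded failregex with `(?:\[\d+\])` in place of `%(__pid_re)s`. The same applies to any other `%(...)s` name a filter borrows from common.conf: a .local copy that drops the include has to define them itself.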
From: Tom H. <to...@wh...> - 2013-07-05 11:42:43
Attachments: signature.asc
On 07/05/2013 12:32 PM, Sebastian Arcus wrote:
> On 27/06/13 00:25, Daniel Black wrote:
>> On 26/06/13 23:42, Sebastian Arcus wrote:
>>> On 26/06/13 13:18, Daniel Black wrote:
>>>> On 26/06/13 17:07, Sebastian Arcus wrote:
>>>>> It seems that the Asterisk page on the fail2ban wiki
>>>>> (http://www.fail2ban.org/wiki/index.php/Asterisk) has become outdated,
>>>>
>>>> yes. Hopefully our filters haven't been.
>>>>
>>>>> as it states fail2ban can't protect against certain types of attacks.
>>>>> The page makes several references to this fact, and links to a post on
>>>>> forums.asterisk.org
>>>>>
>>>>> I believe these problems have been fixed with the advent of the security
>>>>> log since Asterisk 10+ (by default located in
>>>>> /var/log/asterisk/security, when enabled in /etc/asterisk/logger.conf).
>>>>> The security log now provides sufficient data for fail2ban to block
>>>>> attackers exploiting just INVITEs, instead of the ones trying to REGISTER.
>>>>
>>>> Updated a month ago to include this:
>>>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>>>
>>>> Can you see anything here missing or wrong?
>>>>
>>>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>>>
>>> The fail2ban filter above includes only regex for the InvalidAccountID
>>> security event. The voip-info.org page also includes regexes for the
>>> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
>>> Unless somebody knows of a good reason not to include them, I guess they
>>> are needed in the filter as well?
>>
>> better?
>>
>> https://github.com/grooverdan/fail2ban/commit/fa7a105483e6653d45830ae0336c84daba6899fc
>>
>> I'd like more examples of SECURITY log events
>>
>> The regex to match the log prefix is getting fairly long due to
>> variations. Is it still right?
>
> I've just tried the regexes proposed above with fail2ban 0.8.10, and I
> get the following error when trying to start fail2ban:
>
> /etc/fail2ban/filter.d# /etc/rc.d/rc.fail2ban restart
> Stopping fail2ban
> ERROR Unable to contact server. Is it running?
> Starting fail2ban:
> Traceback (most recent call last):
>   File "/usr/bin/fail2ban-client", line 426, in <module>
>     if client.start(sys.argv):
>   File "/usr/bin/fail2ban-client", line 395, in start
>     return self.__processCommand(args)
>   File "/usr/bin/fail2ban-client", line 184, in __processCommand
>     ret = self.__readConfig()
>   File "/usr/bin/fail2ban-client", line 400, in __readConfig
>     ret = self.__configurator.getOptions()
>   File "/usr/share/fail2ban/client/configurator.py", line 69, in getOptions
>     return self.__jails.getOptions(jail)
>   File "/usr/share/fail2ban/client/jailsreader.py", line 72, in getOptions
>     ret = jail.getOptions()
>   File "/usr/share/fail2ban/client/jailreader.py", line 80, in getOptions
>     self.__filter.getOptions(self.__opts)
>   File "/usr/share/fail2ban/client/filterreader.py", line 58, in getOptions
>     self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
>   File "/usr/share/fail2ban/client/configreader.py", line 105, in getOptions
>     v = self.get(sec, option[1])
>   File "/usr/lib/python2.6/ConfigParser.py", line 546, in get
>     return self._interpolate(section, option, value, d)
>   File "/usr/lib/python2.6/ConfigParser.py", line 614, in _interpolate
>     self._interpolate_some(option, L, rawval, section, vars, 1)
>   File "/usr/lib/python2.6/ConfigParser.py", line 649, in _interpolate_some
>     section, map, depth + 1)
>   File "/usr/lib/python2.6/ConfigParser.py", line 646, in _interpolate_some
>     option, section, rest, var)
> ConfigParser.InterpolationMissingOptionError: Bad value substitution:
> section: [Definition]
> option : failregex
> key : __pid_re
> rawval : :?(?:\[\S+\d*\])? \S+:\d*
>

'log_prefix' in asterisk.conf uses '__pid_re', which is probably defined
in common.conf, but you commented the include line for that file.
Uncomment and try again...

> For reference, here is my full asterisk.local filter (sorry about the
> wrapping):
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
>
> [Definition]
>
> #_daemon = asterisk
>
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile. The
> # host must be matched by a group named "host". The tag "<HOST>" can
> # be used for standard IP/hostname matching and is only an alias for
> # (?:::f{4,6}:)?(?P<host>\S+)
> # Values: TEXT
> #
>
> log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
>
> failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
>             ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
>             ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
>             ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
>             ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
>             ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
>             ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
>             ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
>             ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
>             ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
>             ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
>             ^%(log_prefix)s Failed to authenticate user [^@]+@<HOST>\S*$
>             ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*
>             ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID$
From: Sebastian A. <sh...@op...> - 2013-07-06 08:37:53
On 05/07/13 12:42, Tom Hendrikx wrote:
</snip>
>> ConfigParser.InterpolationMissingOptionError: Bad value substitution:
>> section: [Definition]
>> option : failregex
>> key : __pid_re
>> rawval : :?(?:\[\S+\d*\])? \S+:\d*
>>
>
> 'log_prefix' in asterisk.conf uses '__pid_re', which is probably defined
> in common.conf, but you commented the include line for that file.
> Uncomment and try again...
>
>>

Thank you Tom - that seems to have done the trick. Now fail2ban is starting without complaints.

One side note: I was wondering why does your regex for security events match so closely on so many fields: EventTV, Severity, Service, EventVersion? As far as I can work out, none of them seem to be relevant or used by fail2ban. Wouldn't that make it more likely that any minor change in the log file syntax from the Asterisk team would render the regex inoperative?

Sebastian
From: Sebastian A. <sh...@op...> - 2013-07-06 08:54:10
Hi Tom,

</snip>
>>>>> Updated a month ago to include this:
>>>>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>>>>
>>>>> Can you see anything here missing or wrong?
>>>>>
>>>>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>>>>
>>>> The fail2ban filter above includes only regex for the InvalidAccountID
>>>> security event. The voip-info.org page also includes regexes for the
>>>> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
>>>> Unless somebody knows of a good reason not to include them, I guess they
>>>> are needed in the filter as well?
>>>
>>> better?
>>>
>>> https://github.com/grooverdan/fail2ban/commit/fa7a105483e6653d45830ae0336c84daba6899fc
>>>
>>> I'd like more examples of SECURITY log events
>>>
>>> The regex to match the log prefix is getting fairly long due to
>>> variations. Is it still right?
>>>

Although the regex above and the filter from git is starting OK now - I've had a look through my security log and I realised the filter wasn't picking up on InvalidPassword. I used fail2ban-regex against the filter regex from git and indeed, it doesn't do any finds. Here is one of the lines from my log which the regex should find. Still running fail2ban 0.8.10 and Asterisk 11.4.0. Sorry about line wrapping - this is a single line from the log:

[2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39"
From: Daniel B. <dan...@in...> - 2013-07-07 07:51:30
On 06/07/13 18:53, Sebastian Arcus wrote:
> Hi Tom,
>
> </snip>
>>>>>> Updated a month ago to include this:
>>>>>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>>>>>
>>>>>> Can you see anything here missing or wrong?
>>>>>>
>>>>>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>>>>>
>>>>> The fail2ban filter above includes only regex for the InvalidAccountID
>>>>> security event. The voip-info.org page also includes regexes for the
>>>>> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
>>>>> Unless somebody knows of a good reason not to include them, I guess they
>>>>> are needed in the filter as well?
>>>>
>>>> better?
>>>>
>>>> https://github.com/grooverdan/fail2ban/commit/fa7a105483e6653d45830ae0336c84daba6899fc
>>>>
>>>> I'd like more examples of SECURITY log events
>>>>
>>>> The regex to match the log prefix is getting fairly long due to
>>>> variations. Is it still right?
>>>>
>
> Although the regex above and the filter from git is starting OK now -
> I've had a look through my security log and I realised the filter wasn't
> picking up on InvalidPassword. I used fail2ban-regex against the filter
> regex from git and indeed, it doesn't do any finds. Here is one of the
> lines from my log which the regex should find. Still running fail2ban
> 0.8.10 and Asterisk 11.4.0. Sorry about line wrapping - this is a single
> line from the log:
>
> [2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39"

Fixed in master:

https://github.com/fail2ban/fail2ban/commit/619603fe054765da7bcfed374c55ce07c142abeb#config/filter.d/asterisk.conf

Please report bugs in the github issue tracker just so we don't miss them.
From: Sebastian A. <sh...@op...> - 2013-07-07 08:10:11
On 07/07/13 08:51, Daniel Black wrote:
> On 06/07/13 18:53, Sebastian Arcus wrote:
>> Hi Tom,
>>
>> </snip>
>>>>>>> Updated a month ago to include this:
>>>>>>> https://github.com/fail2ban/fail2ban/commit/5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d#config/filter.d/asterisk.conf
>>>>>>>
>>>>>>> Can you see anything here missing or wrong?
>>>>>>>
>>>>>>> https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf
>>>>>>
>>>>>> The fail2ban filter above includes only regex for the InvalidAccountID
>>>>>> security event. The voip-info.org page also includes regexes for the
>>>>>> FailedACL, ChallengeResponseFailed and InvalidPassword security events.
>>>>>> Unless somebody knows of a good reason not to include them, I guess they
>>>>>> are needed in the filter as well?
>>>>>
>>>>> better?
>>>>>
>>>>> https://github.com/grooverdan/fail2ban/commit/fa7a105483e6653d45830ae0336c84daba6899fc
>>>>>
>>>>> I'd like more examples of SECURITY log events
>>>>>
>>>>> The regex to match the log prefix is getting fairly long due to
>>>>> variations. Is it still right?
>>>>>
>>
>> Although the regex above and the filter from git is starting OK now -
>> I've had a look through my security log and I realised the filter wasn't
>> picking up on InvalidPassword. I used fail2ban-regex against the filter
>> regex from git and indeed, it doesn't do any finds. Here is one of the
>> lines from my log which the regex should find. Still running fail2ban
>> 0.8.10 and Asterisk 11.4.0. Sorry about line wrapping - this is a single
>> line from the log:
>>
>> [2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39"
>
> Fixed in master:
>
> https://github.com/fail2ban/fail2ban/commit/619603fe054765da7bcfed374c55ce07c142abeb#config/filter.d/asterisk.conf
>
> Please report bugs in the github issue tracker just so we don't miss them.

I'll try. I haven't delved into git or github yet - so I'll have to spend some time figuring out the thing - but I suppose it's about the time for me :-)

I'm still not sure why the regex matches so tightly. After all, if the line contains something like "InvalidPassword" and an IP address - it should be all that is needed, right? Even the log/event type doesn't seem to matter - unless I'm missing something?

I was also thinking that having a regex on 4, 5 or 7 different lines, each one for a different error/error type, seems a lot more readable, especially for people not very advanced in reading regexes, than having all the variations to be searched for on a single line. Less advanced users will then be able to attempt troubleshooting and suggest changes to regexes when they don't work for them.
From: Daniel B. <dan...@in...> - 2013-07-07 08:01:25
On 06/07/13 18:37, Sebastian Arcus wrote:
> One side note: I was wondering why does your regex for security events
> match so closely on so many fields: EventTV, Severity, Service,
> EventVersion?

Based on the recent apache filter DoS vulnerability in fail2ban, the stricter the filter the less chance of a DoS vulnerability.

> As far as I can work out, none of them seem to be relevant
> or used by fail2ban.

Right.

> Wouldn't that make it more likely that any minor
> change in the log file syntax from the Asterisk team would render the
> regex inoperative?

Yes.

Though, the format of the Security log seems to be pretty thought out now. I suppose a generic match of ,X=".." at the end may mitigate this. I'm not ready for this yet. If you can find the asterisk source code for these log messages it may help match the regex better. Are there things other than challenges and received hashes that are going to get logged with FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword messages?

We've got a DoS vulnerability on one side and allowing persistent fails to continue unblocked on the other hand. The only real option is to get the filters right.
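To see concretely why Sebastian's InvalidPassword line above is not matched, and what Daniel's idea of a generic trailing ,X=".." match looks like, here is an added Python check that is not part of the thread or of fail2ban itself. It performs the log_prefix and <HOST> substitutions the filter relies on (assuming __pid_re is (?:\[\d+\]) as in common.conf, and simplifying fail2ban's date stripping to a regex) and runs both the thread's SecurityEvent pattern and an illustrative stricter replacement, which is an assumption rather than the pattern later committed, over the quoted log line.

```python
import re

# Constructed sample: the InvalidPassword security-log line quoted in the
# thread, joined back into the single line that fail2ban actually sees.
SAMPLE_LINE = (
    '[2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",'
    'Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",'
    'LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",'
    'Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39"'
)

# Assumption: __pid_re as common.conf defines it; log_prefix is the thread's own.
PID_RE = r'(?:\[\d+\])'
LOG_PREFIX = r'\[\]\s*(?:NOTICE|SECURITY)' + PID_RE + r':?(?:\[\S+\d*\])? \S+:\d*'
# What fail2ban substitutes for the <HOST> tag (quoted from the filter comment).
HOST_RE = r'(?:::f{4,6}:)?(?P<host>\S+)'
# Simplified stand-in for fail2ban's date handling: the matched timestamp is
# removed before failregex is applied, which is why log_prefix starts with \[\].
DATE_RE = re.compile(r'^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]')

# The SecurityEvent pattern exactly as posted in the thread: it stops at
# AccountID$ and never captures <HOST>, so it matches nothing and names no host.
THREAD_REGEX = (r'^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed'
                r'|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",'
                r'EventVersion="\d+",AccountID$')

# Illustrative replacement (an assumption, not fail2ban's committed pattern): the
# leading fields stay strict, the banned host is taken from RemoteAddress, and any
# further ,Name="value" fields are accepted so later Asterisk additions do not break it.
STRICT_REGEX = (r'^%(log_prefix)s SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed'
                r'|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",'
                r'EventVersion="\d+",AccountID="[^"]*",SessionID="[^"]*",'
                r'LocalAddress="[^"]*",RemoteAddress="[^/"]+/[^/"]+/<HOST>/\d+"'
                r'(?:,\w+="[^"]*")*$')


def expand(failregex):
    """Apply the two substitutions fail2ban performs before compiling a failregex."""
    pattern = failregex.replace('%(log_prefix)s', LOG_PREFIX).replace('<HOST>', HOST_RE)
    return re.compile(pattern)


def check(failregex, line):
    """Return (matched, host); host is None if nothing matched or no <HOST> was captured."""
    m = expand(failregex).search(DATE_RE.sub('[]', line, count=1))
    if m is None:
        return (False, None)
    return (True, m.groupdict().get('host'))


if __name__ == '__main__':
    print('thread regex:', check(THREAD_REGEX, SAMPLE_LINE))   # (False, None)
    print('strict regex:', check(STRICT_REGEX, SAMPLE_LINE))   # (True, '141.255.164.106')
```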
From: Sebastian A. <sh...@op...> - 2013-07-07 17:59:55
On 07/07/13 09:01, Daniel Black wrote:
> On 06/07/13 18:37, Sebastian Arcus wrote:
>> One side note: I was wondering why does your regex for security events
>> match so closely on so many fields: EventTV, Severity, Service,
>> EventVersion?
>
> Based on the recent apache filter DoS vulnerability in fail2ban the
> stricter the filter the less chance of a DoS vulnerability.
>
>> As far as I can work out, none of them seem to be relevant
>> or used by fail2ban.
>
> Right.
>
>> Wouldn't that make it more likely that any minor
>> change in the log file syntax from the Asterisk team would render the
>> regex inoperative?
>
> Yes.
>
> Though, the format of the Security log seems to be pretty thought out
> now. I suppose a generic match of ,X=".." at the end may mitigate this.
> I'm not ready for this yet. If you can find the asterisk source code for
> these log messages it may help match the regex better. Are there things
> other than challenges and received hashes that are going to get logged
> with FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword
> messages?
>
> We've got a DoS vulnerability on one side and allowing persistent
> fails to continue unblocked on the other hand. The only real option is
> to get the filters right.
>

Thanks for the explanation Daniel. I wasn't aware that loose matching can lead to DoS attacks. I'll keep on testing the proposed regexes and report to the list any significant findings.