From: Lawrence <law...@ya...> - 2017-04-12 13:22:05
Hello, sorry for my bad English. I'm a bit confused by how fail2ban works. I read a lot and made my own filter and jails to catch several SIP attackers trying to authenticate devices. The log shows lines like this:

    [Apr 12 05:23:06] NOTICE[1645][C-00000093] chan_sip.c: Failed to authenticate device 1001<sip:1001@10.0.2.15:5060>;tag=5ee3ff7a
    [Apr 12 05:28:35] NOTICE[1645][C-00000094] chan_sip.c: Failed to authenticate device 222<sip:222@10.0.2.15:5060>;tag=c2384eab

Note that there is no IP of the attacker in them. I found on Google that enabling the "security" level for /var/log/asterisk/fail2ban in /etc/asterisk/logger.conf, by adding the following line, gives a more detailed log:

    fail2ban => security,notice,warning,error

Now I get the IP of the attackers with something like this in my /var/log/asterisk/fail2ban log file:

    [Apr 11 19:17:53] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:17:53.017-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001448323395006",SessionID="0x7f16ac00aa08",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""
    [Apr 11 19:27:42] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:27:42.678-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001548323395006",SessionID="0x7f16ac00a768",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""

I made a filter to catch it and it looks like it works, because after 3 attempts the attacker goes into the iptables chain of my filter, and after 5 times in the first jail it goes to the RECIDIVE jail, as we can see with iptables -L -n:

    Chain fail2ban-ast-dev-auth (1 references)
    target     prot opt source               destination
    REJECT     all  --  195.154.16.40        0.0.0.0/0            reject-with icmp-port-unreachable
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-recidive (1 references)
    target     prot opt source               destination
    REJECT     all  --  195.154.16.40        0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  89.163.210.102       0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  85.114.135.111       0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  78.31.67.139         0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  95.154.217.167       0.0.0.0/0            reject-with icmp-port-unreachable
    REJECT     all  --  89.163.144.106       0.0.0.0/0            reject-with icmp-port-unreachable
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

I think it's strange to see the same IP 195.154.16.40 in both jails, because the ban time for ast-dev-auth is 1 hour and for RECIDIVE it is 1 week. So I searched the logs to understand whether the IP 195.154.16.40 went into both jails at the same time, because I think it's not possible to get into ast-dev-auth again if the IP was already blocked in RECIDIVE, but...

    cat /var/log/fail2ban.log | grep 195.154.16.40

    1st time.....
    2017-04-11 14:33:30,843 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-11 15:33:30,237 fail2ban.actions[811]: WARNING [asterisk-device-auth] Unban 195.154.16.40
    2nd time.....
    2017-04-11 16:21:10,236 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-11 17:21:10,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
    3rd time.....
    2017-04-11 18:04:19,238 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-11 19:04:19,949 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
    4th time.....
    2017-04-11 19:47:36,327 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-11 20:47:37,032 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
    5th time.....
    2017-04-11 21:33:06,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-11 22:33:07,736 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40

    Now RECIDIVE gets it....
    2017-04-11 21:33:08,520 fail2ban.actions[14820]: WARNING [recidive] Ban 195.154.16.40

    But ast-dev-auth still gets it again and again.... at the same time it should be blocked by RECIDIVE
    2017-04-11 23:15:02,495 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-12 00:15:02,902 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
    2017-04-12 00:58:19,726 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-12 01:58:19,926 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
    2017-04-12 02:39:14,401 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
    2017-04-12 03:39:15,342 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40

I would like to understand it. Thanks.
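As an added example (my own script, not the poster's filter and not fail2ban's code), the following parses res_security_log.c lines in the format quoted above and replays them through a simplified maxretry/findtime/bantime counter, so you can see which lines a jail would count, which it ignores (the NOTICE lines with no address, and lines from a host that is already banned) and when the unban fires. The regex, the sample lines and the documentation-range addresses are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Regex modelled on the res_security_log.c lines quoted in the post (my own pattern, not the
# poster's filter): capture the year-less timestamp and the remote IPv4 address.
SECURITY_LINE = re.compile(
    r'^\[(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)\] SECURITY\[\d+\] res_security_log\.c: '
    r'SecurityEvent="InvalidPassword",.*?RemoteAddress="IPV4/(?:UDP|TCP)/'
    r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})/\d+"')

def parse_failure(line, year=2017):
    # Asterisk logs no year, so the caller supplies it; returns (datetime, host) or None.
    m = SECURITY_LINE.match(line)
    return (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["host"]) if m else None

def simulate_jail(lines, maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
    """Replay lines through one simplified jail; return [(time, 'Ban'|'Unban', ip)]."""
    events, failures, banned = [], {}, {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:          # NOTICE lines carry no RemoteAddress, so they never count
            continue
        now, ip = parsed
        for b_ip, until in list(banned.items()):   # expire bans whose bantime has passed
            if now >= until:
                events.append((until, "Unban", b_ip))
                del banned[b_ip]
        if ip in banned:            # an already banned host is not counted again
            continue
        recent = [t for t in failures.get(ip, []) if now - t < findtime] + [now]
        failures[ip] = recent
        if len(recent) >= maxretry:
            events.append((now, "Ban", ip))
            banned[ip] = now + bantime
            failures[ip] = []
    return events

def _sec(ts, ip):
    # Constructed security-log line in the post's format, with documentation-range addresses.
    return (f'[{ts}] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",'
            f'Severity="Error",Service="SIP",LocalAddress="IPV4/UDP/10.0.2.15/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5070",Challenge="",ReceivedHash=""')

SAMPLE_LOG = [
    _sec("Apr 11 19:17:53", "203.0.113.10"),
    _sec("Apr 11 19:18:10", "203.0.113.10"),
    _sec("Apr 11 19:18:40", "203.0.113.10"),   # third failure inside findtime -> Ban
    "[Apr 11 19:19:00] NOTICE[1645][C-00000093] chan_sip.c: Failed to authenticate device 1001",
    _sec("Apr 11 19:20:00", "198.51.100.7"),   # a single failure: no ban
    _sec("Apr 11 19:25:00", "203.0.113.10"),   # arrives while banned: not counted
    _sec("Apr 11 20:30:00", "198.51.100.7"),   # after bantime: the 19:18 ban is expired -> Unban
]
```

Running `simulate_jail(SAMPLE_LOG)` yields one Ban at 19:18:40 and its Unban one hour later; raising maxretry to 5 yields no ban at all for this sample.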