From: Tom H. <to...@wh...> - 2017-04-12 17:26:19
Hi,

This is probably the problem with asterisk: it's UDP. Anyone can send you packets that appear to come from the IP address that you pick up from the logs, but there is no proof that that is the actual IP address that sent the packets, because that is simply how UDP works. So there is another IP address sending you asterisk packets that *seem* to come from 195.154.16.40, but they actually come from somewhere else. So the packets are not actually blocked by fail2ban, because the new packets don't come from the blocked IP address.

You can test if your filter works OK by generating the bad logins yourself, from an IP address you know. That should block your access (and other regular users who have their credentials wrong). But it won't stop crackers that fake the IP header in the UDP packet. This is the main reason why an asterisk filter (or any UDP-based filter for that matter) is not really useful. It's probably a better idea to block asterisk access using tricks like banning country ranges that you wouldn't expect any connections from, but f2b is not the right tool for that.

Kind regards,
Tom

On 12-04-17 15:08, Lawrence wrote:
> Hello, sorry for my bad English.
>
> I'm a bit confused with the functioning of fail2ban.
> I read a lot and made my own filter and jails to catch several SIP
> attackers trying to authenticate devices. The log shows lines like this:
>
> [Apr 12 05:23:06] NOTICE[1645][C-00000093] chan_sip.c: Failed to authenticate device 1001<sip:1001@10.0.2.15:5060>;tag=5ee3ff7a
> [Apr 12 05:28:35] NOTICE[1645][C-00000094] chan_sip.c: Failed to authenticate device 222<sip:222@10.0.2.15:5060>;tag=c2384eab
>
> Note that there is no IP from the attacker.
> I found on Google to enable the "security" level for /var/log/asterisk/fail2ban
> in /etc/asterisk/logger.conf by adding the following line to get a more
> detailed log:
>
> fail2ban => security,notice,warning,error
>
> Now I get the IP from the attackers with something like this in my
> /etc/asterisk/fail2ban log file:
>
> [Apr 11 19:17:53] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:17:53.017-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001448323395006",SessionID="0x7f16ac00aa08",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""
> [Apr 11 19:27:42] SECURITY[1704] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:27:42.678-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001548323395006",SessionID="0x7f16ac00a768",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""
>
> I made a filter to catch it and it looks like it works OK, because the
> attacker, after 3 attempts, starts going into the iptables chains of my
> filter, and after 5 times in the first jail goes into the RECIDIVE jail, as we
> can see with iptables -L -n:
>
> Chain fail2ban-ast-dev-auth (1 references)
> target     prot opt source               destination
> REJECT     all  --  195.154.16.40        0.0.0.0/0            reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain fail2ban-recidive (1 references)
> target     prot opt source               destination
> REJECT     all  --  195.154.16.40        0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  89.163.210.102       0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  85.114.135.111       0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  78.31.67.139         0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  95.154.217.167       0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  89.163.144.106       0.0.0.0/0            reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>
> I think it's strange to see the same IP 195.154.16.40 in both jails, because
> the ban time for ast-dev-auth is 1 hour and RECIDIVE is 1 week.
> So I searched the logs to understand if the IP 195.154.16.40 went into both
> jails at the same time, because I think it's not possible to get into
> ast-dev-auth again if the IP was already blocked in RECIDIVE, but...
>
> cat /var/log/fail2ban.log | grep 195.154.16.40
> 1 time.....
> 2017-04-11 14:33:30,843 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-11 15:33:30,237 fail2ban.actions[811]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 2 time.....
> 2017-04-11 16:21:10,236 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-11 17:21:10,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 3 time.....
> 2017-04-11 18:04:19,238 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-11 19:04:19,949 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 4 time.....
> 2017-04-11 19:47:36,327 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-11 20:47:37,032 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 5 time.....
> 2017-04-11 21:33:06,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-11 22:33:07,736 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> Now RECIDIVE gets it....
> 2017-04-11 21:33:08,520 fail2ban.actions[14820]: WARNING [recidive] Ban 195.154.16.40
>
> But ast-dev-auth still gets it again and again.... at the same time it
> should be blocked by RECIDIVE
> 2017-04-11 23:15:02,495 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-12 00:15:02,902 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 2017-04-12 00:58:19,726 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-12 01:58:19,926 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 2017-04-12 02:39:14,401 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-12 03:39:15,342 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
>
> I would like to understand it.
> Thanks.
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
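The thread above describes two detection layers: a first jail that counts failed SIP authentications per remote address in the Asterisk security log, and a recidive jail that counts how often fail2ban itself has already banned an address. The following Python is an added example, not code from this thread or from the fail2ban or Asterisk projects. It parses both log formats quoted in the thread (res_security_log.c SecurityEvent lines and fail2ban.log "Ban" lines) and applies the same sliding-window ban condition fail2ban uses per jail (maxretry hits inside findtime). The set of failure event names, the thresholds, and the sample log lines (using documentation addresses 203.0.113.7 and 198.51.100.9) are constructed for the example. As Tom's reply notes, the RemoteAddress this extracts is whatever the UDP header claims, so treat it as an unverified indicator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches Asterisk res_security_log.c lines of the form quoted in the thread.
# EventTV carries a full timestamp with zone offset; the bracketed syslog-style
# timestamp at the front has no year, so it is ignored. RemoteAddress uses the
# "IPV4/UDP/<ip>/<port>" form shown in the log.
SECURITY_RE = re.compile(
    r'res_security_log\.c: SecurityEvent="(?P<event>[^"]+)",'
    r'EventTV="(?P<tv>[^"]+)",.*?'
    r'AccountID="(?P<account>[^"]*)",.*?'
    r'RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)

# fail2ban's own "Ban" action lines, as in the fail2ban.log excerpt in the thread.
BAN_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) fail2ban\.actions\[\d+\]: '
    r'WARNING \[(?P<jail>[^\]]+)\] Ban (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$'
)

# Security events treated as authentication failures. Assumed set for this
# example; the thread itself only shows InvalidPassword.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}


def parse_security_event(line):
    """Return (time, event, account, ip) for a security log line, or None."""
    m = SECURITY_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(m["tv"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return when, m["event"], m["account"], m["ip"]


def parse_ban_line(line):
    """Return (time, jail, ip) for a fail2ban 'Ban' line, or None ('Unban' lines do not match)."""
    m = BAN_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["jail"], m["ip"]


def sliding_window_offenders(events, maxretry, findtime):
    """events: iterable of (time, ip) in log order. An IP is reported once it has
    maxretry hits that all fall within findtime of the newest hit, which is the
    ban condition a fail2ban jail applies. The window is cleared after a hit so
    that a further ban needs maxretry fresh events, as a jail's ban/unban cycle does."""
    recent = defaultdict(list)
    hit = set()
    for when, ip in events:
        window = [t for t in recent[ip] if when - t <= findtime]
        window.append(when)
        if len(window) >= maxretry:
            hit.add(ip)
            window = []
        recent[ip] = window
    return hit


def auth_offenders(security_lines, maxretry=3, findtime=timedelta(minutes=10)):
    """First jail: IPs that produced maxretry failed SIP auths within findtime."""
    events = [(p[0], p[3]) for p in map(parse_security_event, security_lines)
              if p and p[1] in FAILURE_EVENTS]
    return sliding_window_offenders(events, maxretry, findtime)


def recidive_offenders(fail2ban_lines, maxretry=5, findtime=timedelta(days=1)):
    """Recidive-style jail: IPs banned maxretry times by other jails within findtime.
    Bans issued by the recidive jail itself are excluded so it does not feed on its own output."""
    events = [(p[0], p[2]) for p in map(parse_ban_line, fail2ban_lines)
              if p and p[1] != "recidive"]
    return sliding_window_offenders(events, maxretry, findtime)


def _sec(tv, event, account, ip):
    # Constructed sample line in the thread's format; the bracketed prefix is a
    # fixed dummy because the parser reads the time from EventTV.
    return (f'[Apr 11 19:17:53] SECURITY[1704] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{tv}",Severity="Error",Service="SIP",EventVersion="2",'
            f'AccountID="{account}",SessionID="0x7f16ac00aa08",'
            f'LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/{ip}/5070",'
            f'Challenge="",ReceivedChallenge="",ReceivedHash=""')


# Constructed sample input: three failures from 203.0.113.7 within two minutes,
# one failure and one success from 198.51.100.9.
SAMPLE_SECURITY_LOG = [
    _sec("2017-04-11T19:17:53.017-0300", "InvalidPassword", "1001", "203.0.113.7"),
    _sec("2017-04-11T19:18:10.400-0300", "InvalidPassword", "1002", "203.0.113.7"),
    _sec("2017-04-11T19:18:40.900-0300", "InvalidPassword", "1003", "198.51.100.9"),
    _sec("2017-04-11T19:19:05.120-0300", "SuccessfulAuth", "1001", "198.51.100.9"),
    _sec("2017-04-11T19:19:30.000-0300", "InvalidPassword", "1003", "203.0.113.7"),
]

# Constructed sample fail2ban.log: five bans of 203.0.113.7 in one day, one of 198.51.100.9.
SAMPLE_FAIL2BAN_LOG = [
    "2017-04-11 14:33:30,843 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 203.0.113.7",
    "2017-04-11 15:33:30,237 fail2ban.actions[811]: WARNING [asterisk-device-auth] Unban 203.0.113.7",
    "2017-04-11 16:21:10,236 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 203.0.113.7",
    "2017-04-11 18:04:19,238 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 203.0.113.7",
    "2017-04-11 18:30:00,000 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 198.51.100.9",
    "2017-04-11 19:47:36,327 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 203.0.113.7",
    "2017-04-11 21:33:06,866 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 203.0.113.7",
    "2017-04-11 21:33:08,520 fail2ban.actions[811]: WARNING [recidive] Ban 203.0.113.7",
]

if __name__ == "__main__":
    print("auth jail would ban:", sorted(auth_offenders(SAMPLE_SECURITY_LOG)))
    print("recidive would ban:", sorted(recidive_offenders(SAMPLE_FAIL2BAN_LOG)))
```

Running the script on the constructed samples reports 203.0.113.7 for both jails and nothing for 198.51.100.9, which mirrors the thread's observation: an address keeps re-entering the first jail on every fresh burst of failures, and the recidive jail only fires once enough of those bans have accumulated inside its own findtime.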