UPDATED on 06.02.2013
1. Updated Fail2Ban asterisk filter, added 2 more lines at the bottom
This small “HowTo” assumes that you are doing all configurations on the raspbx-19-01-2013 image (but it should work on any asterisk & fail2ban Linux installation).
Why:
First of all, to protect your privacy...
Second, there are people that all day long are scanning the Internet for SIP proxies, and most of them don't want to take control of them, they just want to place calls through them. Some of them are paid to do it (by network operators, to terminate the calls in their network so that they can charge interconnection fees to other operators), others do it because they don't want to pay for their phone calls, others do it just for fun... In all cases your own phone bill will be affected if you connect your raspbx to the PSTN network, like I did.
Scope:
These days, if you plug any device directly into the Internet without a minimum of protection, you are just looking for trouble, so this howto will help you provide some protection against hackers for your Raspberry Pi Asterisk installation. One more reason for implementing fail2ban is the limited memory and CPU resources that the Pi has. As a general rule, in my opinion, it's always better to drop packets at the TCP/IP layer than to discard them at the application layer (which uses more memory and more CPU time), and fail2ban helps us do exactly this by monitoring security logs and dynamically adding & removing firewall rules.
Configuration:
First make sure that the module res_security_log.so is loaded by Asterisk. Log in to the Asterisk console with the following command:
asterisk -vvvr
and then run module show like res_security_log.so; the output should look like this (exit the console afterwards with quit):
Second, we have to make sure that Asterisk logs SIP security events (I believe this only works on Asterisk 10.x.x and above, but if you are using raspbx-19-01-2013, which comes with Asterisk 11.1.2, you should be fine) by modifying /etc/asterisk/logger.conf, so open it with your favorite text editor and add the following line at the bottom (all commands below assume that they are run by root, so please log in as root or do a su - from a standard user):
security_log => SECURITY,NOTICE
Notice: Please be advised that enabling this function will produce a high amount of logs, and I strongly suggest that you implement log rotation so that performance will not degrade. Asterisk can rotate its own logs, or you can use logrotate.d.
Save logger.conf
Log in to the Asterisk console with the following command:
asterisk -vvvr
and issue a logger reload command for the logger to reload its configuration; afterwards exit the Asterisk console with quit.
And you should see the security_log file in the /var/log/asterisk/ directory:
root@raspbx:~# ls /var/log/asterisk/
cdr-csv  cdr-custom  cel-custom  freepbx_dbug  freepbx_debug  freepbx.log  full  h323_log  messages  queue_log  security_log
root@raspbx:~#
Now install Fail2ban with the following command:
apt-get install fail2ban
After this, Fail2ban will be installed and started, and it is already configured to ban failed ssh logins, so please be careful if you are configuring over an ssh link. The main configuration files of Fail2ban are in the /etc/fail2ban/ directory:
root@raspbx:~# ls /etc/fail2ban/
action.d  fail2ban.conf  filter.d  jail.conf
root@raspbx:~#
First of all we need to create a filter specially for Asterisk, so:
cd /etc/fail2ban/filter.d/
Create an asterisk.conf file
touch asterisk.conf
Copy and paste the following regular expressions in it, using your favorite text editor:
# Fail2Ban configuration file
#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*
            SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Save & close the asterisk.conf file.
This configuration is based on the original wiki howto from the fail2ban website (http://www.fail2ban.org/wiki/index.php/Asterisk) and improved by me with the following lines:
Next we need to define a fail2ban action for Asterisk. Copy and paste the following actions into /etc/fail2ban/action.d/iptables-asterisk.conf, using your favorite text editor:
# Fail2Ban configuration file
#
# Author: Razvan Turtureanu
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p tcp --dport 5061 -j fail2ban-<name>
              iptables -I <chain> -p udp --dport 5060 -j fail2ban-<name>
              iptables -I <chain> -p tcp --dport 5060 -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p tcp --dport 5061 -j fail2ban-<name>
             iptables -D <chain> -p udp --dport 5060 -j fail2ban-<name>
             iptables -D <chain> -p tcp --dport 5060 -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
I have configured this action to block only the SIP ports (udp:5060, tcp:5060 and tcp:5061, the TLS port).
Now edit the jail.conf file, located in /etc/fail2ban, using your favorite text editor, and add the following jail in it, below the [ssh] jail (don't forget to replace your_mail@your.domain with a real email address where you want to receive the fail2ban alerts. This configuration also assumes that your raspbx installation can send mail to the outside world; to enable mail sending please read this howto: http://www.raspberry-asterisk.org/?page_id=10#4 ):
After saving the jail, restart the fail2ban service; if you then list the rules with iptables you should see the new fail2ban-asterisk chain.
Please be aware that this configuration only works if you have allowguest=no in your sip.conf file, and a good practice is to also add alwaysauthreject=yes.
Please be aware that with this configuration you only protect your installation from people that are trying to find valid extensions on your system by sending SIP INVITEs to your server and then using a brute-force attack to crack the extension's password. If you are using UDP or TCP transport for SIP you are not safe from a “Man in the Middle” attack, which can get real credentials by sniffing your legitimate traffic. To protect yourself from this kind of attack, especially if you are using WiFi or any other wireless technology, you must configure Asterisk to use TLS as transport for SIP and SRTP for media; both are supported on the raspbx distribution, see this post: https://sourceforge.net/p/raspbx/discussion/newfeatures/thread/169e7199/ .
Other security tips:
1. Put Asterisk behind a firewall (your home router can act as a firewall) and do port forwarding to your Pi;
2. The ports I forwarded for my installation are: udp 5060, tcp 5061, udp 50000 to 50020 (these are the RTP ports configured in /etc/asterisk/rtp.conf, and you only need 2 ports open per device plus a few just to be safe);
3. Use strong passwords for your SIP users (DO NOT USE PASSWORDS THAT ARE THE SAME AS THE USERS or EXTENSIONS); it's the first thing a hacker will try;
4. Force SIP clients to use TLS and SRTP (if Asterisk is configured to support those protocols; if not, please follow this official howto https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial);
5. Keep your installation up to date with the security updates;
6. Allocate time to read the Asterisk official Security Advisories (http://www.asterisk.org/downloads/security-advisories)
7. Allocate time to read and interpret log files;
Thanks for your time,
Razvan Turtureanu.
Last edit: Razvan Turtureanu 2013-02-06
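To check that the filter above really catches the Asterisk 11 security events, and to see how a jail's maxretry and findtime then turn matches into a ban, here is an added example in Python; it is not part of the tutorial, of RasPBX or of the fail2ban project. It copies the three SECURITY patterns from the filter, expands <HOST> exactly as fail2ban's own comment describes, and runs them over a constructed security_log excerpt. The addresses, timestamps and field values in that excerpt are made up for the demonstration (documentation address ranges), and maxretry=3 together with fail2ban's default findtime of 600 seconds are assumed for the ban rule.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# fail2ban substitutes this named group for the <HOST> tag before compiling a
# failregex (the filter's own comment quotes it); doing the same here means the
# patterns tested are exactly the ones written into asterisk.conf.
HOST_TAG = r'(?:::f{4,6}:)?(?P<host>\S+)'

# The three SECURITY lines of the filter's failregex, copied verbatim.
FAILREGEX = [
    r'SECURITY.* .*: SecurityEvent="InvalidAccountID",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*"',
    r'SECURITY.* .*: SecurityEvent="ChallengeResponseFailed",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*',
    r'SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="SIP",.*,.*,.*,.*,RemoteAddress=".*/.*/<HOST>/.*",.*',
]
COMPILED = [re.compile(p.replace('<HOST>', HOST_TAG)) for p in FAILREGEX]

# Asterisk starts every security_log line with "[YYYY-MM-DD HH:MM:SS]".
TIMESTAMP = re.compile(r'^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]')

# Constructed sample log (not taken from a real system); addresses are from the
# documentation ranges.  Field layout follows the Asterisk 11 security events.
SAMPLE_LOG = """\
[2013-02-06 10:00:01] SECURITY[2087] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1360144801-000123",Severity="Error",Service="SIP",EventVersion="1",AccountID="1000",SessionID="0x1a2b",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2013-02-06 10:00:02] SECURITY[2087] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1360144802-000456",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x1a2c",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="2f1c7d9e",ReceivedChallenge="2f1c7d9e",ReceivedHash="deadbeef"
[2013-02-06 10:00:03] SECURITY[2087] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1360144803-000789",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x1a2d",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="3e4f5a6b",Response="00000000",ExpectedResponse="11111111"
[2013-02-06 10:00:05] SECURITY[2087] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1360144805-000012",Severity="Informational",Service="SIP",EventVersion="1",AccountID="2000",SessionID="0x1a2e",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",UsingPassword="1"
[2013-02-06 10:00:07] SECURITY[2087] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1360144807-000345",Severity="Error",Service="SIP",EventVersion="2",AccountID="2000",SessionID="0x1a2f",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="4a5b6c7d",ReceivedChallenge="4a5b6c7d",ReceivedHash="cafebabe"
[2013-02-06 11:30:00] SECURITY[2087] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1360150200-000001",Severity="Error",Service="SIP",EventVersion="2",AccountID="1002",SessionID="0x1b01",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060",Challenge="5b6c7d8e",ReceivedChallenge="5b6c7d8e",ReceivedHash="0badf00d"
[2013-02-06 11:45:00] SECURITY[2087] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1360151100-000002",Severity="Error",Service="SIP",EventVersion="2",AccountID="1002",SessionID="0x1b02",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060",Challenge="6c7d8e9f",ReceivedChallenge="6c7d8e9f",ReceivedHash="0badf00d"
[2013-02-06 12:00:00] SECURITY[2087] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1360152000-000003",Severity="Error",Service="SIP",EventVersion="2",AccountID="1002",SessionID="0x1b03",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.77/5060",Challenge="7d8e9fa0",ReceivedChallenge="7d8e9fa0",ReceivedHash="0badf00d"
"""


def parse_failures(log_text):
    """Return [(timestamp, host), ...] for every line one of the failregex matches."""
    failures = []
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        if not ts:
            continue
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                when = datetime.strptime(ts.group(1), '%Y-%m-%d %H:%M:%S')
                failures.append((when, m.group('host')))
                break  # one failure per line, which is how fail2ban counts it
    return failures


def failure_counts(log_text):
    """Failed attempts per remote host (the number fail2ban's mail reports)."""
    return dict(Counter(host for _, host in parse_failures(log_text)))


def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Apply the jail rule: maxretry failures from one host within findtime seconds."""
    by_host = defaultdict(list)
    for when, host in failures:
        by_host[host].append(when)
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in by_host.items():
        times.sort()
        # Slide a window of maxretry consecutive failures over the sorted times.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == '__main__':
    found = parse_failures(SAMPLE_LOG)
    for host, n in failure_counts(SAMPLE_LOG).items():
        print(f'{host}: {n} failed attempt(s)')
    print('would be banned with maxretry=3, findtime=600:', hosts_to_ban(found))
```

On a real box the same check is done with fail2ban's own tool, fail2ban-regex /var/log/asterisk/security_log /etc/fail2ban/filter.d/asterisk.conf, which reports how many lines each failregex matched. Note how the third host in the sample makes three failed attempts but spread over thirty minutes, so it is never banned with the default findtime; a scanner that paces its attempts slowly enough stays under the jail, which is a reason to keep reading the security_log yourself, as tip 7 above says.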
I strongly suggest adding 3 more lines to actions, to cover PJSIP and not only SIP:
BTW, it's also possible to simply change the "Service=" part regex to detect SIP and PJSIP:
Thank you for your suggestion. I've added this to install-fail2ban, the new script is available through the regular updates.
This article apparently was written back in February, but now there is a script, install-fail2ban (found at /usr/bin/install-fail2ban) that installs it for you. But here is the problem with the above article. In the article, it advises you to add a line to /etc/asterisk/logger.conf, but if you read the top of that file it says this:
;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. All modifications to ;
; this file must be done via the web gui. There are alternative files to make ;
; custom modifications, details at: http://freepbx.org/configuration_files ;
;--------------------------------------------------------------------------------;
So if you add that line, it will be lost when you make changes to the FreePBX configuration. The script correctly makes the changes in /etc/asterisk/logger_logfiles_custom.conf, which is where that added line needs to go.
But my question is, if you use the script, will it also protect against SSH attacks? That would likely only be a problem if you had port 22 forwarded to your RasPBX server, which I have no intention of doing, but I'd still sleep a little better with a second line of defense, knowing that fail2ban was also watching for SSH attacks. In fact on another larger installation I note that fail2ban monitors Asterisk, SSH, VSFTPD, and Apache. And in regard to that system, I have never seen any attempts to hack Apache or VSFTPD, but there are almost daily attempts on SSH.
Hi VoIPuser, yes, the current version of fail2ban (Installed via install-fail2ban) protects ssh and Asterisk (extension login attempts).
The file where you need to make any changes is /etc/fail2ban/jail.local as /etc/fail2ban/jail.conf can be overwritten in newer versions of RASPBX.
Here are the contents of my jail.local file for your reference:
[DEFAULT]
destemail = youremail@company.com
action = %(action_mw)s

[asterisk]
enabled = true
filter = asterisk
action = iptables-asterisk[name=asterisk]
         sendmail[name=Asterisk, dest=youremail@company.com, sender=root]
logpath = /var/log/asterisk/security_log
maxretry = 3
bantime = 3600

[ssh]
enabled = true
maxretry = 5
bantime = 3600
You should also ensure you are protecting the right SIP ports (change them to the same port and port+1 as the “Bind Port” in FreePBX “Settings” -> “Asterisk SIP Settings”):
nano /etc/fail2ban/action.d/iptables-asterisk.conf
Search for all lines with “--dport 5060” and “--dport 5061” and replace 5060 with the Bind Port and 5061 with the Bind Port+1 number.
Restart fail2ban service so it takes the changes:
service fail2ban restart
Optional: To stop fail2ban:
service fail2ban stop
Optional: To start fail2ban:
service fail2ban start
Optional: To check if fail2ban is running:
/etc/init.d/fail2ban status
Optional: To check if SSH and ASTERISK are being protected by fail2ban:
fail2ban-client status
Optional: To check the fail2ban log and see blocked IP addresses:
cat /var/log/fail2ban.log|more
To check protection rules active in iptables:
iptables -L -v
To unblock IP address xxx.xxx.xxx.xxx blocked by fail2ban:
iptables -D fail2ban-asterisk -s xxx.xxx.xxx.xxx -j DROP
Optional: To block IP address xxx.xxx.xxx.xxx for trying to get access to your server:
iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
iptables-save > /etc/network/iptables
Edit /etc/network/interfaces
The following line needs to be added to the end of the file:
pre-up iptables-restore < /etc/network/iptables
To unblock IP address xxx.xxx.xxx.xxx blocked in INPUT with command above:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
I hope it helps.
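Nicolas's step of editing the three --dport values by hand generalises to any bind port. The following added Python example (not from this thread, RasPBX or fail2ban) rewrites them in one pass from a given bind port and then lists which protocol/port pairs the actionstart lines hook into the INPUT chain. The action excerpt it operates on is a constructed copy of the actionstart/actionstop lines from the tutorial's iptables-asterisk.conf, and 25070 is just the example bind port used for the demonstration.

```python
import re

DPORT = re.compile(r'--dport (\d+)')
HOOK = re.compile(r'-I <chain> -p (tcp|udp) --dport (\d+)')

# Constructed excerpt of the tutorial's action file (the real file has more
# sections); the ports are the tutorial's defaults.
SAMPLE_ACTION = """\
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p tcp --dport 5061 -j fail2ban-<name>
              iptables -I <chain> -p udp --dport 5060 -j fail2ban-<name>
              iptables -I <chain> -p tcp --dport 5060 -j fail2ban-<name>
actionstop = iptables -D <chain> -p tcp --dport 5061 -j fail2ban-<name>
             iptables -D <chain> -p udp --dport 5060 -j fail2ban-<name>
             iptables -D <chain> -p tcp --dport 5060 -j fail2ban-<name>
"""


def rewrite_sip_ports(text, bind_port, old_port=5060):
    """Replace --dport old_port with bind_port and old_port+1 with bind_port+1.

    Returns (new_text, replacements).  All substitutions happen in a single
    pass, so a freshly written port is never matched again (with two
    sequential replacements, a bind port of 5060+... could be rewritten twice).
    Any other --dport value in the file is left untouched.
    """
    if not 1 <= bind_port <= 65534:  # bind_port + 1 must still be a valid port
        raise ValueError('bind port out of range')
    mapping = {str(old_port): str(bind_port), str(old_port + 1): str(bind_port + 1)}
    count = 0

    def sub(m):
        nonlocal count
        if m.group(1) in mapping:
            count += 1
            return '--dport ' + mapping[m.group(1)]
        return m.group(0)

    return DPORT.sub(sub, text), count


def protected_ports(text):
    """Set of (proto, port) pairs the actionstart lines will hook into <chain>."""
    pairs = set()
    for line in text.splitlines():
        m = HOOK.search(line)
        if m:
            pairs.add((m.group(1), int(m.group(2))))
    return pairs


if __name__ == '__main__':
    import sys
    bind = int(sys.argv[1]) if len(sys.argv) > 1 else 25070
    new_text, n = rewrite_sip_ports(SAMPLE_ACTION, bind)
    print(f'{n} --dport values rewritten; fail2ban now hooks:', sorted(protected_ports(new_text)))
    print(new_text)
```

The filter itself does not mention a port (it only extracts the RemoteAddress), so after changing the bind port nothing in asterisk.conf needs editing; only the action file and, as Nicolas says, a service fail2ban restart, after which iptables -L -v should show the fail2ban-asterisk chain referenced on the new ports.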
Thank you, Nicolas, that was a very informative post.
On a related note, there is someone using a SIP hacking program (I think) that keeps trying to break into our system. They generally only make about a half dozen attempts at a time, all within a second or two, but they come back throughout the day and night at various times, and fill the call detail with their useless attempts. Seriously, there is nothing here that would be of the slightest interest to them, but it frustrates me that the CDR doesn't reveal their IP address, and when I do cat /var/log/fail2ban.log|more it appears that it's not been fail2ban that's stopping them.
We do have an offsite extension (family member using an old PAP2) so we can't simply close off all ports at the router (we currently send UDP 5060 and 10000-20000 to the Raspberry Pi), but if I could figure out what addresses these turkeys are coming in from, maybe I could block them specifically. It's more just an annoyance than anything because the way this system is set up they will never be successful.
Oh, and I do realize that what's in the CDR is determined by the Asterisk people, and not the RasPBX developer, I'm really just blowing off a little steam here.
When I set allowguest=no in sip.conf, then I block all incoming calls from my VoIP provider. How can I avoid that?
Henk, you don't change sip.conf when using FreePBX, Instead, you go to Settings | Asterisk SIP Settings and under Advanced General Settings you can allow or disallow SIP Guests and Anonymous Inbound SIP Calls.
As for not receiving calls from your VoIP provider, typically that happens when they send calls to you from an IP address that is different from the one you use to send calls to them. If you can find out what address they are sending the calls from, you can create another trunk for inbound calls only and specify that IP address as the host address.
Hello, how do I UNBAN myself? Somehow I must have banned myself, as I had two emails from my box saying:
Hi,
The IP XXX.XXX.XXX.XXX has just been banned by Fail2Ban after
4 attempts against Asterisk.
Regards,
Fail2Ban
Hi,
The IP XXX.XXX.XXX.XXX has just been banned by Fail2Ban after
4 attempts against Asterisk.
Regards,
Fail2Ban
The 'X's are my external IP address. I've tried so far:
root@raspbx:~# iptables -D fail2ban-asterisk -s XXX.XXX.XXX.XXX -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
and iptables -L -v gives the following:
iptables -L -v
Chain INPUT (policy ACCEPT 47595 packets, 8923K bytes)
pkts bytes target prot opt in out source destination
0 0 fail2ban-asterisk tcp -- any any anywhere anywhere tcp dpt:sip
2452 818K fail2ban-asterisk udp -- any any anywhere anywhere udp dpt:sip
0 0 fail2ban-asterisk tcp -- any any anywhere anywhere tcp dpt:sip-tls
1515 126K fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 45981 packets, 9379K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-asterisk (3 references)
pkts bytes target prot opt in out source destination
2452 818K RETURN all -- any any anywhere anywhere
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
1515 126K RETURN all -- any any anywhere anywhere
I'm looking at the fail2ban-asterisk and fail2ban-ssh references...
What should I do, please?
Dave.
Hello everyone. I have installed RasPBX and I have changed the bind ports for the following applications:
-ssh 2222
-apache 2280
-asterisk 25070
I have installed fail2ban and did all the setup as in this thread. The problem is that it cannot see the ports since they have been changed. Also, how can I add a dynamically updated list such as http://voipbl.org/, please?
I have a serious problem with scanners and software such as SIPVicious attacking me all the time, and I would like to ban them.
So I installed raspbx and followed the documentation at http://www.raspberry-asterisk.org/documentation/. I have just finished the fail2ban installation it helpfully links to. It's a difficult installation because some but not all elements of that process are already in place. However, I do the best I can, then return to the original documentation and scroll down to see "This installer includes all steps described by Razvan’s tutorial." - so I just wasted several hours and probably screwed up a perfectly good fail2ban installation.
I know all this is free, but - I can't tell you how STUPID that is - putting that link UNDERNEATH the link to the documentation which is ENTIRELY NOT NEEDED.
Why not just NOT MENTION ANY OF IT?
I'd love some help if anyone has time... I'm trying to set up an Asterisk trunk using RasPBX/FreePBX where the port is sort of non-standard. It's 5062. I'm getting all kinds of errors and grief from Asterisk about how the port is disallowed and the hostname can't be resolved... if anyone has any tips on how to overcome this I'm all ears!! I've tried a lot of stuff and it doesn't seem to want to work. HOWEVER, I CAN connect to this remote Asterisk instance using X-Lite OR using a SPA3000 or a PAP2T. So it's not my router, I don't think! My FreePBX is also successfully connected to two other SIP trunks: Sipgate and my SPA3000 (connected to the PSTN).
THANK YOU!
I also strongly suggest adding the following line to actions:
SECURITY.* .*: SecurityEvent="ChallengeSent",.*,.*,Service="(PJ)?SIP",.*,AccountID="<unknown>",.*,.*,RemoteAddress=".*/.*/<HOST>/.*",Challenge=""
I had hundreds of thousands of these entries in my logs: