Installing and configuring fail2ban for Asterisk 11
This document explains how to install and configure fail2ban to protect the PBX from SSH access attempts and from SIP authentication attempts.
We assume that iptables is already installed on the PBX.
Install fail2ban:
# cd /usr/src/
# wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.11/fail2ban-0.8.11.tar.gz
# tar -zxf fail2ban-0.8.11.tar.gz
# cd fail2ban-0.8.11
# python setup.py install
# cp /usr/src/fail2ban-0.8.11/files/redhat-initd /etc/init.d/fail2ban
# chmod 755 /etc/init.d/fail2ban
# cd /etc/fail2ban/filter.d
Edit:
nano asterisk-security.conf
Copy the content below and save it (in fail2ban's config format every continuation line of failregex must start with whitespace, and each pattern must contain the <HOST> tag marking the address to ban):
[INCLUDES]
[Definition]
failregex = NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            WARNING.* Ext. s: Friendly Scanner from <HOST>
            WARNING.* .*: .*Rejecting unknown SIP connection from <HOST>
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="(SIP|AMI)".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="(SIP|AMI)".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="[a-zA-Z]+",.*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="(SIP|AMI)".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"
ignoreregex =
Edit the file /etc/fail2ban/jail.conf and add these lines (the second action line is a continuation of the first and must be indented):
[asterisk-iptables]
enabled = true
filter = asterisk-security
action = iptables-allports[name=SIP, protocol=all]
         sendmail[name=SIP, dest=fail2ban@miodominio.com, sender=fail2ban@miodominio.com]
logpath = /var/log/asterisk/fail2ban
maxretry = 3
bantime = 604800
ignoreip = 127.0.0.1
Change as needed:
 * the e-mail address that receives the notifications (sent whenever an IP is banned)
 * maxretry: the maximum number of failed registration attempts
 * bantime: how long, in seconds, the offending IP stays banned
 * ignoreip: the IPs and/or IP ranges that must never be checked
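Before relying on the filter, it is worth checking that the patterns really match the log lines Asterisk writes and that the jail's maxretry/ignoreip rules ban who you expect (fail2ban ships fail2ban-regex for the first half of this). The following Python example is added here and is not part of the original guide: it expands <HOST> the way fail2ban 0.8 does, runs a subset of the patterns above over constructed sample lines, and applies maxretry=3 and ignoreip=127.0.0.1. It assumes /var/log/asterisk/fail2ban is actually produced by logger.conf with the security, notice and warning levels; otherwise the jail has nothing to read.

```python
import re
from collections import Counter

# A subset of the failregex patterns from the asterisk-security filter above,
# in fail2ban syntax: <HOST> marks the address that gets banned.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)",
    r'SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="[a-zA-Z]+",.*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
]

# fail2ban 0.8 substitutes this named group for <HOST> before compiling.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_filter(patterns):
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def failures_by_host(log_lines, compiled):
    """Count matching (failed) attempts per remote host, at most one per log line."""
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def hosts_to_ban(hits, maxretry=3, ignoreip=("127.0.0.1",)):
    """Apply the jail's maxretry and ignoreip rules (findtime is ignored here)."""
    return sorted(h for h, n in hits.items() if n >= maxretry and h not in ignoreip)


# Constructed sample lines in the Asterisk 11 log format (not real traffic).
SAMPLE_LOG = """\
[Jan 10 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '203.0.113.5:5060' - Wrong password
[Jan 10 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx>' failed for '203.0.113.5:5060' - No matching peer found
[Jan 10 10:00:03] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1389348003-000000",Severity="Error",Service="SIP",EventVersion="2",AccountID="102",SessionID="0x7f",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[Jan 10 10:00:04] NOTICE[1234] chan_sip.c: Peer '200' is not dynamic (from 198.51.100.7)
[Jan 10 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@pbx>' failed for '127.0.0.1:5060' - Wrong password
[Jan 10 10:00:06] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@pbx>' failed for '127.0.0.1:5060' - Wrong password
[Jan 10 10:00:07] NOTICE[1234] chan_sip.c: Registration from '"1" <sip:1@pbx>' failed for '127.0.0.1:5060' - Wrong password
""".splitlines()

if __name__ == "__main__":
    counts = failures_by_host(SAMPLE_LOG, compile_filter(FAILREGEX))
    print(dict(counts))          # {'203.0.113.5': 3, '198.51.100.7': 1, '127.0.0.1': 3}
    print(hosts_to_ban(counts))  # ['203.0.113.5']
```

The localhost failures are counted but never banned because of ignoreip, which is exactly why that setting matters for phones or trunks registering from the PBX itself.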
At this point, add fail2ban to the services that start automatically at boot:
chkconfig fail2ban on
and then start fail2ban:
/etc/init.d/fail2ban start