#Проверяем установление ли iptables нет нет то: apt-get install fail2ban
iptables
#Установка fail2ban
apt-get install fail2ban
#Правим конфиг лога asterisk
nano /etc/asterisk/logger.conf
# разделе general
[general]
#Добавляем
dateformat=%F %T
# В разделе logfiles
[logfiles]
#Добавляем
messages => security,notice,warning,error
#сохраняем изменения
#Перегружаем логи asterisk
asterisk -rx "logger reload"
#Проверяем работу лог
tail –f /var/log/asterisk/messages
#Делаем копию конфига
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.old
#Открываем файл настроек
nano /etc/fail2ban/jail.conf
#Проверяем если нужно добавляем
ignoreip = 127.0.0.1/8
#Создаем правила обработки asterisk
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath = /var/log/asterisk/messages
maxretry = 4
findtime = 1600
bantime = 86400
#Открываем конфиг фильтра
nano /etc/fail2ban/filter.d/asterisk.conf
#Создаем правило фильтрации
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from \)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected ''$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from "$
ignoreregex =
# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
#Рестартуем fail2ban
sudo /etc/init.d/fail2ban restart
или
sudo services fail2ban restart
#Проверка iptables
iptables -L -n
#Проверяем заблокированные IP
fail2ban-client status asterisk-iptables
iptables
#Установка fail2ban
apt-get install fail2ban
#Правим конфиг лога asterisk
nano /etc/asterisk/logger.conf
# разделе general
[general]
#Добавляем
dateformat=%F %T
# В разделе logfiles
[logfiles]
#Добавляем
messages => security,notice,warning,error
#сохраняем изменения
#Перегружаем логи asterisk
asterisk -rx "logger reload"
#Проверяем работу лог
tail –f /var/log/asterisk/messages
#Делаем копию конфига
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.old
Настройка Fail2ban
#Открываем файл настроек
nano /etc/fail2ban/jail.conf
#Проверяем если нужно добавляем
ignoreip = 127.0.0.1/8
#Создаем правила обработки asterisk
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath = /var/log/asterisk/messages
maxretry = 4
findtime = 1600
bantime = 86400
#Открываем конфиг фильтра
nano /etc/fail2ban/filter.d/asterisk.conf
#Создаем правило фильтрации
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from \)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected ''$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from "$
ignoreregex =
# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
#Рестартуем fail2ban
sudo /etc/init.d/fail2ban restart
или
sudo services fail2ban restart
#Проверка iptables
iptables -L -n
#Проверяем заблокированные IP
fail2ban-client status asterisk-iptables
Комментариев нет:
Отправить комментарий