[Asterisk] Defence of brute force attack

Posted on by

Asterisk Server 를 생성하고 계속해서 Brute-force Attack 이 들어왔다.
비록 뚫린 흔적은 발견하지 못했지만 계속해서 들어오는 Brute Force Attack 은 내게 계속해서 “방심하면 뚫린다”라는 긴장감을 주었다..

그래서 그 방지책으로 fail2ban 설정을 찾을 수 있었고, 아래의 내용으로 fail2ban 설정 후, 안심할 수 있었다.

Asterisk 관련 fail2ban 스크립트 설정법

jail2ban.conf

logpath 가 약간 이상하게 잡혀있는데, 이는 Freepbx 를 설치해서 기본 로그 파일 경로가 수정되었기 때문이다.

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime = 259200
findtime = 8640

 

filter.d/asterisk.conf

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>S+)
# Values:  TEXT
#

# Asterisk 1.4 use the following failregex

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*<sip:.*@<HOST>>;tag=.*
            NOTICE.* .*: Registration from '".*".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '".*".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '".*".*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '".*".*' failed for '<HOST>:.*' - Wrong password

# In Asterisk 1.8 use the same as above, but after <HOST> add :.* before the single quote. This is because in Asterisk 1.8, the log file includes a port number which 1.4 did not.

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

 

출처: http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.