Asterisk Server 를 생성하고 계속해서 Brute-force Attack 이 들어왔다.
비록 뚫린 흔적은 발견하지 못했지만 계속해서 들어오는 Brute Force Attack 은 내게 계속해서 “방심하면 뚫린다”라는 긴장감을 주었다..
그래서 그 방지책으로 fail2ban 설정을 찾을 수 있었고, 아래의 내용으로 fail2ban 설정 후, 안심할 수 있었다.
Asterisk 관련 fail2ban 스크립트 설정법
jail2ban.conf
logpath 가 약간 이상하게 잡혀있는데, 이는 Freepbx 를 설치해서 기본 로그 파일 경로가 수정되었기 때문이다.
1 2 3 4 5 6 7 8 9 | [asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] logpath = /var/log/asterisk/full maxretry = 5 bantime = 259200 findtime = 8640 |
filter.d/asterisk.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | # Fail2Ban configuration file # # # $Revision: 250 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] #_daemon = asterisk # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>S+) # Values: TEXT # # Asterisk 1.4 use the following failregex failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username /auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit /deny ) NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* <HOST> failed to authenticate as '.*' $ NOTICE.* .*: No registration for peer '.*' (from <HOST>) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@<HOST>.* NOTICE.* .*: Sending fake auth rejection for device .*<sip:.*@<HOST>>;tag=.* NOTICE.* .*: Registration from '".*".*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '".*".*' failed for '<HOST>:.*' - No matching peer found NOTICE.* .*: Registration from '".*".*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '".*".*' failed for '<HOST>:.*' - Wrong password # In Asterisk 1.8 use the same as above, but after <HOST> add :.* before the single quote. This is because in Asterisk 1.8, the log file includes a port number which 1.4 did not. # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = |
출처: http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk