As Internet-accessible corporate Voice over IP servers continue to grow in number, so does the risk of rogue individuals gaining access to SIP extensions through weak or poorly managed Asterisk passwords.
You can protect your Asterisk server using Fail2Ban. Fail2ban scans log files such as /var/log/asterisk/full or /var/log/secure and bans IP addresses with too many password failures. It then updates the firewall rules to reject the IP address permanently or for an administrator-defined period of time.
This article does NOT negate the need to set strong SIP extension passwords or to change system default passwords; it is purely aimed at countering the most common way SIP servers are compromised: brute-forcing SIP passwords.
To install Fail2Ban for Asterisk:
SSH to your VoIP server and log in as root, then type the following commands:
# jwhois provides the whois lookup used by the sendmail-whois action below
yum -y install jwhois
# fail2ban-0.8.4.tar.bz2 is assumed to have been downloaded into /usr/src already
cd /usr/src
tar -jxf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install
# install the Red Hat style init script shipped with the tarball
cp /usr/src/fail2ban-0.8.4/files/redhat-initd /etc/init.d/fail2ban
chmod 755 /etc/init.d/fail2ban
Copy the following into a new configuration file, /etc/fail2ban/filter.d/asterisk.conf:
Modify the ignoreip setting in the [DEFAULT] section and add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file:
NOTE: You need to define your alert email address (dest) and the sender address of the notification (sender) below; the addresses shown are placeholders.
[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=[email protected], sender=[email protected]]
logpath = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600
Back up the existing logger.conf to logger.conf.bak and create a new, empty configuration file:
# mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
# touch /etc/asterisk/logger.conf
Copy the following into the new configuration file /etc/asterisk/logger.conf (both entries belong in the [logfiles] section; the fail2ban log receives only notice messages, which is where the SIP registration failures are reported):
[logfiles]
full => notice,warning,error,debug,verbose
fail2ban => notice
Reload the logger module in Asterisk so that /var/log/asterisk/fail2ban is created:
# asterisk -rx "module reload logger"
Add Fail2ban to the list of startup services:
# chkconfig fail2ban on
# /etc/init.d/fail2ban start
Check that the fail2ban chain is present in iptables:
# iptables -L -v
You should see a chain named “fail2ban-ASTERISK” in your iptables output.
With this configuration in place, any source IP address trying to brute force your SIP account passwords will be banned after 5 failed login attempts for 600 seconds (10 minutes). If required, you can adjust these values (maxretry and bantime) in /etc/fail2ban/jail.conf.
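To make the ban logic concrete, here is an added Python example (not code from the article or from the fail2ban project) that reproduces what the jail above does: it runs fail2ban-style failregex patterns over Asterisk log lines, counts failures per source IP, skips anything covered by ignoreip, and reports the hosts that reached maxretry. The two failregex patterns and the log lines are assumptions: the lines are constructed in the classic chan_sip "Registration from ... failed for '<ip>'" NOTICE format, and the patterns were written to match them, so verify both against your own /var/log/asterisk/fail2ban with fail2ban-regex before relying on them.

```python
"""Toy re-implementation of the fail2ban jail logic from the article: apply the
filter's failregex to Asterisk log lines, count failures per source IP, honour
ignoreip, and ban after maxretry hits for bantime seconds."""
import ipaddress
import re
from collections import Counter

# Assumed failregex patterns in fail2ban's own syntax (<HOST> marks the source IP).
# They target the chan_sip "Registration from ... failed for '<ip>'" NOTICE lines.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
]
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Values taken from the jail.conf section in the article.
IGNOREIP = "127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16"
MAXRETRY = 5
BANTIME = 600


def _line(sec, ext, src, reason):
    """Build one constructed chan_sip NOTICE line (assumed format)."""
    return ("[2010-03-01 10:00:%02d] NOTICE[2345] chan_sip.c: Registration from "
            "'\"%s\"<sip:%s@192.0.2.10>' failed for '%s' - %s" % (sec, ext, ext, src, reason))


# Constructed sample log: 5 failures from 203.0.113.5 (one with an unknown
# extension), 1 failure from 198.51.100.7, 5 failures from a LAN host that is
# inside ignoreip, and one unrelated NOTICE line that must not match.
SAMPLE_LOG = "\n".join(
    [_line(i, "10%d" % i, "203.0.113.5",
           "No matching peer found" if i == 1 else "Wrong password") for i in range(5)]
    + [_line(5, "200", "198.51.100.7", "Wrong password")]
    + [_line(6 + i, "100", "192.168.22.40", "Wrong password") for i in range(5)]
    + ["[2010-03-01 10:00:20] NOTICE[2345] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)"]
)


def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> into an IPv4 capture group, as fail2ban does, and compile."""
    return [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in patterns]


def match_host(line, compiled):
    """Return the source IP if any failregex matches the line, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_ignoreip(spec=IGNOREIP):
    """Turn the space-separated ignoreip value into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in spec.split()]


def is_ignored(host, networks):
    """True when the host falls inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def count_failures(log_text, compiled=None, networks=None):
    """Count matching lines per host, dropping hosts covered by ignoreip."""
    compiled = compiled or compile_failregex()
    networks = networks if networks is not None else parse_ignoreip()
    counts = Counter()
    for line in log_text.splitlines():
        host = match_host(line, compiled)
        if host and not is_ignored(host, networks):
            counts[host] += 1
    return counts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts that reached maxretry failures, i.e. what the jail would ban."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


def ban_expiry(ban_start, bantime=BANTIME):
    """Epoch second at which fail2ban removes the iptables rule again."""
    return ban_start + bantime


if __name__ == "__main__":
    for host, n in sorted(count_failures(SAMPLE_LOG).items()):
        print("%-15s %d failures" % (host, n))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Running it shows 203.0.113.5 banned after its fifth failure, 198.51.100.7 left alone with a single failure, and 192.168.22.40 never counted because it sits inside 192.168.0.0/16 from ignoreip. The ignoreip parsing also makes one property of the article's value visible: 172.16.0.0/16 covers only 172.16.x.x, not the whole 172.16.0.0/12 private range, so a host such as 172.17.0.1 is not exempt.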
How to test:
Download a copy of X-Lite and try to connect to your Asterisk box using false credentials. Make sure you don’t try this from an IP address that is on the “ignoreip” list (192.168.22.0/24, for instance). If your client gets blocked after 5 attempts and you receive an email saying your IP has been blocked, you can safely assume that your configuration is working correctly.
You can also test the filter regular expressions against your existing logs using (the full log contains the same notice lines that the jail reads from /var/log/asterisk/fail2ban):
$ fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf
$ fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
NOTE: The commands above test the Asterisk and SSH filter rules against your log history, so they report how many lines would have matched without banning anything.