
fail2ban for Asterisk

    主要設定檔

    (for Asterisk 1.6.x)
    /etc/fail2ban/filter.d/asterisk.conf

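    # Fail2Ban configuration file
    #
    # Asterisk 1.6.x filter (/etc/fail2ban/filter.d/asterisk.conf).
    # Read by fail2ban's ConfigParser-based loader: '#' starts a full-line
    # comment; the indented lines after "failregex =" continue that value,
    # one pattern per line.
    #
    # $Revision: 250 $
    #

    [INCLUDES]
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf

    [Definition]
    #_daemon = asterisk

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    # Changes from the original patterns, and why:
    # - Each pattern now ends in '$'. The text inside the first quotes ('.*')
    #   is the identity the remote party sent in its request; unanchored, a
    #   value such as   x' failed for '10.0.0.1' - Wrong password   lets the
    #   "Wrong password" pattern match with host=10.0.0.1, i.e. the remote
    #   party can choose which address gets banned. Anchored, only the
    #   trailing "failed for '<addr>' - <reason>" that Asterisk appends can
    #   satisfy the pattern, so the captured host is the real sender.
    # - Literal parentheses are escaped. Unescaped, "(from <HOST>)" and
    #   "(language '.*')" are regex groups that do not match the '(' in the
    #   log line, so those two patterns never fired.
    # - "Failed to authenticate user .*@<HOST>" takes the address from the
    #   user identity in the message (the part after '@'), not from a
    #   separate peer-address field like the other patterns. If that identity
    #   is supplied by the remote party the banned address is attacker-chosen.
    #   NOTE(review): confirm against real log lines before relying on it.
    # - "Playing 'ss-noservice'": <HOST> is taken from the channel name
    #   (".../<HOST>-<id>"); if that is a peer name rather than an address,
    #   fail2ban has to resolve it. The whitespace between "logger.c:" and
    #   "--" is matched loosely because verbose output is indented.
    # - Every pattern requires the NOTICE (last one: VERBOSE) prefix, so the
    #   log file fail2ban watches must receive those levels from Asterisk.
    #

    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password$
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found$
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch$
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL$
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register$
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)$
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)$
                NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
                VERBOSE.* logger.c:\s+--\s+.*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =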

    (for Asterisk 1.8.x)
    /etc/fail2ban/filter.d/asterisk.conf

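    # Fail2Ban configuration file
    #
    # Asterisk 1.8.x filter (/etc/fail2ban/filter.d/asterisk.conf).
    # Read by fail2ban's ConfigParser-based loader: '#' starts a full-line
    # comment, indented lines continue the value above them, and %(name)s is
    # expanded from keys of this section.
    #
    # $Revision: 250 $
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf


    [Definition]

    #_daemon = asterisk

    # Asterisk 1.8 logs the registering peer as "addr:port". The <HOST> alias
    # expands to a greedy \S+ (see the failregex notes), which swallows the
    # ":port" into the host group: the original "<HOST>(:[0-9]{1,5})?" captured
    # "1.2.3.4:5060", which is not an address fail2ban can ban. A lazy host
    # group followed by the optional port keeps the port out of the capture.
    _host_port = (?:::f{4,6}:)?(?P<host>\S+?)(?::[0-9]{1,5})?

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    # Changes from the original patterns, and why:
    # - The "Registration from" patterns use %(_host_port)s (defined above) so
    #   the port is not captured as part of the host.
    # - Each pattern now ends in '$'. The text inside the first quotes ('.*')
    #   is the identity the remote party sent in its request; unanchored, a
    #   value such as   x' failed for '10.0.0.1' - Wrong password   lets the
    #   "Wrong password" pattern match with host=10.0.0.1, i.e. the remote
    #   party can choose which address gets banned. Anchored, only the
    #   trailing "failed for '<addr>' - <reason>" that Asterisk appends can
    #   satisfy the pattern, so the captured host is the real sender.
    # - Literal parentheses are escaped. Unescaped, "(from <HOST>)" and
    #   "(language '.*')" are regex groups that do not match the '(' in the
    #   log line, so those two patterns never fired.
    # - The two ".*@<HOST>" patterns ("Failed to authenticate user" and
    #   "Sending fake auth rejection for device") take the address from the
    #   user/device identity in the message rather than from a peer-address
    #   field. If that identity is supplied by the remote party the banned
    #   address is attacker-chosen. NOTE(review): confirm against real log
    #   lines before relying on these two.
    # - "Playing 'ss-noservice'": <HOST> is taken from the channel name
    #   (".../<HOST>-<id>"); if that is a peer name rather than an address,
    #   fail2ban has to resolve it. The whitespace between "logger.c:" and
    #   "--" is matched loosely because verbose output is indented.
    # - Every pattern except the "Registration from" ones requires the NOTICE
    #   (last one: VERBOSE) prefix, so the log file fail2ban watches must
    #   receive those levels from Asterisk.
    #

    failregex = Registration from '.*' failed for '%(_host_port)s' - Wrong password$
                Registration from '.*' failed for '%(_host_port)s' - No matching peer found$
                Registration from '.*' failed for '%(_host_port)s' - Device does not match ACL$
                Registration from '.*' failed for '%(_host_port)s' - Username/auth name mismatch$
                Registration from '.*' failed for '%(_host_port)s' - Peer is not supposed to register$
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)$
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)$
                NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
                NOTICE.* .*: Sending fake auth rejection for device .*@<HOST>.*
                VERBOSE.* logger.c:\s+--\s+.*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =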

    更新於 2012-3-14:
    fail2ban 於 CentOS 6.x 將無法正常工作,詳細資訊及解決方法請參閱:(原文所附的連結未保留在此頁面中)

     

    攻擊紀錄 Log 報表分析

     

    列出近日的惡意 IP 、攻擊次數,並作排序。

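    # Banned addresses and how many times each was banned, least frequent first.
    # The field before the address is the action word ("Ban"); it must be
    # compared with "==" -- the original used "=" (assignment), which rewrote
    # that field and merely tested whether /Ban/ occurred anywhere in the line.
    # awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n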
    
          1 61.234.104.167
          1 70.38.71.19
          2 111.73.46.74
          2 122.225.97.123
          2 122.225.97.82
          2 222.186.34.241
          2 61.174.51.217
          3 91.220.131.33
          4 183.110.253.233
          5 222.136.71.19
          9 37.48.81.34 
    

    前十大攻擊次數的惡意 IP,搜尋 fail2ban 現有及歷史所有紀錄。

    # Ten most-banned addresses across the current and rotated fail2ban logs.
    # zgrep -h 'Ban ' /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq -c | sort -n | tail -n 10
          4 218.2.0.135
          4 61.174.51.217
          6 134.213.134.172
          7 192.198.92.242
          7 93.174.95.41
          9 37.48.81.34
         11 183.110.253.233
         17 37.59.31.66
         18 222.136.71.19
         42 192.126.120.81
    

    前十大攻擊次數的惡意 IP 網段,搜尋 fail2ban 現有及歷史所有紀錄。

    # Ten most-banned address prefixes (first two octets) across current and
    # rotated logs; the prefix is printed with a trailing dot, e.g. "122.225.".
    # zgrep -h 'Ban ' /var/log/fail2ban.log* | awk '{ split($NF, o, "."); print o[1] "." o[2] "." }' | sort | uniq -c | sort -n | tail -n 10
          9 37.48.
         11 117.27.
         11 183.110.
         15 222.186.
         16 218.2.
         17 37.59.
         18 222.136.
         26 61.174.
         42 192.126.
        105 122.225.
    

    搜尋現有及各個歷史紀錄檔,來自網段 122.225 的每階段的攻擊次數。

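    # Number of bans of addresses in 122.225.0.0/16 per current/rotated log.
    # Restricted to "Ban " lines (the original counted every line mentioning the
    # prefix, including the Unban lines fail2ban writes when a ban expires) and
    # with the dots escaped so they only match a literal '.'.
    # zgrep -c 'Ban 122\.225\.' /var/log/fail2ban.log*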
    /var/log/fail2ban.log:50
    /var/log/fail2ban.log-20141017:37
    /var/log/fail2ban.log-20141020:14
    /var/log/fail2ban.log-20141023:44
    /var/log/fail2ban.log-20141028:66
    

    列出攻擊 IP、攻擊次數、被攻擊的服務

    # Ban count, banned address and the jail that banned it.
    # Fields are split on both space and ':'; for the log layout shown on this
    # page $8 is the "[jail]" token and $10 the address.
    grep 'Ban ' /var/log/fail2ban.log | awk -F'[ :]' '{ print $10, $8 }' | sort | uniq -c | sort -n

    2 111.73.46.74 [ssh-iptables]
    2 122.225.97.123 [ssh-iptables]
    2 122.225.97.82 [ssh-iptables]
    2 222.186.34.241 [ssh-iptables]
    2 61.174.51.217 [ssh-iptables]
    3 91.220.131.33 [ssh-iptables]
    4 183.110.253.233 [ssh-iptables]
    5 222.136.71.19 [ssh-iptables]
    9 37.48.81.34 [asterisk-iptables]

    今日最新攻擊報告

    # Today's bans with reverse-DNS names: every address is emitted as
    # "addr (addr)" and logresolve rewrites the first copy to a host name.
    # grep 'Ban ' /var/log/fail2ban.log | grep "$(date +%Y-%m-%d)" | awk '{ print $NF }' | sort | awk '{ print $1, "(" $1 ")" }' | logresolve | uniq -c | sort -n
          1 106.120.170.71 (106.120.170.71)
          1 122.225.97.123 (122.225.97.123)
          1 221.194.44.197 (221.194.44.197)
          1 222.186.34.241 (222.186.34.241)
          1 222.60.95.243 (222.60.95.243)
          1 hn.kd.ny.adsl (222.136.71.19)
          1 usloft1168.serverprofi24.com (209.239.114.179)
    

    依照服務類型,單日的被攻擊次數

    # Bans per jail and per day across the current and rotated logs.
    # $5 is the "[jail]" token and $1 the date. The sample output still carries
    # the file name in front of $1 despite -h, so check how this zgrep handles
    # -h before relying on the exact layout.
    # zgrep -h 'Ban ' /var/log/fail2ban.log* | awk '{ print $5, $1 }' | sort | uniq -c
          1 [asterisk-iptables] /var/log/fail2ban.log-20141028:2014-10-26
          2 [asterisk-iptables] /var/log/fail2ban.log-20141028:2014-10-27
          3 [asterisk-iptables] /var/log/fail2ban.log:2014-10-29
          6 [asterisk-iptables] /var/log/fail2ban.log:2014-10-30
         23 [ssh-iptables] /var/log/fail2ban.log-20141017:2014-10-15
         33 [ssh-iptables] /var/log/fail2ban.log-20141017:2014-10-16
         16 [ssh-iptables] /var/log/fail2ban.log-20141017:2014-10-17
         35 [ssh-iptables] /var/log/fail2ban.log-20141020:2014-10-17
         22 [ssh-iptables] /var/log/fail2ban.log-20141020:2014-10-18 
    