Fail2Ban

開始安裝

for SuSE)
yast > Software > Software Management >

Search Phrase = fail2ban <Enter>

Actions = Install <項目會出現＋號>

Accept <Enter>

for CentOS)
# yum install fail2ban

for CentOS 5.5)
此版本無法從 yum 安裝，改以手動安裝如下

檔案下載：http://sourceforge.net/projects/fail2ban/files/

wget http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download
tar xf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install
cp files/redhat-initd /etc/init.d/fail2ban 

設定自動啟動

chkconfig --add fail2ban
chkconfig fail2ban on 

設定 Fail2ban

vi /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*" .* failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

vi /etc/fail2ban/jail.conf

# Important: exclude your local network in the ban IPs list
ignoreip = 127.0.0.1 192.168.0.0/16

## This is for SSH on OpenSUSE only.
## If enable, change 'false' as 'true'
[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/messages
maxretry = 5

##
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 259200

NOTES:

＊ logpath  路徑必須與下述的 logger.conf 的設定相同。
＊ 若有開啟 ssh-iptables，並且在啟動 fail2ban 服務後，檢查 fail2ban.log 若出現錯誤訊息如下，可忽略它。
     fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
     iptables -A fail2ban-SSH -j RETURN
     iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 400
＊ 別忘了要將 LAN 的網段加入 ignoreip，免得不小心自己都無法登入。

＊ 如果是 CentOS 5.x，[ssh-iptables]，必須改成
logpath = /var/log/secure

 

設定 Asterisk

適用: 1.6.2.x
編輯/etc/asterisk/logger.conf

[general]
dateformat=%F %T

[logfiles]
console => notice,warning,error
messages => notice,warning,error,debug,verbose
fail2ban => notice

NOTES:

增加  dateformat 與 fail2ban logfile

啟動 Fail2ban

// 載入 Asterisk 的 logger 設定

# asterisk -rx "module reload logger"
# asterisk -rx "logger show channels"

Channel                             Type     Status    Configuration
-------                             ----     ------    -------------
/var/log/asterisk/fail2ban          File     Enabled    - Notice
/var/log/asterisk/messages          File     Enabled    - Debug Verbose Warning Notice Error
                                    Console  Enabled    - Warning Notice Error

// 設定開機自動啟動 Fail2ban

yast > System

// 手動立即啟動 Fail2ban

/etc/init.d/fail2ban start

// 檢查 iptables 規則過濾狀況

# iptables -L -nv

Chain INPUT (policy ACCEPT 5561K packets, 966M bytes)
 pkts bytes target     prot opt in     out     source               destination
  216 16120 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
23182 1973K fail2ban-ASTERISK  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5091K packets, 884M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ASTERISK (1 references)
 pkts bytes target     prot opt in     out     source               destination
23182 1973K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1788 DROP       all  --  *      *       123.123.123.123        0.0.0.0/0
  198 14332 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

NOTES:

fail2ban-SSH 的有關項目，只會在 jail.conf 啟用 SSH-iptables 後才會出現。

增加黑/白名單功能(選用)

說明：fail2ban 在偵測到異常 IPs 時，只能在指定時間內進行阻擋，這個時間若設定太長，有可能會影響到某些合法操作下被封鎖的情況，所以可以增加黑白名單的控制，方法如下：

編輯 /etc/fail2ban/action.d/iptables.conf
增加最後一行

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
              for IP in `cat /etc/fail2ban/ip.deny`; do iptables -I fail2ban-SSH 1 -s $IP -j DROP;done
...
...
actionban = if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP;fi
if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo "<ip>" >> /etc/fail2ban/ip.deny;fi
...
...
actionunban = if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ]; then iptables -D fail2ban-<name> -s <ip> -j DROP;fi
if [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.deny` ] && [ -z `awk '$1 == "<ip>" { print "true" }' /etc/fail2ban/ip.allow` ]; then echo "<ip>" >> /etc/fail2ban/ip.allow;fi 

新增兩個檔案：

1. /etc/fail2ban/ip.deny (黑名單)
2. /etc/fail2ban/ip.allow (白名單)

 註：若有變更黑名單內容時，需重啟 fail2ban 才能被套用。

F.A.Q

#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log

# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           asterisk-iptables

# fail2ban-client status asterisk-iptables
|- filter
|  |- File list:        /var/log/asterisk/fail2ban
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:       
   `- Total banned:     0

;syslog keyword : This special keyword logs to syslog facility
;將下行註解拿掉
syslog.local0 => notice,warning,error

# iptables -D fail2ban-ASTERISK -s 123.123.123.123 -j DROP

[from-sip-external]
; 註解原有內容，加上以下內容
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Set(foo=${SIPCHANINFO(recvip)})
exten => _.,n,NoOp(Incoming SIP connection from unknown peer failed for ${foo} - Unknown connection from peer)
exten => _.,n,Hangup
exten => h,1,Hangup
exten => i,1,Hangup
exten => t,1,Hangup 

...
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            ...
            ...
            NOTICE.* .*: Incoming SIP connection from unknown peer failed for '<HOST>' - Unknown connection from peer

參考連結

• Preventing Brute Force Attacks With Fail2ban On OpenSUSE 10.3
• Fail2ban - Asterisk
• Fail2Ban (with iptables) And Asterisk (voip-info)
• Install Fail2Ban on Elastix 1.6
• fail2ban and iptables (on-line PDF)
• http://centoshelp.org/security/fail2ban/
• http://net.nthu.edu.tw/2009/security:fail2ban
• Protect Asterisk with Fail2Ban on Debian 5
• Fail2ban Manual Unban Single Host (for iptables)