...
First we are going to install the rpmforge repository and use the fail2ban package from there -
| Code Block |
|---|
|
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm |
...
sed -i 's/enabled = 0/enabled = 1/' /etc/yum.repos.d/rpmforge.repo |
...
yum install -y fail2ban jwhois |
Now disable the rpmforge repo do that it doesn't interfere with any of the CentOS/Asterisk packages -
| Code Block |
|---|
|
sed -i 's/enabled = 1/enabled = 0/' /etc/yum.repos.d/rpmforge.repo |
Next we are going to create the fail2ban configuration file for Asterisk. This tells fail2ban what text to monitor the logs for -
| Code Block |
|---|
cat >> /etc/fail2ban/filter.d/asterisk.conf <<-EOF
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
EOF |
Next we are going to add some lines to the jail.conf file that tells fail2ban what log files to monitor and what action to take when the required text is detected. This includes sending an alert e-mail so you may want to change 'root' to your e-mail address. It also includes the length of time the IP address is blocked for in seconds. Here we have it set to 3 days, you may want to modify this -
| Code Block |
|---|
cat >> /etc/fail2ban/jail.conf <<-EOF
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200
EOF |
Fail2ban needs the date in the Asterisk log files written in a specific format. To do this we can add a line to the 'General' section of the Asterisk logger configuration file. If you already have a 'General' section in there you will just want to add the line manually rather than running the command below -
| Code Block |
|---|
cat >> /etc/asterisk/logger.conf <<-EOF
[general]
dateformat=%F %T
EOF
asterisk -rx "logger reload"
|
Finally we want to fire up fail2ban and set it to start at boot time -
| Code Block |
|---|
service fail2ban start
chkconfig fail2ban on |
One final thing you may want to do is 'whitelist' your own IP address/s. You can do this by adding them to the ignoreip line in the jail.conf file. Here's a couple of lines to do it automatically, just change the IP address here for your own IP address -
| Code Block |
|---|
sed -i 's/ignoreip = /ignoreip = 123.123.123.123 /' /etc/fail2ban/jail.conf
service fail2ban restart |
