Installing Fail2ban on CentOS
1. yum install fail2ban
If CentOS can't find the package, run the following command and then try again.
2. rpm -Uvh
3. yum install python iptables
tar -xf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4
python setup.py install
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
After installing Fail2ban, create the asterisk.conf file in Fail2ban's filter.d directory:
4. vi /etc/fail2ban/filter.d/asterisk.conf
Copy and paste the following into it:
# ===================
# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
# $Revision: 250 $
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
# Continuation lines must be indented; literal parentheses are escaped.
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
# ===================
5. Save and exit the file
6. vi /etc/fail2ban/jail.conf
Go to the last line of this file and add the [asterisk-iptables] section by pasting the lines below:
# /etc/fail2ban/jail.conf
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 600
7. Also in /etc/fail2ban/jail.conf, add your own IP address range to ignoreip so that it is never banned (ours is 192.168.1.0):
ignoreip =
8. Make Fail2ban start at boot
chkconfig fail2ban on
9. Start Fail2ban now
/etc/init.d/fail2ban start
10. Check that Fail2ban is installed properly and ready to detect attacks
iptables -L -v
You should see "fail2ban-ASTERISK" in your iptables output.
11. Now try to register an extension from outside with a wrong password or
a wrong extension, then run the iptables command again to see the blocked IP
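
The filter can also be checked offline before the live test in step 11. The following is an added example, not part of the original guide: it runs a subset of the failregex entries above over constructed log lines and applies the jail's maxretry of 5. The HOST pattern is a simplified IPv4-only stand-in for Fail2ban's <HOST> tag, and the function names and sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption for
# this example; fail2ban substitutes its own, broader pattern).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Subset of the failregex entries from asterisk.conf above. The parentheses
# around "from <HOST>" are escaped so they match the literal "(" and ")"
# that Asterisk writes; unescaped they would form a regex group instead.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

MAXRETRY = 5  # same threshold as the [asterisk-iptables] jail


def failed_host(line):
    """Return the offending IP if the line matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_over_limit(lines, maxretry=MAXRETRY):
    """Count failures per host and return the hosts that reached maxretry."""
    counts = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines in the style of /var/log/asterisk/full.
TS = "[2012-03-01 10:15:02] NOTICE[1823] chan_sip.c: "
SAMPLE = (
    [TS + "Registration from '<sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password"] * 4
    + [
        TS + "No registration for peer 'trunk1' (from 203.0.113.5)",
        TS + "Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found",
        "[2012-03-01 10:15:09] VERBOSE[1823] chan_sip.c: Registered SIP '100' at 192.0.2.50 port 5060",
    ]
)

if __name__ == "__main__":
    print(hosts_over_limit(SAMPLE))
```

On the server itself, `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf` runs the installed filter against the real log and reports how many lines each failregex matched.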