Installing Fail2ban in centos
1.yum install fail2ban
If your CentOS doesn't find the package, please execute the following command and then try again.
2.rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
3.yum install python iptables
or
wget http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=transact
Once installing the Fail2ban create asteirsk.conf file under the fail2ban directory
4. vi /etc/fail2ban/filter.d/asterisk.conf
and copy and paste the below
# ===================
# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
#The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias
#for
# (?:::f{4,6}:)?(?PS+)
# Values: TEXT
#
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# ===================
Add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file :
# /etc/fail2ban/jail.conf
#====================
5 . Save and exit the file
6. vi /etc/fail2ban/jail.conf
go to the last line of theis file and paste the below lines there
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK,
dest=youremailaddress@somewhere.com, sender=fail2ban@somewhere.com]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 600
#====================
7. Also in /etc/fail2ban/jail.conf file you want to add your own IP address range ( ours is192.168.1.0 ) :
ignoreip = 127.0.0.1 192.168.1.0/24
8. make the fail2ban to start at startup
chkconfig fail2ban on
9. start the fail2ban now
/etc/init.d/fail2ban start
10 . now check whether the fail2ban is installed properly to detect the attacks
iptables -L –v
You should see "fail2ban-ASTERISK" in your iptables output.
11. now try to register a extension from outside with wrong password or worng extension and run the iptables command to see the blocked ip addresses
1.yum install fail2ban
If your CentOS doesn't find the package, please execute the following command and then try again.
2.rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
3.yum install python iptables
or
wget http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=transact
tar -xf fail2ban-0.8.4.tar.bz2cd fail2ban-0.8.4python setup.py installcp files/redhat-initd /etc/init.d/fail2banchkconfig --add fail2banchkconfig fail2ban onOnce installing the Fail2ban create asteirsk.conf file under the fail2ban directory
4. vi /etc/fail2ban/filter.d/asterisk.conf
and copy and paste the below
# ===================
# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
#The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias
#for
# (?:::f{4,6}:)?(?PS+)
# Values: TEXT
#
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# ===================
Add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file :
# /etc/fail2ban/jail.conf
#====================
5 . Save and exit the file
6. vi /etc/fail2ban/jail.conf
go to the last line of theis file and paste the below lines there
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK,
dest=youremailaddress@somewhere.com, sender=fail2ban@somewhere.com]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 600
#====================
7. Also in /etc/fail2ban/jail.conf file you want to add your own IP address range ( ours is192.168.1.0 ) :
ignoreip = 127.0.0.1 192.168.1.0/24
8. make the fail2ban to start at startup
chkconfig fail2ban on
9. start the fail2ban now
/etc/init.d/fail2ban start
10 . now check whether the fail2ban is installed properly to detect the attacks
iptables -L –v
You should see "fail2ban-ASTERISK" in your iptables output.
11. now try to register a extension from outside with wrong password or worng extension and run the iptables command to see the blocked ip addresses
