12 July 2012

Fail2Ban

Here's a way to configure fail2ban to ban hosts that make repeated failed SIP and IAX2 registration attempts against Asterisk:

Install fail2ban:

apt-get install fail2ban

First, Asterisk needs to send its notices to syslog. Add the following line to /etc/asterisk/logger.conf:

syslog.local0 => notice ; Used by fail2ban

Then you need to configure rsyslog to store those messages in a file (for instance /var/log/auth-asterisk.log). Create /etc/rsyslog.d/asterisk-auth.conf and add the following lines to it:

#
# Logging for asterisk registration
#
local0.* -/var/log/auth-asterisk.log

We now have the authentication logs fail2ban needs. We will configure it to ban an IP address for 10 minutes after 5 failed authentication attempts. First, add the following jail to a file named /etc/fail2ban/jail.local:

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/auth-asterisk.log
maxretry = 5
bantime = 600

Then, we describe what the failed attempts look like in the logs with regular expressions. Create a file named /etc/fail2ban/filter.d/asterisk.conf and add the following definition (the <HOST> placeholder tells fail2ban which part of the line is the address to ban; continuation lines of failregex must be indented):

[Definition]

failregex = asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - Wrong password
            asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - No matching peer found
            asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - Username/auth name mismatch
            asterisk.*chan_iax2.c.*register_verify: Host '<HOST>' did not provide proper plaintext password for.*
            asterisk.*chan_iax2.c.*register_verify: Host '<HOST>' failed MD5 authentication for .*

ignoreregex =

Restart rsyslog, asterisk and fail2ban so the changes are applied. Make 5 registration attempts with a wrong password and you should see a rule in the netfilter firewall (iptables -L -n) that blocks your IP.
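Before restarting anything, it is worth checking offline that the failregex lines above actually match the log format rsyslog writes and that the maxretry/bantime settings trigger when expected. The following is an added example, not part of the original post and not fail2ban's own code: it replaces fail2ban's <HOST> placeholder with a simplified address pattern (an assumption; fail2ban's real expansion is more elaborate), runs the five patterns over constructed sample lines in the rsyslog format, and replays them the way a jail would with maxretry = 5 and bantime = 600. The sample addresses, extension numbers and PIDs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex lines of /etc/fail2ban/filter.d/asterisk.conf as described in the post.
FAILREGEX = [
    r"asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - Wrong password",
    r"asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - No matching peer found",
    r"asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - Username/auth name mismatch",
    r"asterisk.*chan_iax2.c.*register_verify: Host '<HOST>' did not provide proper plaintext password for.*",
    r"asterisk.*chan_iax2.c.*register_verify: Host '<HOST>' failed MD5 authentication for .*",
]

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real one is
# more elaborate). Captures an IPv4/IPv6 address or a hostname into group "host".
HOST_RE = r"(?P<host>[\w\-.:]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed sample of /var/log/auth-asterisk.log as written by rsyslog for
# 'syslog.local0 => notice'. The last line is a notice that is NOT a failure.
SAMPLE_LOG = """\
Jul 12 10:15:01 pbx asterisk[1234]: NOTICE[1250]: chan_sip.c:21460 handle_request_register: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
Jul 12 10:15:02 pbx asterisk[1234]: NOTICE[1250]: chan_sip.c:21460 handle_request_register: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
Jul 12 10:15:03 pbx asterisk[1234]: NOTICE[1250]: chan_sip.c:21460 handle_request_register: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7' - Username/auth name mismatch
Jul 12 10:15:04 pbx asterisk[1234]: NOTICE[1250]: chan_sip.c:21460 handle_request_register: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7' - Wrong password
Jul 12 10:15:05 pbx asterisk[1234]: NOTICE[1250]: chan_sip.c:21460 handle_request_register: Registration from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.7' - Wrong password
Jul 12 10:15:06 pbx asterisk[1234]: NOTICE[1250]: chan_iax2.c:7850 register_verify: Host '203.0.113.9' failed MD5 authentication for 'alice' (...)
Jul 12 10:15:07 pbx asterisk[1234]: NOTICE[1250]: chan_sip.c:21460 handle_request_register: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password
Jul 12 10:15:08 pbx asterisk[1234]: NOTICE[1250]: chan_sip.c:28400 handle_response_peerpoke: Peer '200' is now Reachable. (12ms / 2000ms)
"""


def parse_line(line, year=2012):
    """Return (timestamp, host) if the line matches one failregex, else None.
    rsyslog timestamps carry no year, so one is supplied (assumption: 2012)."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            return ts, m.group("host")
    return None


def count_failures(log_text):
    """Number of matching failure lines per host, i.e. what the filter alone sees."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def find_bans(log_text, maxretry=5, findtime=600, bantime=600):
    """Replay the log the way a jail would: a host is banned once it accumulates
    `maxretry` failures within `findtime` seconds, and stays banned for `bantime`
    seconds (findtime = 600 is fail2ban's default). Returns {host: [ban_start, ...]}."""
    recent = defaultdict(list)   # host -> timestamps of failures still inside findtime
    banned_until = {}            # host -> when the current ban expires
    bans = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, host = parsed
        if host in banned_until and ts < banned_until[host]:
            continue  # already banned; the firewall rule would have dropped this traffic
        recent[host] = [t for t in recent[host] + [ts] if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            bans[host].append(ts)
            banned_until[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
    return dict(bans)


if __name__ == "__main__":
    print("failures per host:", count_failures(SAMPLE_LOG))
    for host, starts in find_bans(SAMPLE_LOG).items():
        for start in starts:
            print(f"ban {host} at {start} for 600 s")
```

On the sample, only 198.51.100.7 reaches five failures and is banned at 10:15:05; the single IAX2 and SIP failures from the other two addresses are counted but stay below maxretry, and the "is now Reachable" notice matches nothing. Once fail2ban is installed, the same check against the real log file is `fail2ban-regex /var/log/auth-asterisk.log /etc/fail2ban/filter.d/asterisk.conf`.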

To finish this shiny new configuration, you might want to add /var/log/auth-asterisk.log to the asterisk logrotate configuration file so the log does not grow without bound.
