Install fail2ban :
apt-get install fail2ban
First we need to log to syslog. Add the following configuration to /etc/asterisk/logger.conf:
syslog.local0 => notice ; Used by fail2ban
Then you need to configure rsyslog to store those messages in a file (for instance /var/log/auth-asterisk.log). Create /etc/rsyslog.d/asterisk-auth.conf and add the following lines to it:
#
# Logging for asterisk registration
#
local0.* -/var/log/auth-asterisk.log
We now have the necessary authentication logs for fail2ban to work. We will now configure it to ban users 10 minutes after 5 failed authentication attempts. First, add the following entry in a file named /etc/fail2ban/jail.local:
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/auth-asterisk.log
maxretry = 5
bantime = 600
Then, we describe how the failed attempts look like in the logs with the use of a regular expression. Open a file named /etc/fail2ban/filter.d/asterisk.conf and add the following code:
[Definition]
failregex = asterisk.*chan_sip.c.*Registration from .* failed for '
asterisk.*chan_sip.c.*Registration from .* failed for '
asterisk.*chan_sip.c.*Registration from .* failed for '
asterisk.*chan_iax2.c.*register_verify: Host '
asterisk.*chan_iax2.c.*register_verify: Host '
ignoreregex =
Restart fail2ban, asterisk and rsyslog so the changes are applied. Make 5 login attempts with a wrong password and you should see a line in the netfilter firewall that blocks your IP.
To finish this shiny new configuration, you might want to add /var/log/auth-asterisk.log to the asterisk logrotate configuration file.
