Fail2Ban en Elastix

Al tener un Asterisk o Elastix abierto hacia afuera por tener un troncal o extensiones SIP que se logueen desde afuera, estará expuesto a recibir ataques de intentos de logueo por fuerza bruta. Para prevenir estos ataques podemos usar fail2ban para que cuando detecte un cierto nº de registros erróneos banee esa IP.

A continuacion se explican los pasos para instalar fail2ban, aunque en Elastix ya viene configurado por defecto. Si contamos con un serivdor Elastix podemos ir directamente a la parte de configuracion.

yum update 

yum install fail2ban 

Para que cuando nos envie mails nos incluya el whois de el atacante instalamos

yum -y install jwhois

Asi ya tenemos instalado iptables.

Lo primero es habilitar el Security log de Asterisk en el logger.conf (/etc/asterisk/logger.conf)
Alli vamos a agregar

messages => security, notice,warning,error 

Tambien debemos modificar el formato de la fecha y hora de modo que fail2ban lo entienda, lo hacemos agregando una linea que sea

[general] dateformat=%F %T 

Hacemos un restart del modulo logger de Asterisk

asterisk -rx "logger reload" 

Los demas archivos de config están en /etc/fail2ban
Editamos /etc/fail2ban/jail.conf que es donde se definen los diferentes servicios que queremos banear y lo que queremos hacer en caso de que intenten atacar ese servicio.
Podemos echar un vistazo via ssh para crear el nuestro.

Lo definimos de la siguiente manera:

/etc/fail2ban/jail.conf

# Asterisk
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=loquesea@loquesea.com, sender=loquesea.com]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 259200  

Se define una regla que bloquea el acceso por iptables a esa IP si lo intenta de forma errónea mas de 5 veces (maxretry) y la banea durante 72 horas (259200 secs).
También envía un mail con el whois de la ip y lo guarda en los logs.
Al prinicpio de este archivo quizás queramos definir también las ip’s que no serán baneadas,
por si algún día banea la nuestra propia (separadas por espacios):
ignoreip = 127.0.0.1 192.168.1.10 192.168.1.2

A continuación editamos las reglas del servicio asterisk en el archivo /etc/fail2ban/filter.d/asterisk.conf
ACTUALIZACION para Asterisk 1.8. La configuración que ponen en la mayoría de los sitios NO FUNCIONA.
Incluso no funciona la del libro oficial de AsteriskAsterisk – The definitive guide.
Así que porque no te estén llegando mails de avisos del servicio fail2ban no es porque todo vaya bien y se hayan olvidado de ti.
De echo, todo lo contrario, es muy mala señal. Así que ahí tenemos un filter que realmente funciona en Asterisk 1.8:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from                             
# common.local                                                                                        
#before = common.conf                                                                                 

[Definition]

#_daemon = asterisk                                                                                   

# Option:  failregex                                                                                  
# Notes.:  regex to match the password failures messages in the logfile. The                          
#          host must be matched by a group named "host". The tag "<HOST>" can                         
#          be used for standard IP/hostname matching and is only an alias for                         
#          (?:::f{4,6}:)?(?P<HOST>\S+)                                                                
# Values:  TEXT                                                                                       
#                                                                                                     

failregex = NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>(:[0-9]{1,5})?' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - ACL error (permit/deny)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex                                                                                
# Notes.:  regex to ignore. If this regex matches, the line is ignored.                               
# Values:  TEXT                                                                                       
# 
ignoreregex =  

Reiniciamos el servicio

/etc/init.d/fail2ban restart  

un cliente es baneado, ¿cómo lo desbloqueo?

Comprobamos que ip’s están bloquedadas con iptables:

# iptables -L -v -n --line-numbers

Nos devuelve
Chain fail2ban-SSH (1 references)
num   pkts bytes target     prot opt in     out   source              destination
1       19  2332 DROP       all  --  *      *     193.87.172.171      0.0.0.0/0
2       16  1704 DROP       all  --  *      *     222.58.151.68       0.0.0.0/0
3       15   980 DROP       all  --  *      *     218.108.224.81      0.0.0.0/0
4        6   360 DROP       all  --  *      *     91.196.170.231      0.0.0.0/0
5     8504  581K RETURN     all  --  *      *     0.0.0.0/0           0.0.0.0/0

Podemos ver que 193.87.172.171 está bloqueada, así que para desbloquearla ejecutaremos:

iptables -D chain rulenum
Ej: iptables -D fail2ban-SSH 1

Con eso borrariamos la linea 1 de la cadena fail2ban-SSH
1 19 2332 DROP all -- * * 193.87.172.171 0.0.0.0/0

Tambien podemos desbloquearla por IP:

fail2ban-client set asterisk unbanip XXX.XXX.XXX.XXX

Tener en cuenta que el numero que ingresamos es el de la referencia (en este caso Chain fail2ban-ssh (1 references)

Si ejecutamos iptables -L de nuevo veremos que ya no está bloqueada.

Bloquear todo lo que no venga de mi troncal de voip

Aunque si no tenemos ningún cliente externo, seguramente lo mas seguro sea banear a todo el mundo que no sea la IP de nuestro troncal SIP.
Para ello nada mejor que iptables, donde cerraríamos todo y habilitamos tan solo la conexión de nuestro proveedor o del troncal:

iptables -I INPUT 10 -p tcp --dport 5060 -s XX.XX.XX.XX -j ACCEPT  

Para configurar la lista blanca debemos agregar la linea ignoreip al archivo jail.conf. Las IPs deben ir separadas por "espacio".
Y luego debemos reiniciar el servicio.

Quedaria algo parecido a

ignoreip = 192.168.0.0/24 100.100.1.1 172.16.1.1 10.1.1.1

Con el comando puesto abajo seria de forma automatica.

sed -i 's/ignoreip = /ignoreip = 123.123.123.123 /' /etc/fail2ban/jail.conf
service fail2ban restart

Por si es necesario dejo un esquema de la estructura de fail2ban en caso de que sea necesario.

/etc/fail2ban/
├── action.d
│   ├── dummy.conf
│   ├── hostsdeny.conf
│   ├── iptables.conf
│   ├── mail-whois.conf
│   ├── mail.conf
│   └── shorewall.conf
├── fail2ban.conf
├── fail2ban.local
├── filter.d
│   ├── apache-auth.conf
│   ├── apache-noscript.conf
│   ├── couriersmtp.conf
│   ├── postfix.conf
│   ├── proftpd.conf
│   ├── qmail.conf
│   ├── sasl.conf
│   ├── sshd.conf
│   └── vsftpd.conf
├── jail.conf
└── jail.local

Recursos:

/etc/asterisk/logger.conf Generico

;
; Logging Configuration
;
; In this file, you configure logging to files or to
; the syslog system.
;
; "logger reload" at the CLI will reload configuration
; of the logging system.

[general]
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
; see strftime(3) Linux manual for format specifiers
;dateformat=%F %T
;
; This appends the hostname to the name of the log files.
;appendhostname = yes
;
; This determines whether or not we log queue events to a file
; (defaults to yes).
;queue_log = no
;
; This determines whether or not we log generic events to a file
; (defaults to yes).
;event_log = no
;
;
; For each file, specify what to log.
;
; For console logging, you set options at start of
; Asterisk with -v for verbose and -d for debug
; See 'asterisk -h' for more information.
;
; Directory for log files is configures in asterisk.conf
; option astlogdir
;
[logfiles]
;
; Format is "filename" and then "levels" of debugging to be included:
;    debug
;    notice
;    warning
;    error
;    verbose
;    dtmf
;
; Special filename "console" represents the system console
;
; We highly recommend that you DO NOT turn on debug mode if you are simply
; running a production system.  Debug mode turns on a LOT of extra messages,
; most of which you are unlikely to understand without an understanding of
; the underlying code.  Do NOT report debug messages as code issues, unless
; you have a specific issue that you are attempting to debug.  They are
; messages for just that -- debugging -- and do not rise to the level of
; something that merit your attention as an Asterisk administrator.  Debug
; messages are also very verbose and can and do fill up logfiles quickly;
; this is another reason not to have debug mode on a production system unless
; you are in the process of debugging a specific issue.
;
;debug => debug
console => notice,warning,error
;console => notice,warning,error,debug
messages => notice,warning,error
;full => notice,warning,error,debug,verbose

;syslog keyword : This special keyword logs to syslog facility 
;
;syslog.local0 => notice,warning,error
;

/etc/fail2ban/jail.conf Generico

# Fail2Ban jail base specification file
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime" 
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[pam-generic]

enabled = false
filter  = pam-generic
action  = iptables-allports[name=pam,protocol=all]
logpath = /var/log/secure

[xinetd-fail]

enabled = false
filter  = xinetd-fail
action  = iptables-allports[name=xinetd,protocol=all]
logpath = /var/log/daemon*log

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/sshd.log
maxretry = 5

[ssh-ddos]

enabled  = false
filter   = sshd-ddos
action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 2

[dropbear]

enabled  = false
filter   = dropbear
action   = iptables[name=dropbear, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

[gssftpd-iptables]

enabled  = false
filter   = gssftpd
action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
           sendmail-whois[name=GSSFTPd, dest=you@example.com]
logpath  = /var/log/daemon.log
maxretry = 6

[pure-ftpd]

enabled  = false
filter   = pure-ftpd
action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 6

[wuftpd]

enabled  = false
filter   = wuftpd
action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
logpath  = /var/log/daemon.log
maxretry = 6

[sendmail-auth]

enabled  = false
filter   = sendmail-auth
action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath  = /var/log/mail.log

[sendmail-reject]

enabled  = false
filter   = sendmail-reject
action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath  = /var/log/mail.log

# This jail forces the backend to "polling".
[sasl-iptables]

enabled  = false
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

# ASSP SMTP Proxy Jail
[assp]

enabled = false
filter  = assp
action  = iptables-multiport[name=assp,port="25,465,587"]
logpath = /root/path/to/assp/logs/maillog.txt

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny[daemon_list=sshd]
              sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log

# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs
[ssh-route]

enabled  = false
filter   = sshd
action   = route
logpath  = /var/log/sshd.log
maxretry = 5

# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]

enabled  = false
filter   = sshd
action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 5

[ssh-iptables-ipset6]

enabled  = false
filter   = sshd
action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath  = /var/log/sshd.log
maxretry = 5

# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
# 
# This will create a deny rule for that table ONLY if a rule 
# for the table doesn't ready exist.
#
[ssh-bsd-ipfw]

enabled  = false
filter   = sshd
action   = bsd-ipfw[port=ssh,table=1]
logpath  = /var/log/auth.log
maxretry = 5

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]

enabled  = false
filter     = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 6

[apache-modsecurity]

enabled  = false
filter     = apache-modsecurity
action   = iptables-multiport[name=apache-modsecurity,port="80,443"]
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 2

[apache-overflows]

enabled  = false
filter     = apache-overflows
action   = iptables-multiport[name=apache-overflows,port="80,443"]
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 2

[apache-nohome]

enabled  = false
filter     = apache-nohome
action   = iptables-multiport[name=apache-nohome,port="80,443"]
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 2

[nginx-http-auth]

enabled = false
filter  = nginx-http-auth
action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log

[squid]

enabled = false
filter  = squid
action  = iptables-multiport[name=squid,port="80,443,8080"]
logpath = /var/log/squid/access.log

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]

enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/postfix.log
bantime  = 300

[cyrus-imap]

enabled = false
filter  = cyrus-imap
action  = iptables-multiport[name=cyrus-imap,port="143,993"]
logpath = /var/log/mail*log

[courierlogin]

enabled = false
filter  = courierlogin
action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
logpath = /var/log/mail*log

[couriersmtp]

enabled = false
filter  = couriersmtp
action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
logpath = /var/log/mail*log

[qmail-rbl]

enabled = false
filter  = qmail
action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]
logpath = /service/qmail/log/main/current

[sieve]

enabled = false
filter  = sieve
action  = iptables-multiport[name=sieve,port="25,465,587"]
logpath = /var/log/mail*log

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Same as above but with banning the IP address.
[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.
[apache-shorewall]

enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/apache2/error_log

# Monitor roundcube server
[roundcube-iptables]

enabled  = false
filter   = roundcube-auth
action   = iptables-multiport[name=RoundCube, port="http,https"]
logpath  = /var/log/roundcube/userlogins

# Monitor SOGo groupware server
[sogo-iptables]

enabled  = false
filter   = sogo-auth
# without proxy this would be:
# port    = 20000
action   = iptables-multiport[name=SOGo, port="http,https"]
logpath  = /var/log/sogo/sogo.log

[groupoffice]

enabled  = false
filter   = groupoffice
action   = iptables-multiport[name=groupoffice, port="http,https"]
logpath  = /home/groupoffice/log/info.log 

[openwebmail]

enabled  = false
filter   = openwebmail
logpath  = /var/log/openwebmail.log
action   = ipfw
           sendmail-whois[name=openwebmail, dest=you@example.com]
maxretry = 5

[horde]

enabled  = false
filter   = horde
logpath  = /var/log/horde/horde.log
action   = iptables-multiport[name=horde, port="http,https"]
maxretry = 5

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]

enabled  = false
action   = iptables-multiport[name=php-url-open, port="http,https"]
filter   = php-url-fopen
logpath  = /var/www/*/logs/access_log
maxretry = 1

[suhosin]

enabled  = false
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]

enabled  = false
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" 
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# enabled  = false
# filter   = named-refused
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#            sendmail-whois[name=Named, dest=you@example.com]
# logpath  = /var/log/named/security.log
# ignoreip = 168.192.0.1

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

[nsd]

enabled = false
filter  = nsd
action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
          iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
logpath = /var/log/nsd.log

[asterisk]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[freeswitch]

enabled  = false
filter   = freeswitch
logpath  = /var/log/freeswitch.log
maxretry = 10
action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]

[ejabberd-auth]

enabled = false
filter = ejabberd-auth
logpath = /var/log/ejabberd/ejabberd.log
action   = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]

#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
#  use [asterisk] for new jails
[asterisk-tcp]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
#  use [asterisk] for new jails
[asterisk-udp]

enabled  = false
filter     = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[mysqld-iptables]

enabled  = false
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5

[mysqld-syslog]

enabled  = false
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
logpath  = /var/log/daemon.log
maxretry = 5

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive,protocol=all]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

# PF is a BSD based firewall
[ssh-pf]

enabled  = false
filter   = sshd
action   = pf
logpath  = /var/log/sshd.log
maxretry = 5

[3proxy]

enabled = false
filter  = 3proxy
action  = iptables[name=3proxy, port=3128, protocol=tcp]
logpath = /var/log/3proxy.log

[exim]

enabled = false
filter  = exim
action  = iptables-multiport[name=exim,port="25,465,587"]
logpath = /var/log/exim/mainlog

[exim-spam]

enabled = false
filter  = exim-spam
action  = iptables-multiport[name=exim-spam,port="25,465,587"]
logpath = /var/log/exim/mainlog

[perdition]

enabled = false
filter  = perdition
action  = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog

[uwimap-auth]

enabled = false
filter  = uwimap-auth
action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog

[osx-ssh-ipfw]

enabled  = false
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5

[ssh-apf]

enabled = false
filter  = sshd
action  = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5

[osx-ssh-afctl]

enabled  = false
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5

[webmin-auth]

enabled = false
filter  = webmin-auth
action  = iptables-multiport[name=webmin,port="10000"]
logpath = /var/log/auth.log

# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]

enabled = false
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/mail.log

[dovecot-auth]

enabled = false
filter  = dovecot
action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/secure

[solid-pop3d]

enabled = false
filter  = solid-pop3d
action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
logpath = /var/log/mail.log

[selinux-ssh]
enabled  = false
filter   = selinux-ssh
action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5

# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action
#
# Report block via blocklist.de fail2ban reporting service API
# See action.d/blocklist_de.conf for more information
[ssh-blocklist]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
           blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
logpath  = /var/log/sshd.log
maxretry = 20

# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
enabled  = false
filter   = nagios
action   = iptables[name=Nagios, port=5666, protocol=tcp]
           sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
maxretry = 1

/etc/fail2ban/filter.d/asterisk.conf Generico

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =

# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog