Sunshine Networks Pty Ltd

Install Fail2Ban on Elastix 1.6



Welcome to Sunshine Networks, the professional VoIP company in Brisbane, Australia.

If you like this article, be sure to read our other security article, which shows how to let external phones register without opening port 5060:
http://www.sunshinenetworks.com.au/how-to/91-secure-your-voip-server-with-the-sunshinenetworks-knock.html

Last updated on: 8 August 2010

Your VoIP server, just like any other server that is reachable from the internet, is a potential target for hackers. Today's blog is about securing your Elastix 1.6 installation so that hackers don't get to play with your VoIP server. I won't state the obvious, such as setting strong passwords and changing default ones; this article is aimed purely at countering the most common way SIP servers are attacked at the moment: brute-forcing SIP passwords. Fail2Ban watches the Asterisk log for failed registrations and, after a set number of failures from one address, blocks that address in iptables for a set time.

Disclaimer: This technique uses the Fail2Ban script, which is not created or maintained by us. The use of any blog item on our website is purely at your own risk. As always, think before you do.

Securing Elastix 1.6 using Fail2Ban:

SSH to your VoIP server, log in as root and type the following commands (jwhois provides the whois lookup used by the sendmail-whois action configured later):

# yum -y install jwhois
# cd /usr/src/
# wget -O fail2ban-0.8.4.tar.bz2 http://sourceforge.net/projects/fail2ban/files/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2/download
# tar -jxf fail2ban-0.8.4.tar.bz2
# cd fail2ban-0.8.4
# python setup.py install
# cp /usr/src/fail2ban-0.8.4/files/redhat-initd /etc/init.d/fail2ban
# chmod 755 /etc/init.d/fail2ban
# cd /etc/fail2ban/filter.d
# touch asterisk.conf

Copy these contents into the new file /etc/fail2ban/filter.d/asterisk.conf:

# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
#

Change ignoreip in the [DEFAULT] section and add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file. ignoreip lists the addresses that are never banned (the loopback address and the RFC 1918 private ranges here); adjust it to your own trusted networks and put nothing untrusted in it. Replace the dest and sender addresses in the sendmail-whois action with your own:

# /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=you@company.com, sender=fail2ban@company.com]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
bantime  = 600

Back up the existing logger.conf to logger.conf.bak and create a new one. If your current logger.conf has entries you want to keep (the console and messages lines, for example), carry them across; the line Fail2Ban needs is fail2ban => notice, which writes every notice-level message to /var/log/asterisk/fail2ban, the logpath set in jail.conf.
# mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.bak
# touch /etc/asterisk/logger.conf

Copy these contents into the new file /etc/asterisk/logger.conf:

[general]
dateformat=%F %T
[logfiles]
full => notice,warning,error,debug,verbose
fail2ban => notice

Reload the logger module in Asterisk so that it starts writing /var/log/asterisk/fail2ban. Do this before starting Fail2Ban, which only watches log files that exist when it starts:

# asterisk -rx "module reload logger"

Add Fail2ban to the list of startup services:

# chkconfig fail2ban on 

Start Fail2ban:

# /etc/init.d/fail2ban start

Check that Fail2ban has set up its chain in iptables:

# iptables -L -n -v

You should see a "fail2ban-ASTERISK" chain in the output, with a rule in INPUT that jumps to it; banned addresses appear inside that chain as DROP rules. fail2ban-client status asterisk-iptables shows the jail's current failure and ban counters.

Any host that tries to brute-force your SIP passwords is now banned after 5 failed attempts (maxretry, counted within findtime, which defaults to 600 seconds) for 600 seconds (bantime). See jail.conf if you want to change these values; a longer bantime is reasonable on a production PBX.

How to test whether your security is working correctly

Download a software SIP client and try to register with your Elastix box using false credentials. Make sure you don't do this from an address covered by the ignoreip list (anything in 192.168.0.0/16, for instance), because those addresses are never banned. If the client is blocked after 5 attempts, the address shows up under the fail2ban-ASTERISK chain in iptables and you receive the email saying the IP has been banned, your configuration is working. The ban lifts by itself once bantime (600 seconds) has passed.
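The filter and the jail settings can also be checked offline, before pointing a softphone at the box. The following Python 3 script is an added example and is not part of the original article, of Elastix or of Fail2Ban's own code: it takes the eight failregex patterns from the asterisk.conf filter above (with <HOST> expanded exactly as Fail2Ban expands it, and the literal parentheses escaped), runs them over a handful of constructed Asterisk NOTICE lines, honours an ignoreip list like the one in jail.conf, and reports which source addresses would cross maxretry. It is a simplified model of how Fail2Ban counts failures (findtime is not modelled, so every sample line counts) rather than Fail2Ban itself. The sample log lines, addresses and extension numbers are made up, and the last sample shows a caveat: later Asterisk releases append the source port to the address, so the patterns as written capture "203.0.113.9:5060", which is not a bannable address.

```python
import ipaddress
import re
from collections import defaultdict

# The eight failregex patterns from /etc/fail2ban/filter.d/asterisk.conf. The
# parentheses that occur literally in the Asterisk log text are escaped.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# Fail2Ban replaces the <HOST> tag with this group before compiling a pattern.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# ignoreip and maxretry as in jail.conf (172.16.0.0/12 is the full RFC 1918 range).
IGNOREIP = ["127.0.0.1", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
MAXRETRY = 5

# Constructed sample of /var/log/asterisk/fail2ban (dateformat=%F %T). The
# addresses are RFC 5737 documentation ranges and the extensions are made up.
SAMPLE_LOG = """\
[2010-08-08 10:15:32] NOTICE[3221] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23' - Wrong password
[2010-08-08 10:15:33] NOTICE[3221] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23' - Wrong password
[2010-08-08 10:15:34] NOTICE[3221] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.23' - No matching peer found
[2010-08-08 10:15:35] NOTICE[3221] chan_sip.c: No registration for peer '102' (from 198.51.100.23)
[2010-08-08 10:15:36] NOTICE[3221] chan_sip.c: Host 198.51.100.23 failed MD5 authentication for '103' (deadbeef != cafef00d)
[2010-08-08 10:16:01] NOTICE[3221] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '203.0.113.77' - Wrong password
[2010-08-08 10:16:02] NOTICE[3221] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '203.0.113.77' - Username/auth name mismatch
[2010-08-08 10:17:10] NOTICE[3221] chan_sip.c: Registration from '"300" <sip:300@192.168.1.1>' failed for '192.168.1.50' - Wrong password
[2010-08-08 10:17:11] NOTICE[3221] chan_sip.c: Registration from '"300" <sip:300@192.168.1.1>' failed for '192.168.1.50' - Wrong password
[2010-08-08 10:17:12] NOTICE[3221] chan_sip.c: Registration from '"300" <sip:300@192.168.1.1>' failed for '192.168.1.50' - Wrong password
[2010-08-08 10:17:13] NOTICE[3221] chan_sip.c: Registration from '"300" <sip:300@192.168.1.1>' failed for '192.168.1.50' - Wrong password
[2010-08-08 10:17:14] NOTICE[3221] chan_sip.c: Registration from '"300" <sip:300@192.168.1.1>' failed for '192.168.1.50' - Device does not match ACL
[2010-08-08 10:18:00] NOTICE[3221] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
"""

# Constructed line in the form later Asterisk releases use: the source port is
# appended to the address, so the <HOST> group captures "address:port".
NEWER_ASTERISK_LINE = ("[2010-08-08 10:19:00] NOTICE[3221] chan_sip.c: Registration from "
                       "'\"400\" <sip:400@203.0.113.5>' failed for '203.0.113.9:5060' - Wrong password")


def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> the way Fail2Ban does and compile every failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def host_from_line(line, compiled=None):
    """Return the host captured by the first failregex that matches, or None."""
    if compiled is None:
        compiled = compile_failregex()
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_ignored(host, ignoreip=IGNOREIP):
    """True if host falls inside an ignoreip entry. Strings that are not a plain
    address (a hostname, or an address with a port glued on) are never ignored here."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def count_failures(log_text):
    """Count matching failure lines per captured host (findtime is not modelled)."""
    compiled = compile_failregex()
    counts = defaultdict(int)
    for line in log_text.splitlines():
        host = host_from_line(line, compiled)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Hosts that reached maxretry and are not covered by ignoreip."""
    return sorted(h for h, n in count_failures(log_text).items()
                  if n >= maxretry and not is_ignored(h, ignoreip))


if __name__ == "__main__":
    for host, n in sorted(count_failures(SAMPLE_LOG).items()):
        note = "  (covered by ignoreip)" if is_ignored(host) else ""
        print("%-16s %d failure(s)%s" % (host, n, note))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
    print("host captured from newer-style line:", host_from_line(NEWER_ASTERISK_LINE))
```

To run the same check against the real log, pass the contents of /var/log/asterisk/fail2ban to count_failures instead of SAMPLE_LOG. On the server itself, the tool Fail2Ban ships for this purpose is fail2ban-regex, which takes the log file and the filter file as its two arguments and prints how many lines each pattern matched.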

Credits

Thanks to Dicko @ Elastix forums.