
Thursday, August 20, 2015

Centos 7 and Asterisk using fail2ban




I punched holes in my firewall for SIP and RTP so I could get to my Asterisk server off-net on my softphone. I quickly noticed I was getting attacked. Although I am using very cryptic passwords for my extensions, best practice is to not let this go on, and I have limited bandwidth at my house with COX home service (50/5).

At the time of this post I am behind a Linksys EA5400 router. I have a new pfSense box I built the other day on a fanless mini-ITX platform, but I want to play with it more before I move it in front of my COX MTA. Yes, I have COX home as well :)

Replacing the router will not affect my network or Asterisk setup, as I will use the same IPs as the Linksys when I replace it and, yes, add the port-forward rules for SIP and RTP.

Install iptables

# systemctl stop firewalld
# systemctl mask firewalld
# yum -y install iptables-services
# systemctl enable iptables

Edit the /etc/sysconfig/iptables file. Below is mine: very basic, allowing web, ssh, SIP, and RTP. Note that the INPUT policy is DROP. With the default ACCEPT policy and no final reject rule, the ACCEPT lines below would restrict nothing and every listening port would be reachable from the WAN; the only thing blocking anyone would be the bans fail2ban inserts. The RTP range must match rtpstart/rtpend in /etc/asterisk/rtp.conf (10000-20000 is the Asterisk default).

# vi /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established flows first
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# web and ssh management
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# SIP signalling and the RTP media range from rtp.conf
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
COMMIT

Start iptables with:

# systemctl restart iptables

Make sure it is running with:

# systemctl status iptables

Check your rules with:

# iptables -L -n -v

Install fail2ban

Make sure you have the EPEL repository for CentOS 7 enabled in yum; fail2ban is not in the base repositories. As root:

# yum -y install fail2ban

Set up the configuration in jail.local. Don't edit jail.conf, which the package overwrites on update; jail.local overrides it. The [DEFAULT] values apply to every jail and the [asterisk-iptables] section overrides them for Asterisk. iptables-allports bans the offending address on every port, not just SIP, and the second action line mails you on each ban (the continuation line must be indented, as here; put your own addresses in). Since firewalld is masked above, keep an iptables-based action like this one rather than a firewallcmd action. Consider adding ignoreip with your LAN range under [DEFAULT] so a mistyped softphone password at home cannot lock you out.
 
# vi /etc/fail2ban/jail.local
[DEFAULT]
bantime  = 3600
findtime = 21600
maxretry = 3
backend  = auto
 
[asterisk-iptables]
# 4 failed registrations within 6 hours bans the source for 24 hours
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath  = /var/log/asterisk/messages
maxretry = 4
findtime = 21600
bantime  = 86400
 
Make sure logpath under [asterisk-iptables] points at the file Asterisk actually writes. By default /etc/asterisk/logger.conf sends notice, warning and error messages to /var/log/asterisk/messages, which is where chan_sip logs failed registrations. If the path is wrong, fail2ban cannot read the log and nothing gets banned.
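To see what the jail above actually does with a log, here is an added example (not part of the original post, and not fail2ban's own code): a small shell script that pulls the source address out of chan_sip's failed-registration NOTICE lines, the same field the shipped asterisk filter captures as <HOST>, counts failures per address, and applies the jail's maxretry plus an ignoreip-style exclusion for the LAN. The log lines are constructed in the Asterisk 11/13 chan_sip format with documentation-range addresses, and the findtime window is not modelled.

```shell
#!/bin/sh
# Added example, not from the original post and not fail2ban's own code.
# Emulates what the [asterisk-iptables] jail does: find chan_sip's failed
# registration NOTICEs, take the source address (the field fail2ban's
# asterisk filter captures as <HOST>), count failures per address and
# apply maxretry. The findtime window is not modelled.

# Constructed sample of /var/log/asterisk/messages in the Asterisk 11/13
# chan_sip format; addresses are documentation ranges, not a real server.
sample_log() {
cat <<'EOF'
[Aug 20 14:02:11] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.77:5060' - Wrong password
[Aug 20 14:02:12] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.77:5060' - No matching peer found
[Aug 20 14:02:13] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.77:5060' - Wrong password
[Aug 20 14:02:14] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.77:5060' - Username/auth name mismatch
[Aug 20 14:05:30] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.9:5062' - Wrong password
[Aug 20 14:07:01] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '192.168.1.50:5060' - Wrong password
[Aug 20 14:07:05] VERBOSE[2345] chan_sip.c: -- Registered SIP '1001' at 192.168.1.50:5060
EOF
}

# Read a log on stdin; print "count address" for each address that failed
# to register, most failures first. Only NOTICE lines from chan_sip with a
# "failed for 'ip:port'" clause count; successful registrations are ignored.
failed_hosts() {
    grep -E "NOTICE\[[0-9]+\].*chan_sip\.c: Registration from '.*' failed for '[0-9.]+:[0-9]+' - " \
    | sed -E "s/.* failed for '([0-9.]+):[0-9]+' - .*/\1/" \
    | sort | uniq -c | sort -rn
}

# Apply the jail's maxretry to those counts: print addresses at or above it,
# which is when fail2ban bans (maxretry = 4 bans on the 4th failure).
hosts_to_ban() {
    failed_hosts | awk -v max="$1" '$1 >= max { print $2 }'
}

# Emulate ignoreip: drop addresses matching the given regex (here a /24 on
# the LAN), so a mistyped softphone password at home cannot lock you out.
apply_ignoreip() {
    grep -Ev "$1" || true
}

# Stand-alone run: per-address counts, then who the jail would ban.
sample_log | failed_hosts
echo "--- banned with maxretry = 4, LAN ignored ---"
sample_log | hosts_to_ban 4 | apply_ignoreip '^192\.168\.1\.'
```

On the real server the equivalent check is fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf, which reports how many lines the shipped filter matches, and fail2ban-client status asterisk-iptables, which lists the addresses currently banned.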

Enable fail2ban and start service:

# systemctl enable fail2ban
# systemctl start fail2ban
# systemctl status fail2ban

fail2ban logs to /var/log/fail2ban.log; each ban shows up there as a "[asterisk-iptables] Ban <address>" line, and the unban follows when bantime expires.

Enjoy!
