FusionPBX for ex-Trixbox users

This blog is intended to be read in sequential order as it is a series of steps that I followed to build a fully functioning fusionpbx phone system. However you might just need to find out how to do a particular thing so you might want to use the search box below to find that specific step. Please give feedback - if you know a better way to do something share it!

Tuesday, August 2

fail2ban

To install fail2ban you can refer to http://wiki.fusionpbx.com/index.php?title=CentOS_Install#Fail2ban and http://wiki.freeswitch.org/wiki/Fail2ban.

Unfortunately though, if you are installing on an existing system as I was, you'll run into problems following those instructions, so here is a summary.

Use cat /etc/redhat-release to find out the release version of your system.  In my case it was CentOS release 5.4 (Final) and if you installed from the same ISO as me then you'll have the same release.  You need to know this for the next instruction:
rpm -ivh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm


If you aren't using version 5.4 like me then you would need to modify that last instruction for your release.  Next, install the fail2ban package:
yum install fail2ban

If you get an error like this:
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=i386 error was[Errno 4] IOError: urlopen error (101, 'Network is unreachable')

Then check that your DNS information is correct in system-config-network.  I changed my DNS to the Google DNS of 8.8.8.8 and then tried yum again and it worked properly.

After it is successfully installed, enable it to start at boot:
cd /etc/init.d
/sbin/chkconfig fail2ban on

Then you have to configure fail2ban.  The instructions for configuring it to protect your system against repeated failed login attempts to the fusionpbx administrative web interface are at: http://wiki.fusionpbx.com/index.php?title=Fail2Ban

Note that if you find that there are no files in /etc/fail2ban/ just re-run the yum command.  I have seen this once but couldn't work out why.

In brief, to configure fail2ban to protect fusionpbx you need to add the following to /etc/fail2ban/jail.local
[fusionpbx]  
enabled = true 
port = 80,443 
protocol = tcp 
filter = fusionpbx 
logpath = /var/log/auth.log 
action = iptables-allports[name=fusionpbx, protocol=all] 
# sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed

Note that unless you are running release 794 of FusionPBX you will not get anything logged in /var/log/auth.log and therefore fail2ban will not be able to protect your FusionPBX webpage.

You also need to create the file /etc/fail2ban/filter.d/fusionpbx.conf containing the following lines:
# Fail2Ban configuration file
#
# Author: soapee01
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT

#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
#[hostname] variable doesn't seem to work in every case. Do this instead:
failregex = .* FusionPBX: \[<HOST>\] authentication failed for
            .* FusionPBX: \[<HOST>\] provision attempt bad password for
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =

Ensure you also follow the instructions to prevent you banning yourself too!  In brief, you need to add the following to /etc/fail2ban/jail.local
[DEFAULT]  
# "ignoreip" can be an IP address, a CIDR mask or a DNS host 
ignoreip = 127.0.0.1 X.X.X.X 
bantime = 600 
maxretry = 3
Note that you can put as many IP addresses as you want to ignore on that ignoreip line, but at a minimum you need to put the address of the client you are using to administer the server in place of X.X.X.X.

The instructions for configuring it to protect your system against hacking login attempts and denial of service attacks for the SIP interfaces on your system are: http://wiki.freeswitch.org/wiki/Fail2ban

In brief, to configure fail2ban to protect the SIP ports on your server you need to add the following to /etc/fail2ban/jail.local
[freeswitch-tcp]  
enabled = true 
port = 5060,5061,5080,5081 
protocol = tcp 
filter = freeswitch 
logpath = /usr/local/freeswitch/log/freeswitch.log 
action = iptables-allports[name=freeswitch-tcp, protocol=all]
#   sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]  


[freeswitch-udp]  
enabled = true 
port = 5060,5061,5080,5081 
protocol = udp 
filter = freeswitch 
logpath = /usr/local/freeswitch/log/freeswitch.log 
action = iptables-allports[name=freeswitch-udp, protocol=all]
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]

You also need to create the file /etc/fail2ban/filter.d/freeswitch.conf containing the following lines:
# Fail2Ban configuration file
#
# Author: Rupa Schomaker
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT

failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =


To configure fail2ban to protect the SIP ports against a denial of service attack on your server you need to create the file /etc/fail2ban/filter.d/freeswitch-dos.conf containing the following lines:
# Fail2Ban configuration file
#
# Author: soapee01
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT

failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =
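Before restarting fail2ban it is worth checking that the failregex lines in fusionpbx.conf and freeswitch.conf (and the identical ones in freeswitch-dos.conf) really match what your logs contain. The following Python is an added example, not part of this post or of fail2ban itself: it expands the <HOST> tag into the alias quoted in the filter comments above, exactly as fail2ban does, runs each failregex over a few constructed log lines (the addresses are documentation ranges and the sofia_reg.c line numbers are made up), and shows how an ignoreregex suppresses a match.

```python
import re

# fail2ban replaces the <HOST> tag in a failregex with this alias (the same
# expression quoted in the filter file comments on this page) before compiling.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex entries from filter.d/fusionpbx.conf and filter.d/freeswitch.conf
# on this page; fail2ban treats each continuation line as a separate pattern.
FUSIONPBX_FAILREGEX = [
    r".* FusionPBX: \[<HOST>\] authentication failed for",
    r".* FusionPBX: \[<HOST>\] provision attempt bad password for",
]
FREESWITCH_FAILREGEX = [
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
]

# Constructed sample log lines (not real logs).  The unrelated sshd line
# checks that the filters do not fire on everything in auth.log.
AUTH_LOG_SAMPLE = [
    "Aug  2 10:15:01 pbx FusionPBX: [203.0.113.7] authentication failed for admin",
    "Aug  2 10:15:09 pbx FusionPBX: [203.0.113.7] provision attempt bad password for 1001",
    "Aug  2 10:15:12 pbx sshd[2231]: Accepted publickey for root from 192.0.2.10 port 51022 ssh2",
]
FREESWITCH_LOG_SAMPLE = [
    "2011-08-02 10:16:00.123456 [WARNING] sofia_reg.c:1433 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.example.org] from ip 198.51.100.23",
    "2011-08-02 10:16:02.654321 [WARNING] sofia_reg.c:1433 SIP auth failure (INVITE) on sofia profile 'internal' for [1001@pbx.example.org] from ip 198.51.100.23",
    "2011-08-02 10:16:05.000000 [NOTICE] sofia_reg.c:1310 Registration from 1002@pbx.example.org accepted",
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_hosts(patterns, lines, ignoreregex=""):
    """Return the host captured from every line that matches a failregex.

    Simplified model of a fail2ban filter: a line matching ignoreregex is
    skipped, otherwise the first failregex that matches supplies the host.
    Real fail2ban strips the timestamp before matching; using re.search
    makes that unnecessary here.
    """
    compiled = compile_failregex(patterns)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print("fusionpbx  matches:", match_hosts(FUSIONPBX_FAILREGEX, AUTH_LOG_SAMPLE))
    print("freeswitch matches:", match_hosts(FREESWITCH_FAILREGEX, FREESWITCH_LOG_SAMPLE))
```

If a failregex you expect to fire returns nothing against a line copied from your own log, the log format (not the jail) is what needs attention; this is exactly the situation the release 794 note above describes for FusionPBX, where nothing reaches /var/log/auth.log at all.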


Now you need to add the following to /etc/fail2ban/jail.local
[freeswitch-dos] 
enabled = true 
port = 5060,5061,5080,5081 
protocol = udp 
filter = freeswitch-dos 
logpath = /usr/local/freeswitch/log/freeswitch.log 
action = iptables-allports[name=freeswitch-dos, protocol=all] 
maxretry = 50 
findtime = 30 
bantime = 6000
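The jail settings above decide when a host that the filter matched actually gets banned: ignoreip in [DEFAULT] exempts your own clients, and maxretry together with findtime sets how many matches within how many seconds trigger a ban (3 in the default window for the web interface, 50 within 30 seconds for the freeswitch-dos jail). The following Python is an added model of that decision, not fail2ban's own code. It assumes 192.0.2.10 as a stand-in for the X.X.X.X admin address, and fail2ban's built-in default findtime of 600 seconds for the jails that do not set one; the events it replays are constructed, not real log data.

```python
import ipaddress

# Settings from jail.local on this page.  192.0.2.10 is a constructed
# stand-in for the X.X.X.X admin client address in ignoreip.
IGNOREIP = ["127.0.0.1", "192.0.2.10"]
# [DEFAULT] on this page sets maxretry and bantime but not findtime;
# 600 seconds is fail2ban's built-in default for findtime.
DEFAULT_JAIL = {"maxretry": 3, "findtime": 600, "bantime": 600}
FREESWITCH_DOS_JAIL = {"maxretry": 50, "findtime": 30, "bantime": 6000}


def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip falls under any ignoreip entry (single address or CIDR mask).
    DNS host entries, which fail2ban also accepts, are not resolved here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def bans_for(events, maxretry, findtime, ignoreip=IGNOREIP):
    """Replay failregex matches and return {ip: unix_time_of_ban}.

    events: (unix_time, ip) pairs in log order, one per matched log line.
    A host is banned when maxretry matches fall within findtime seconds;
    matches from ignoreip hosts never count, and once a host is banned its
    later matches are dropped (bantime expiry is not modelled).
    """
    recent = {}   # ip -> timestamps of matches still inside the findtime window
    banned = {}
    for t, ip in events:
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        window = [x for x in recent.get(ip, []) if t - x <= findtime]
        window.append(t)
        if len(window) >= maxretry:
            banned[ip] = t
            window = []
        recent[ip] = window
    return banned


def sample_sip_events():
    """Constructed (unix_time, ip) SIP failure events, not real data:
    50 failures in 10 s from one address, 49 failures within 25 s and then
    one more 75 s later from another, and 60 failures from the admin client."""
    base = 1312279200
    burst = [(base + i // 5, "198.51.100.23") for i in range(50)]
    slow = [(base + i // 2, "203.0.113.9") for i in range(49)] + [(base + 100, "203.0.113.9")]
    admin = [(base + i, "192.0.2.10") for i in range(60)]
    return sorted(burst + slow + admin)


if __name__ == "__main__":
    dos = FREESWITCH_DOS_JAIL
    print("freeswitch-dos bans:", bans_for(sample_sip_events(), dos["maxretry"], dos["findtime"]))
```

Only the 50-in-10-seconds burst is banned by the freeswitch-dos jail: the second address never has 50 matches inside one 30-second window, and the admin client is exempted by ignoreip no matter how often it fails. The same function with maxretry 3 and findtime 600 reproduces the web interface jail, which is why three failed logins spaced more than ten minutes apart will not trigger a ban there.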

If you refer to http://wiki.freeswitch.org/wiki/Fail2ban you will see that they also suggest you consider an O'Reilly script to add as well.  I haven't done this yet.

Now edit /etc/fail2ban/fail2ban.conf and set:
logtarget = /var/log/fail2ban.log
Unless you do this, all the instructions on those websites that tell you to look at the fail2ban log will be irrelevant, as no log file will be created!

Once it is all configured you need to reboot your system or run:
/etc/init.d/fail2ban start

Then you can look at /var/log/fail2ban.log to see what fail2ban is doing.  You can also use the following commands to see the current status of IP addresses that are blocked by each jail:
iptables -n -L fail2ban-fusionpbx
iptables -n -L fail2ban-freeswitch-tcp
iptables -n -L fail2ban-freeswitch-udp

Presumably you can use a client with an IP address that is not configured as unable to be banned and fail to log in successfully to the fusionpbx web interface more than 3 times to see if it gets banned.  To test that SIP banning works you can configure a SIP client with an invalid login and let it try connecting and you can see if it gets banned.  As for testing the denial of service attack I'm not sure how you would do that so you might just have to trust the people that created those instructions that they got it right and you'll be protected!
