To install fail2ban you can refer to http://wiki.fusionpbx.com/index.php?title=CentOS_Install#Fail2ban and http://wiki.freeswitch.org/wiki/Fail2ban.
Unfortunately though, if you are installing on an existing system as I was, you'll run into problems following those instructions, so here is a summary.
Use cat /etc/redhat-release to find out the release version of your system. In my case it was CentOS release 5.4 (Final), and if you installed from the same ISO as me then you'll have the same release. You need to know this for the next command.
rpm -ivh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
If you aren't using version 5.4 like me then you would need to modify that last instruction for your release. Next we download the fail2ban package.
yum install fail2ban
If you get an error like this:
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=i386 error was[Errno 4] IOError: urlopen error (101, 'Network is unreachable')
Then check that your DNS information is correct in system-config-network. I changed my DNS to the Google DNS of 8.8.8.8, tried yum again, and it worked properly.
After it is successfully installed:
cd /etc/init.d
/sbin/chkconfig fail2ban on
Then you have to configure fail2ban. The instructions for configuring it to protect your system against hacking login attempts to the fusionpbx administrative web interface are: http://wiki.fusionpbx.com/index.php?title=Fail2Ban
Note that if you find that there are no files in /etc/fail2ban/ just re-run the yum command. I have seen this once but couldn't work out why.
In brief, to configure fail2ban to protect fusionpbx you need to add the following to /etc/fail2ban/jail.local
[fusionpbx]
enabled = true
port = 80,443
protocol = tcp
filter = fusionpbx
logpath = /var/log/auth.log
action = iptables-allports[name=fusionpbx, protocol=all]
# sendmail-whois[name=FusionPBX, dest=root, sender=fail2ban@example.org] #no smtp server installed
Note that unless you are running release 794 of FusionPBX you will not get anything logged in /var/log/auth.log and therefore fail2ban will not be able to protect your FusionPBX webpage.
You also need to create the file /etc/fail2ban/filter.d/fusionpbx.conf containing the following lines:
# Fail2Ban configuration file
#
# Author: soapee01
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
#[hostname] variable doesn't seem to work in every case. Do this instead:
failregex = .* FusionPBX: \[<HOST>\] authentication failed for
            .* FusionPBX: \[<HOST>\] provision attempt bad password for
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Ensure you also follow the instructions to prevent you banning yourself too! In brief, you need to add the following to /etc/fail2ban/jail.local
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 X.X.X.X
bantime = 600
maxretry = 3
Note that you can put as many IP addresses as you want to ignore on that ignoreip line, but at a minimum you need to replace X.X.X.X with the address of the client you are using to administer the server.
The instructions for configuring it to protect your system against hacking login attempts and denial of service attacks for the SIP interfaces on your system are: http://wiki.freeswitch.org/wiki/Fail2ban
In brief, to configure fail2ban to protect the SIP ports on your server you need to add the following to /etc/fail2ban/jail.local
[freeswitch-tcp]
enabled = true
port = 5060,5061,5080,5081
protocol = tcp
filter = freeswitch
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-tcp, protocol=all]
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]
[freeswitch-udp]
enabled = true
port = 5060,5061,5080,5081
protocol = udp
filter = freeswitch
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-udp, protocol=all]
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org]
You also need to create the file /etc/fail2ban/filter.d/freeswitch.conf containing the following lines:
# Fail2Ban configuration file
#
# Author: Rupa Schomaker
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
To configure fail2ban to protect the SIP ports against a denial of service attack on your server you need to create the file /etc/fail2ban/filter.d/freeswitch-dos.conf containing the following lines:
# Fail2Ban configuration file
#
# Author: soapee01
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
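Before restarting fail2ban it is worth checking that the failregex lines in fusionpbx.conf, freeswitch.conf and freeswitch-dos.conf actually match the log lines your system writes, since a regex that never matches means the jail silently protects nothing. The script below is an added example, not code from this post or from the fail2ban project: it applies the page's regexes the way fail2ban does (the <HOST> tag expanded to the group shown in the filter comments, re.search per line, ignoreregex checked first) to a few constructed sample log lines. The log lines and the addresses in them are made up for the test; check your own /var/log/auth.log and freeswitch.log lines against it in the same way.

```python
import re

# fail2ban expands the <HOST> tag to this group (stated in the comment block of each filter file)
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from the page's filter files, with <HOST> still written as the tag.
# freeswitch-dos.conf on this page uses the same two lines as freeswitch.conf.
FUSIONPBX_FAILREGEX = [
    r".* FusionPBX: \[<HOST>\] authentication failed for",
    r".* FusionPBX: \[<HOST>\] provision attempt bad password for",
]
FREESWITCH_FAILREGEX = [
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
    r"\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>",
]

# Constructed sample log lines (not real captures); addresses are from documentation ranges.
# The third auth.log line uses an IPv4-mapped IPv6 form to exercise the (?:::f{4,6}:)? prefix.
AUTH_LOG = [
    "Jan 10 10:00:01 pbx FusionPBX: [203.0.113.5] authentication failed for admin",
    "Jan 10 10:00:02 pbx FusionPBX: [203.0.113.5] authentication failed for admin",
    "Jan 10 10:00:03 pbx FusionPBX: [::ffff:203.0.113.9] provision attempt bad password for 000B82ABCDEF",
    "Jan 10 10:00:04 pbx FusionPBX: [10.0.0.2] authentication succeeded for admin",
]
FREESWITCH_LOG = [
    "2013-01-10 10:00:01.000001 [WARNING] sofia_reg.c:1234 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.example.org] from ip 198.51.100.7",
    "2013-01-10 10:00:02.000001 [WARNING] sofia_reg.c:1234 SIP auth failure (INVITE) on sofia profile 'external' for [1002@pbx.example.org] from ip 198.51.100.8",
    "2013-01-10 10:00:03.000001 [NOTICE] sofia_reg.c:1234 Registered user 1001@pbx.example.org from ip 10.0.0.3",
]


def compile_failregex(failregex):
    """Expand <HOST> in each failregex line and compile it, as fail2ban does."""
    return [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in failregex]


def match_hosts(failregex, lines, ignoreregex=""):
    """Return the host fail2ban would extract from each matching line, in log order.
    A line matching ignoreregex is skipped before the failregex list is tried."""
    patterns = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue
        for pattern in patterns:
            m = pattern.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # one failure per line, whichever regex matched first
    return hosts


def failures_per_host(failregex, lines, ignoreregex=""):
    """Count matched failures per host; this is the number fail2ban compares with maxretry."""
    counts = {}
    for host in match_hosts(failregex, lines, ignoreregex):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("fusionpbx:", failures_per_host(FUSIONPBX_FAILREGEX, AUTH_LOG))
    print("freeswitch:", failures_per_host(FREESWITCH_FAILREGEX, FREESWITCH_LOG))
```

If a regex is pasted with a space inside the tag (< HOST> instead of <HOST>), the replace above never fires and the pattern is left looking for a literal "< HOST>", so nothing matches; that is exactly the kind of silent failure this check is meant to catch before the jail goes live.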
Now you need to add the following to /etc/fail2ban/jail.local
[freeswitch-dos]
enabled = true
port = 5060,5061,5080,5081
protocol = udp
filter = freeswitch-dos
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-dos, protocol=all]
maxretry = 50
findtime = 30
bantime = 6000
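The difference between the freeswitch jails and the freeswitch-dos jail is only in the thresholds: the same filter lines, but 50 failures within 30 seconds instead of 3 failures within the findtime window. To see what those numbers mean in practice, here is an added example (not code from this post or from fail2ban) that replays constructed failure events through a simplified model of fail2ban's counting rule: a host is banned once it has maxretry failures inside a findtime-long window, and while it is banned its further log lines are ignored. It assumes fail2ban's default findtime of 600 seconds for the [DEFAULT] jail, which this page does not set; the two hosts and their timings are made up.

```python
from collections import defaultdict, deque

# Thresholds from this page. [DEFAULT] sets maxretry = 3 and bantime = 600; findtime is not
# set there, so fail2ban's default of 600 s is assumed. [freeswitch-dos] sets 50 / 30 / 6000.
DEFAULT_JAIL = (3, 600, 600)      # (maxretry, findtime, bantime)
DOS_JAIL = (50, 30, 6000)


def simulate_bans(events, maxretry, findtime, bantime):
    """Replay (timestamp_seconds, host) failure events against one jail's thresholds
    and return the list of (ban timestamp, host) in the order the bans would happen."""
    window = defaultdict(deque)   # host -> timestamps of its recent failures
    banned_until = {}             # host -> time its current ban expires
    bans = []
    for t, host in sorted(events):
        if banned_until.get(host, float("-inf")) > t:
            continue              # firewall is already dropping this host
        q = window[host]
        q.append(t)
        while q and q[0] < t - findtime:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.append((t, host))
            banned_until[host] = t + bantime
            q.clear()
    return bans


def sample_events():
    """Constructed traffic, not a capture: one host flooding two SIP auth failures per
    second for 30 s, and one slow guesser failing once every two minutes."""
    flood = [(i * 0.5, "198.51.100.7") for i in range(60)]
    slow = [(i * 120.0, "203.0.113.5") for i in range(5)]
    return flood + slow


if __name__ == "__main__":
    # The flood trips both jails; the slow guesser only ever trips the default thresholds.
    print("default jail:", simulate_bans(sample_events(), *DEFAULT_JAIL))
    print("dos jail:    ", simulate_bans(sample_events(), *DOS_JAIL))
```

Running it shows why both kinds of jail are useful together: the dos jail reacts within 25 seconds to the flood but never notices the slow guesser, while the default thresholds catch the slow guesser but only ban the flooding host for the shorter bantime of 600 seconds.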
If you refer to http://wiki.freeswitch.org/wiki/Fail2ban you will see that they also suggest an O'Reilly script you might add as well. I haven't done this yet.
Now edit /etc/fail2ban/fail2ban.conf and set logtarget = /var/log/fail2ban.log
Unless you do this all the instructions on those websites that tell you to look at the fail2ban log will be irrelevant as you won't get any log created!
Then you can look at /var/log/fail2ban.log to see what fail2ban is doing. You can also use the following commands to see the current status of the IP addresses that are blocked.
iptables -n -L fail2ban-fusionpbx
iptables -n -L fail2ban-freeswitch-tcp
iptables -n -L fail2ban-freeswitch-udp
Presumably you can test the web-interface jail by using a client whose IP address is not in the ignoreip list and failing to log in to the fusionpbx web interface more than 3 times, then checking whether it gets banned. To test that SIP banning works you can configure a SIP client with an invalid login, let it try to connect, and check whether it gets banned. As for testing the denial of service protection, I'm not sure how you would do that, so you might just have to trust that the people who created those instructions got it right and you'll be protected!