I first used iptables to block the IP that was sending frequent requests trying account/password combinations, then, on checking the configuration, found that the problem was in logpath. Setting it to /var/log/asterisk/security cannot be called wrong as such, but Asterisk's log file configuration has to be set to match; changing it to the messages file, which already exists, got the blocking working.
However, the regular expressions in the filter were from the configuration written for Asterisk 1.8, and, well... they didn't quite fit the log format of the version in use. Later I also saw a more advanced (and more concise) version of the configuration, but a configuration tailored to your own setup is still better (as shown below), so this is a memo for myself.
Postscript: when the service was first set up, fail2ban was tested together with it and worked fine, but after a long time in use and version updates I never came back to check, so the bots came back in with their unkillable spirit. This cannot be neglected.
fail2ban-client status asterisk-iptables
Status for the jail: asterisk-iptables
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     34
|  `- File list:        /var/log/asterisk/messages
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   XXX.XXX.XXX.XXX
vim /etc/fail2ban/jail.local
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=myaccount@xxx.xxx, sender=srvaccount@xxx.xxx]
logpath  = /var/log/asterisk/messages
maxretry = 6
findtime = 21600
bantime  = 86400
vim /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
# Author: Xavier Devlamynck

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
#         Continuation lines must be indented, otherwise fail2ban only loads
#         the first pattern.
# Values: TEXT
#
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
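As an added example (not from the original post and not fail2ban's own code), the following Python script emulates what fail2ban-regex does with the filter above: it blanks the date to "[]", applies a subset of the failregex lines verbatim, and tallies hits per host, so you can check the patterns against your own log lines offline before trusting the jail. Assumptions: the <HOST> expansion follows fail2ban 0.8, __pid_re is taken as common.conf's (?:\[\d+\])?, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Stand-ins for what fail2ban substitutes (assumptions): <HOST> as fail2ban 0.8
# expands it, and __pid_re as defined in common.conf.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PID_RE = r"(?:\[\d+\])?"
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[\S+\d*\])? \S+:\d*"
# Subset of the failregex lines from asterisk.conf above, %(log_prefix)s written as %(p)s.
FAILREGEX = [
    r"^%(p)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$",
    r"^%(p)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$",
    r'^%(p)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",'
    r'SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?'
    r'(,ReceivedHash="[\da-f]+")?$',
]
COMPILED = [re.compile((p % {"p": LOG_PREFIX}).replace("<HOST>", HOST)) for p in FAILREGEX]
DATE_RE = re.compile(r"^\[[^\]]*\]")  # Asterisk's leading "[date time]" bracket

def match_line(line):
    """Return the host a line blames for the failure, or None if no failregex matches."""
    # fail2ban cuts the matched date out and leaves the empty "[]" that log_prefix expects.
    stripped = DATE_RE.sub("[]", line.rstrip("\n"), count=1)
    for rx in COMPILED:
        if (m := rx.search(stripped)):
            return m.group("host")
    return None

def count_failures(lines):
    """Tally failures per host; this is the count fail2ban compares against maxretry."""
    return Counter(h for h in map(match_line, lines) if h is not None)

# Constructed sample lines in /var/log/asterisk/messages format (not real traffic).
SAMPLE_LOG = [
    "[2016-01-10 03:14:05] NOTICE[1234][C-00000001] chan_sip.c: Registration from"
    " '\"100\" <sip:100@10.0.0.2>' failed for '203.0.113.5:5060' - Wrong password",
    "[2016-01-10 03:14:06] NOTICE[1234] chan_sip.c: Registration from"
    " '\"admin\" <sip:admin@10.0.0.2>' failed for '203.0.113.5:5060' - No matching peer found",
    '[2016-01-10 03:14:07] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",'
    'EventTV="1452395647-000000",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",'
    'SessionID="0x7f2a1c0018e8",LocalAddress="IPV4/UDP/10.0.0.2/5060",'
    'RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="6e1c2f3a",ReceivedChallenge="6e1c2f3a",'
    'ReceivedHash="0f1e2d3c4b5a69788796a5b4c3d2e1f0"',
    # WARNING is outside the NOTICE|SECURITY prefix, so this line must not count.
    "[2016-01-10 03:14:08] WARNING[1234] chan_sip.c: Registration from"
    " '\"100\" <sip:100@10.0.0.2>' failed for '203.0.113.5:5060' - Wrong password",
]
```

Running count_failures(SAMPLE_LOG) gives two hits for 203.0.113.5 and one for 198.51.100.7; the WARNING line is ignored, which is why the messages log only needs NOTICE and SECURITY for this filter.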
Postscript:
Recently I again found a pile of log entries from bots trying passwords, and fail2ban had died... The cause was that the messages file had grown too large; with too little memory, the service terminated. Afterwards I set the messages log to store only NOTICE and SECURITY, since the full log already contains everything else, and that configuration also works fine.
Also, fail2ban's log output defaults to SYSLOG, which is confusing and hard to search through when reviewing, so I changed the logtarget setting in fail2ban.conf.
Search for: logtarget = SYSLOG
Change to:  logtarget = /var/log/fail2ban.log