asterisk 與 fail2ban小記

下午用戶反映說總機掛了不能用，檢查SIP註冊是OK的，不過FreePBX記憶體顯示紅燈，SERVER看fail2ban的process CPU用量逼近100%，記憶體大多也是被這服務吃掉。ASTERISK的Console顯示大量的register fail事件。

先使用iptables去擋掉頻繁try account/pass的request IP後，在檢查設定發現問題出在logpath，設定成/var/log/asterisk/security這個設定不能說錯，不過ASTERISK的LogFile得同步設定，改成本來就有的messages就擋到了。

不過在過濾的正則表示式原使用的版本式asterisk 1.8設定，恩恩...不太符合所使用版本的格式，後又看到較進階版本(更精簡)設定，還是量身訂造的設定比較好(如下所示)，做個備忘囉。

後記: 當初架設好的服務搭配fail2ban也是測試OK的，用久了版本更新沒再回來檢查，所以bot就再次發會打不死的精神進來，疏忽不得。

fail2ban-client status asterisk-iptables
Status for the jail: asterisk-iptables
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     34
|  `- File list:        /var/log/asterisk/messages
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   XXX.XXX.XXX.XXX

vim /etc/fail2ban/jail.local

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=myaccount@xxx.xxx, sender=srvaccount@xxx.xxx.]
logpath  = /var/log/asterisk/messages
maxretry = 6
findtime = 21600
bantime = 86400

vim /etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban configuration file
# Author: Xavier Devlamynck
 
[INCLUDES]
 
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
# Values:  TEXT
#
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
 
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

後記:

最近又發現一堆機器人Try Password的LOG，結果fail2ban GG惹...原因在於message file太大造成記憶體太小就服務終止。後來在Message LOG 設定只儲存NOTICE跟SECURITY就好，因為FULL LOG已經都包含其他的，這樣設定也OK

另外fail2ban的Log儲存預設是SYSLOG，這樣在檢視時會造成混淆也不好找，因此修改

fail2ban.conf的logtarget設定。

搜尋:logtarget = SYSLOG

改為:logtarget = /var/log/fail2ban.log

Asterisk check file exist example

之前透過 system() 來判斷，結果若單一資料夾內有多個符合條件的檔案則不回覆success造成誤判，其實system()的回覆狀態success也只是表示執行成功。

節錄:
FAILURE Could not execute the specified command
SUCCESS Specified command successfully executed
APPERROR Triggered for example when you try to delete a file but the file was not there.
NOTE - not documented, but can also return APPERROR
NOTE - I don't seem to be able to create a situation when FAILURE will be returned. 
※當然他在已知具體檔名的狀態下，確實能有判斷檔案是否存在的功用在。

之前的寫法...
exten => _99888,1,System(test -e /tmp/*87${EXTEN:3:3}*.call)
exten => _99888,n,NoOp(${SYSTEMSTATUS})
exten => _99888,n,GotoIf($["${SYSTEMSTATUS}" = "SUCCESS"]?start:end)

現在的寫法...

exten => _99888,1,Set(result=${SHELL(ls -rt /tmp/*87${EXTEN:2:3}*.call | head -1)})
exten => _99888,n,NoOp(${result})
exten => _99888,n,GotoIf($["${result}" = ""]?end:start)

若是有檔案存在result會存有檔案路徑，所以判斷是否為空值就可以了。

補充說明...
SYSTEM() 跟 SHELL()都有其方便的地方，看所需的功能用哪個比較不會出錯即可。

Asuswrt-Merlin SIP單邊通話設定備忘

SIP通話穩定性很重要，尤其是處於NAT環境中，市面上的AP選擇很多，這邊挑了ASUS系列的AP來刷Asuswrt-Merlin韌體實測運行狀況還不賴，做個MEMO。

1.首先...韌體要先拿的到，別傻傻到ASUS官網上抓，那是功能不算多。
韌體下載網站:https://www.mediafire.com/folder/bkfq2a6aebq68/Asuswrt-Merlin

2. 開啟防火牆。這是一定要的...沒必要拿安全開玩笑。

3. 設定虛擬伺服器。實測外網5060對內網5060最穩，可是用了5060那security warring的LOG暴增。

4. 下圖記得設關閉。從字面上來看啟動會減少SIP使用的障礙，ㄚ不知是哪種SIP總之跟ASTERISK不合，不關在NAT環境下可能會有一定機率單向通話狀況。

PS. 為什麼不挑DD-WRT或Tomato哩，實測後均有殘念的地方，而且在AP上架LAMP+PBX系統支援上Asuswrt-Merlin最為激賞(...可惜之前被BOT攻破被當跳板(=.= 接到種花電信的通知，不砍掉就封網)，就放棄這條路回到NAT打洞。