  #11  
10-07-08, 09:24 AM
wardmundy
Nerd Uno
 
Join Date: Oct 2007
Posts: 3,881
Thanks for clarification. I stand corrected. My apologies. I still think we'd better give this a good workout in the lab before people start depending upon it.
  #12  
10-07-08, 09:42 AM
TDF
Senior Member
 
Join Date: Jul 2008
Posts: 202
Originally Posted by wardmundy
I still think we'd better give this a good workout in the lab before people start depending upon it.

For sure, I'm glad (but not surprised) you see the value in it though, over on Trixbox they have been a bit slow on the uptake.

There have been a fair few threads (on trix.org) in the last month or so and 3 in a 36 period a few days back by people suffering these attacks. I would say there's probably a whole lot of people who have no idea that they are under or have been under attack. I am sure this problem will only get worse, and even if you use passwords that should take months/years to crack you don't really want the unnecessary traffic hammering away at you.

Like you pointed out, a lot of the guides show examples of 3 or 4 character extension passwords. Kerry's very own 2.6.1 guide on asterisk tutorials shows examples of password 200 for extension 200 and so on; people follow these guides at a time when they have little understanding and are being left with their arses hanging in the wind lol.
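Added example (not part of any post in this thread): a small Python audit for the weak-secret pattern described above, where the password equals the extension or is only 3 or 4 characters long. The sip.conf-style sample is constructed, and the function name, the 12-character minimum and the rule that every section other than [general] is a peer are assumptions made for illustration.

```python
import re

# Constructed sip.conf-style excerpt for illustration (not taken from the thread).
SAMPLE_SIP_CONF = """\
[general]
bindport=5060

[200]
secret=200      ; password equals the extension
host=dynamic

[201]
secret=7391

[202]
secret=Tq7#vLm2pX9wRb4e

[203]
host=dynamic
"""

def audit_secrets(conf_text, min_length=12):
    """Return {extension: [findings]} for peers with a weak or missing secret."""
    secrets, section = {}, None
    for raw in conf_text.splitlines():
        line = re.sub(r"(?<!\\);.*", "", raw).strip()   # strip ';' comments
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
            if section != "general":        # assumption: all other sections are peers
                secrets.setdefault(section, "")
        elif section in secrets and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "secret":
                secrets[section] = value
    report = {}
    for ext, secret in secrets.items():
        findings = [msg for bad, msg in (
            (not secret, "no secret set"),
            (secret == ext, "secret equals extension"),
            (0 < len(secret) < min_length, f"shorter than {min_length} characters"),
            (secret.isdigit(), "digits only"),
        ) if bad]
        if findings:
            report[ext] = findings
    return report
```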
  #13  
10-07-08, 10:18 AM
cosmicwombat
Guru
 
Join Date: Nov 2007
Posts: 477
What is worse...
Is that TB thinks it is OK to run certain (Package Manager and restart/shutdown) things sudo as root.

That makes it worse.

So should we be trying out the additions to Fail2Ban?
__________________
Robert Keller - VoIPologist
The VoIP Experience
Get Official FreePBX Training
  #14  
10-07-08, 10:46 AM
TomS
Senior Member
 
Join Date: Oct 2007
Posts: 175
The Voip-Info.org fail2ban setup
I printed the information for the asterisk setup for fail2ban.
Since it is already installed on the PiaF 1.2 system, I moved on to the configuration area.
I tried to find the filter.d directory - not found:
'find / -name filter.d -print'
I tried to go to the /etc/fail2ban directory but there is none. I did find the .conf file there.
From 'find / -name fail2ban -print':
/usr/src/fail2ban (directory with rpm's, etc.)
/usr/lib/fail2ban (directory - no filter.d)
/usr/bin/fail2ban (executable program and /usr/bin/faillog)
/etc/rc.d/init.d/fail2ban (startup script)
/root/fail2ban (executable program)
were found.
Where do you add the filter.d/asterisk.conf information?
or is this necessary on PiaF 1.2, etc.
Thanks
TomS
  #15  
10-07-08, 10:51 AM
jroper
Guru
 
Join Date: Oct 2007
Posts: 3,333
I tried:-

root@pbx:~ $ find / -name fail2ba* -print
/var/pbx_load/fail2ban-required.tgz
/var/log/fail2ban.log
/var/run/fail2ban.pid
/etc/fail2ban.conf
/etc/rc.d/init.d/fail2ban
/usr/bin/fail2ban
/usr/lib/fail2ban
/usr/lib/fail2ban/fail2ban.py
/usr/lib/fail2ban/fail2ban.pyc
/usr/src/fail2ban
/usr/src/fail2ban/fail2ban-0.6.1-2jik.src.rpm
/usr/src/fail2ban/fail2ban.conf
/usr/src/fail2ban/fail2ban-0.6.1-2jik.noarch.rpm
/usr/share/doc/fail2ban-0.6.1

So I reckon what you are looking for is in /etc/fail2ban.conf

Joe
  #16  
10-07-08, 10:53 AM
TDF
Senior Member
 
Join Date: Jul 2008
Posts: 202
TomS

If you read my posts you would realise the voip-info guide is for a version of fail2ban that is very different to the one used by PiaF, it is structured completely differently so has no real relevance, one of my posts has some info that *may* get it working though.
  #17  
10-07-08, 11:02 AM
cosmicwombat
Guru
 
Join Date: Nov 2007
Posts: 477
Tom, I am just starting to look at this...
But I concur with Joe. /etc/fail2ban.conf
__________________
Robert Keller - VoIPologist
The VoIP Experience
Get Official FreePBX Training
  #18  
10-07-08, 12:34 PM
wardmundy
Nerd Uno
 
Join Date: Oct 2007
Posts: 3,881
Originally Posted by TDF
I didn't say it will work for certain, I said it might, I didn't pay it that much attention. I know your old version is set out different to the info in the wiki article, I *think* my instructions are relevant to your version though.

After some additional testing, the approach suggested does not appear to work with version 0.6.1 which currently is installed in PBX in a Flash systems.
  #19  
10-07-08, 01:31 PM
mmodahl
Junior Member
 
Join Date: Aug 2008
Posts: 6
Originally Posted by wardmundy
After some additional testing, the approach suggested does not appear to work with version 0.6.1 which currently is installed in PBX in a Flash systems.
I'm sorry to send you guys chasing the wrong goose. I completely forgot I had reinstalled fail2ban from source after the initial PiaF install.

I think TDF has the correct formatting for the PiaF version, but you might add "No matching peer found" as an additional regex test to prevent people fishing for extensions.
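Added example (not part of any post in this thread, and not fail2ban's own code): a Python sketch of the per-address failure counting a log-watching ban tool performs, run over constructed Asterisk chan_sip log lines, showing what matching "No matching peer found" in addition to "Wrong password" changes. The function names, the thresholds, the assumed year and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Asterisk's chan_sip NOTICE format (documentation IP ranges).
SAMPLE_LOG = """\
[Oct  7 09:00:00] NOTICE[2301] chan_sip.c: Registration from '"205" <sip:205@192.0.2.10>' failed for '198.51.100.77' - Wrong password
[Oct  7 11:00:00] NOTICE[2301] chan_sip.c: Registration from '"205" <sip:205@192.0.2.10>' failed for '198.51.100.77' - Wrong password
[Oct  7 13:00:01] NOTICE[2301] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct  7 13:00:02] NOTICE[2301] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct  7 13:00:03] NOTICE[2301] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Oct  7 13:00:04] NOTICE[2301] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct  7 13:05:00] NOTICE[2301] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.20' - Wrong password
[Oct  7 13:10:00] NOTICE[2301] chan_sip.c: Registration from '"205" <sip:205@192.0.2.10>' failed for '198.51.100.77' - Wrong password
"""

def failure_regex(reasons):
    # The peer address is read from the end of the line (anchored with $),
    # because the From header earlier in the line is supplied by the client.
    alt = "|".join(re.escape(r) for r in reasons)
    return re.compile(
        r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
        r"'.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - (?:" + alt + r")\s*$")

def hosts_to_ban(log_text, reasons=("Wrong password", "No matching peer found"),
                 max_failures=3, window=timedelta(minutes=10), year=2008):
    """Return {ip: peak failures inside the window} for hosts reaching max_failures."""
    pattern, recent, banned = failure_regex(reasons), defaultdict(list), {}
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        # Asterisk pads single-digit days with a space; normalise before parsing.
        stamp = f"{year} " + " ".join(m["ts"].split())
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            banned[ip] = max(banned.get(ip, 0), len(recent[ip]))
    return banned
```

With only "Wrong password" matched, the address that walks through non-existent extensions in the sample never reaches the threshold; with both messages matched it is flagged after the third attempt.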
  #20  
10-07-08, 02:07 PM
compuguy
Member
 
Join Date: Dec 2007
Posts: 74
I would concur that fail2ban is probably the best way to go. I don't agree that it is only people with tftp servers exposed etc.

Thinking it through, most probably nearly everyone who has external extensions and does not use a vpn will have port 5060 exposed to the internet and is probably using 3 digit extension numbers (I use more than 3 digits), so it would be pretty easy to write a script that went through all extensions from 100 to 999 with passwords matching the extensions to find a weakness.

You can use something like slping to see if there is something listening on a specific port such as 5060.

Let's face it, all ITSPs have port 5060 open to the internet for customers to connect and I presume it would be the same for IAX.

Putting strong passwords in will help, but as there is not an easy way to change passwords from a single source on a regular basis which would automatically update the password in the phones, another method has to be used in conjunction with a strong password.

Unfortunately for mobile users a vpn is not always an option because of the overhead put on by the vpn connection and of course there are some hotels who purposely block vpn ports.
All times are GMT -5.
Copyright ©2007-2008, Ward Mundy & Associates