Protecting asterisk from unauthorized connections. Improving Asterisk security. Disable notification about incorrect password

Attacks on Asterisk and similar PBXs are now an everyday occurrence. Incorrect configuration and ignorance of a few simple rules lead to direct financial losses for the enterprise that runs the Asterisk PBX: the attacker's calls are billed to the owner.

In this article we look at the basic security mechanisms of Asterisk 13 as installed, without covering Linux hardening. Below are a number of rules that will help secure your system:

1. Strong passwords and non-obvious logins on all network devices (Asterisk, IP phones, VoIP gateways).

Passwords for SIP accounts, administrators, Asterisk Manager (AMI) users and network devices must be at least 13 characters long and mix letters of both cases, digits and special characters. Do not use predictable logins such as admin, administrator, manager, etc., and never set a password equal to the login.

2. Correct SIP configuration in Asterisk – sip.conf.

To protect against scanners, change the standard SIP port, prohibit guest calls and registrations, disable overlap dialing and subscriptions to channel state information, and so on. A full description of the general sip.conf parameters is given in a separate article. Below is the sip.conf [general] section I configured for the Asterisk server, with comments:

[general]
context=default ;Default context for unauthenticated or unmatched calls; use one that only hangs up (see rule 7)
allowguest=no ;Prohibit guest (unauthenticated) calls
match_auth_username=no ;Do not match users on the authentication "username" field instead of From
allowoverlap=no ;Disable overlap dialing (digits sent one at a time)
;allowtransfer=no ;Would disable call transfers
realm=CUCM11.5(1)SU3 ;Our own realm instead of the default "asterisk", so the server does not advertise what it is
;domainsasrealm=no
;recordonfeature=automixmon
bindport=9050 ;Move SIP signaling off the standard port 5060
udpbindaddr=0.0.0.0 ;UDP listen address (default: all interfaces)
tcpenable=yes ;Enable TCP transport (needed, for example, for Avaya)
tcpbindaddr=0.0.0.0 ;TCP listen address (default: all interfaces)
;tlsenable=no
;tlsbindaddr=0.0.0.0
;tcpauthtimeout=30
;tcpauthlimit=100
;websocket_enabled=true
;websocket_write_timeout=100
transport=udp ;Default transport
srvlookup=yes ;Allow calls to DNS names (SRV lookup)
;pedantic=yes
;tos_sip=cs3
;tos_audio=ef
;tos_video=af41
;tos_text=af41
;cos_sip=3
;cos_audio=5
;cos_video=4
;cos_text=3
;maxexpiry=3600
;minexpiry=60
;defaultexpiry=120
;submaxexpiry=3600
;subminexpiry=60
;mwiexpiry=3600
;maxforwards=70
qualifyfreq=60 ;Check host availability every 60 seconds
;qualifygap=100
;qualifypeers=1
;keepalive=60
;notifymimetype=text/plain
;buggymwi=no
;mwi_from=asterisk
;vmexten=voicemail
;preferred_codec_only=yes
disallow=all ;Disallow all codecs first
allow=alaw ;then allow only G.711 A-law
allow=ulaw ;and G.711 u-law
;autoframing=yes
;mohinterpret=default
;mohsuggest=default
;parkinglot=plaza
language=ru ;Russian as the default prompt language
tonezone=ru ;Global tonezone ru
relaxdtmf=yes ;Relax DTMF detection for poorly recognized tones
;trustrpid=no
;sendrpid=yes
rpid_update=yes ;Send an immediate UPDATE to the other side when the line state changes
;trust_id_outbound=no
;prematuremedia=no
;progressinband=no
callerid=CUCM11.5(1)SU3 ;Default CallerID where none is configured
useragent=Cisco-SIPGateway/IOS-12.x ;Present ourselves as a Cisco SIP gateway instead of Asterisk
;promiscredir=no
;usereqphone=no
dtmfmode=rfc2833 ;Send keypad tones as RFC 2833 events
;compactheaders=yes
videosupport=yes ;Enable video calls
;textsupport=no
maxcallbitrate=2048 ;Maximum video bitrate
authfailureevents=yes ;Generate a PeerStatus: Rejected manager event when a peer fails authentication
alwaysauthreject=yes ;Reject with the same response whether the user exists or not: protects against user-name enumeration
auth_options_requests=yes ;Authenticate OPTIONS requests the same way as INVITEs
;accept_outofcall_message=no
;outofcall_message_context=messages
auth_message_requests=yes ;Authenticate MESSAGE requests
;g726nonstandard=yes
;outboundproxy=proxy.provider.domain:8080
;supportpath=yes
;rtsavepath=yes
;matchexternaddrlocally=yes
;dynamic_exclude_static=yes
;contactdeny=0.0.0.0/0.0.0.0
;contactpermit=172.16.0.0/255.255.0.0
;contactacl=named_acl_example
;rtp_engine=asterisk
;regcontext=sipregistrations
regextenonqualify=yes ;If qualify is enabled for a peer and it fails, remove its extension from regcontext
;legacy_useroption_parsing=yes
;send_diversion=no
;shrinkcallerid=yes
;use_q850_reason=no
;refer_addheaders=yes
autocreatepeer=no ;Never auto-create peers from unauthenticated registrations
t1min=200 ;Minimum round-trip time (ms) assumed for monitored hosts
;timert1=500
;timerb=32000
rtptimeout=600 ;Hang up if there is no RTP activity for 600 seconds
rtpholdtimeout=300 ;Hang up if a call on hold has no RTP activity for 300 seconds
;rtpkeepalive=
;session-timers=originate
;session-expires=600
;session-minse=90
;session-refresher=uac
;sipdebug=yes
;recordhistory=yes
;dumphistory=yes
;allowsubscribe=no
;subscribecontext=default
;notifyringing=no
;notifyhold=yes
;notifycid=yes
callcounter=yes ;Enable call counters (required for call-limit and device states)
t38pt_udptl=yes ;Enable T.38 fax passthrough over UDPTL (add ,fec for forward error correction)
faxdetect=yes ;Detect CNG tones and T.38 re-INVITEs
nat=auto_force_rport,auto_comedia ;Detect NAT automatically: honour rport and send media to the address/port the peer's packets actually came from, not what the SDP says
;media_address=172.16.42.1
;subscribe_network_change_event=yes
;icesupport=yes
directmedia=no ;Keep RTP flowing through Asterisk; do not let peers exchange media directly
;directrtpsetup=yes
;directmediadeny=0.0.0.0/0
;directmediapermit=172.16.0.0/16
;directmediaacl=acl_example
;ignoresdpversion=yes
sdpsession=SIP Call ;Change the SDP session name
sdpowner=CiscoSystemsSIP-GW-UserAgent ;Change the username in the SDP owner (o=) line
;encryption=no
;encryption_taglen=80
;avpf=yes
;force_avp=yes
;rtcachefriends=yes
;rtsavesysname=yes
;rtupdate=yes
;rtautoclear=yes
;ignoreregexpire=yes
;domain=customer.com,customer-context
;allowexternaldomains=no
;fromdomain=mydomain.tld
;snom_aoc_enabled=yes
jbenable=yes ;Enable the jitter buffer to compensate for delay variation
;jbforce=no
jbmaxsize=200 ;Maximum jitter buffer size, 200 ms
;jbresyncthreshold=1000
;jbimpl=fixed
;jbtargetextra=40
;jblog=no

3. Use a non-standard IAX port.

To do this, in the [general] section of /etc/asterisk/iax.conf change the parameter bindport=4569 to, for example, bindport=9069.

4. Asterisk must run as a dedicated unprivileged user (not root). How to do this is described in a separate article.

5. Set allowed IP addresses or networks for SIP extensions (deny/permit). The lines are evaluated in order and the last matching line wins, so the deny-all line must come first:

deny=0.0.0.0/0.0.0.0 ;Deny everything
permit=10.0.0.0/255.0.0.0 ;Allow known networks only
permit=172.20.0.0/255.255.0.0 ;Allow known networks only
permit=192.168.0.0/16 ;Allow known networks only

6. Set a limit on simultaneous calls per peer.

call-limit=2 ;Two channels, so that the user can still make a transfer; works together with callcounter=yes from the sip.conf above

7. Set different outgoing routing rules for each user.

Remove all default routes and assign your own, separated by context:

  • Local sets
  • Local calls
  • Zone calls
  • Long distance calls
  • International calls

A complete list of ABC and DEF codes (Russian geographic and mobile area codes) can be taken from the official Rossvyaz resource.
For the default context, leave only a hangup, so that a call that matched nothing else goes nowhere:

exten => _X.,1,Hangup()

8.

9.

10. Connect all telephone devices to a separate voice VLAN. This one needs the help of the network team.

11. Pay special attention to the international prefix 8-10.

Open only the international destinations the organization actually uses and add to them as needed. Also send an email notification when a user (or an attacker) dials an unknown international destination, and set a limit per connection and on the number of simultaneous calls. A ready-made solution for protecting the 8-10 direction is described in a separate article.

12. Disable unused channels and services.

For example, if you are not using MGCP or Skinny, disable those modules in /etc/asterisk/modules.conf. The list below also disables ARI, PJSIP, DAHDI, the console channels and the database CDR back ends that this chan_sip-only installation does not need. Note that once res_pjsip.so is not loaded, any remaining res_pjsip_*.so modules that depend on it fail to load with errors, so add noload lines for them too; after restarting, verify with 'module show like pjsip' in the Asterisk CLI:

[modules]
autoload=yes
noload => pbx_gtkconsole.so
noload => chan_alsa.so
noload => chan_console.so
noload => res_ari.so
noload => chan_dahdi.so
noload => codec_dahdi.so
noload => res_ari_device_states.so
noload => res_ari_applications.so
noload => res_ari_channels.so
noload => res_ari_events.so
noload => res_ari_playbacks.so
noload => res_ari_endpoints.so
noload => res_ari_recordings.so
noload => res_ari_bridges.so
noload => res_ari_asterisk.so
noload => res_ari_sounds.so
noload => res_pjsip.so
noload => cdr_mysql.so
noload => res_phoneprov.so
noload => cdr_odbc.so
noload => cdr_pgsql.so
;============================
; PBX --
noload => pbx_ael.so
; Channels --
noload => chan_mgcp.so
noload => chan_skinny.so
noload => chan_unistim.so
noload => chan_pjsip.so
noload => chan_modem.so
noload => chan_modem_aopen.so
noload => chan_modem_bestdata.so
noload => chan_modem_i4l.so
noload => chan_alsa.so
noload => chan_oss.so
; Codecs --
noload => codec_lpc10.so
; Formats --
noload => format_au.so
noload => format_gsm.so
noload => format_h263.so
noload => format_ilbc.so
noload => format_jpeg.so
; Applications --
noload => app_image.so
noload => app_zapateller.so
noload => app_zapbarge.so
noload => app_zapscan.so
noload => res_config_ldap.so

13. Restrict remote access to the IP PBX with a firewall.

If remote access for authorized employees is required, provide it over a VPN (for example OpenVPN) rather than exposing SIP and the management ports to the Internet.

14. Set restrictive permissions on the Asterisk directories.


chmod 755 install_apf_bfd.sh

./install_apf_bfd.sh

The APF config is located in /etc/apf/conf.apf

To start editing the file, use the following command:

nano /etc/apf/conf.apf

Set the IFACE_IN and IFACE_OUT for the network interface facing the Internet. For the network interface facing the local network, set IFACE_TRUSTED.

SET_TRIM="0"

APF can also mark packets for QoS (TOS). For SIP and IAX set the following:

TOS_8="21,20,80,4569,5060,10000_20000"

If you changed the SSH port, you would need to edit the conf.apf file to match that new port.

HELPER_SSH_PORT="2222"

Make sure to replace 2222 with the correct port number on which you choose to run SSH.

Inbound filtering is used to open ports for access; TCP and UDP have separate settings. For Asterisk (Trixbox) the following ports must be open; both TCP and UDP are listed. If you are not using TFTP, do not open port 69. Do not forget to change the SSH port, otherwise you will lock yourself out; here we use port 2222 from the previous example. We did not include the IAX ports in this installation: there is an easy way to allow only specific hosts to use IAX, which we cover later. This is convenient when IAX is used for inter-office trunks that should stay invisible from the outside.

IG_TCP_CPORTS="2222,69,80,5060,6600,10000_20000"
IG_UDP_CPORTS="69,5060,10000_20000"

I do not use outbound (egress) filtering, so it is not covered in this article. It is disabled by default, EGF="0".

To see the command line options, run apf without any flags.

#apf
apf(3402): (glob) status log not found, created
APF version 9.6
Copyright (C) 1999-2007, R-fx Networks
Copyright (C) 2007, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL
usage /usr/local/sbin/apf
-s|--start ......................... load all firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop .......................... stop (flush) all firewall rules
-l|--list .......................... list all firewall rules
-t|--status ........................ output firewall status log
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
-u|--remove HOST ................... remove host from *_hosts.rules and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options

To start APF we use the following commands:

# apf -s
apf(3445): (glob) activating firewall
apf(3489): (glob) determined (IFACE_IN) eth0 has address 192.168.1.31
apf(3489): (glob) determined (IFACE_OUT) eth0 has address 192.168.1.31
apf(3489): (glob) loading preroute.rules http://r-fx.ca/downloads/reserved http://feeds.dshield.org/top10-2.txt http://www.spamhaus.org/drop/drop.lasso
apf(3489): (sdrop) parsing drop.lasso into /etc/apf/sdrop_hosts.rules
apf(3489): (sdrop) loading sdrop_hosts.rules
apf(3489): (glob) loading common drop ports
..........trimmed for this document.........
apf(3489): (glob) default (ingress) input drop
apf(3445): (glob) firewall initialized
apf(3445): (glob) !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.

We can see that APF has started and downloaded several block lists from dshield.org and spamhaus.org. Now test logging into the Asterisk (Trixbox) server over SSH to make sure everything is configured correctly. If you cannot connect, wait 5 minutes and APF will flush its rules by itself; that is what development mode is for. Once you are sure SSH login works, change DEVEL_MODE="1" to DEVEL_MODE="0" in conf.apf and restart APF. It will then start without the DEVELOPMENT MODE warning and keep the rules permanently.

APF: additional tuning

The setup does not end there if you want to connect your Asterisk (Trixbox) servers to each other over IAX: the IAX ports have to be allowed in conf.apf. This works with static IP addresses or DynDNS names. The apf -a command allows all access from a specific host, bypassing the firewall rules:

apf -a 192.168.1.216

This lets 192.168.1.216 connect to any port on the firewalled server, bypassing the firewall rules. If you run APF on both Asterisk (Trixbox) servers, do the same on the other host with the correct IP address.

APF also lets the administrator block a host or an entire subnet. This is convenient when you see someone trying to connect to your machine over FTP, Telnet, SSH and so on. To block a specific host (substitute the address you want to block):

apf -d 192.168.1.216

To block a complete subnet (CIDR):

apf -d 202.86.128.0/24

APF applies its QoS (TOS) marking to TCP packets only. This is easy to fix: the rules are generated in /etc/apf/internals/functions.apf, which we edit by hand. Find the TOS_ section; each TOS_ block looks like the one below, where the udp line is the single line we add:

if [ ! "$TOS_0" == "" ]; then
        for i in `echo $TOS_0 | tr "," " "`; do
                i=`echo $i | tr "_" ":"`
                $IPT -t mangle -A PREROUTING -p tcp --sport $i -j TOS --set-tos 0
                $IPT -t mangle -A PREROUTING -p udp --sport $i -j TOS --set-tos 0
        done
fi

Add the same udp line to every TOS_ block you use (TOS_8 in our case).

B.F.D.

BFD (Brute Force Detection) detects unauthorized login attempts (dictionary attacks) by counting failed logins per source address.

The BFD configuration file is /usr/local/bfd/conf.bfd. Like the APF file it is heavily commented; we look at only a few settings.

The first variable is TRIG: the number of failed attempts before the attacker is blocked. The default is 15. Note that this is counted per source IP address, not per account: 15 failed logins from one IP address using different accounts still result in a block.

BFD has a nice feature: it can send an email when a brute-force attack is detected. To enable it, set EMAIL_ALERTS to 1 and do not forget to set the destination address in EMAIL_ADDRESS.

BFD is run by cron every 3 minutes; the cron entry is in /etc/cron.d.

You can get a list of banned IP addresses using the command:

To start BFD use the following command:

bfd -s

Summary

This completes our review of Asterisk (Trixbox) security.

This article discusses only the basic principles of Asterisk (Trixbox) protection. Naturally, building secure VoIP systems is not limited to this.

You can read the original article at the link

Date: 09:56 07/28/2018

There are many stories on the Internet about Asterisk being hacked and the owner then being billed by the operator. One of them concerned a small company in Australia that managed to lose $15,000-20,000. Nobody wants to be in that situation, so it is much better, without waiting for trouble, to carry out a set of measures that significantly reduces the number of ways in and minimizes the damage.

Non-standard port instead of 5060

If at all technically possible, ALWAYS change the standard port 5060 to another one; the further it is from the standard, the better. Attackers find an Asterisk very quickly simply by scanning ports across address ranges: the first attempts to guess my password were logged within three days of the Asterisk going online.
The port is set in the [general] section of sip.conf:

bindport=5060 => bindport=5172

After this the number of brute-force attempts drops almost to zero. Keep in mind that this only hides the server from mass scanners; it does not replace strong passwords, deny/permit and a firewall.

Setting up a firewall

We prohibit connections to the Asterisk port from outside; this removes the ability to guess passwords. However, some SIP telephony providers do not work unless they can reach your port 5060 themselves; in that case allow access to this port from that provider's server only. I once spent several days wondering why there was no connection with Beeline, then opened their IP to my port 5060 and the connection appeared.

Disable guest calls

If you do not need to receive calls without registration, be sure to turn off the following option in sip.conf:
allowguest=yes => allowguest=no ; Allow or reject guest calls (default is yes)

Disable notification about incorrect password

Almost everyone has Asterisk accounts such as 100, 200, 700 and so on. With alwaysauthreject=no, Asterisk returns one error for a wrong password on an existing account and a different one for a non-existent account. With password-guessing software an attacker can quickly walk through all short numbers and then guess passwords only for the accounts that answered "incorrect password". To prevent this enumeration, set the option in sip.conf:
alwaysauthreject=no => alwaysauthreject=yes
After this Asterisk gives the same response to every failed authorization. Since Asterisk 1.8 this is already the default, but check the effective value with 'sip show settings' in the CLI.

We use complex passwords for accounts

Any password can be guessed; the only question is how long it takes. Since SIP devices are configured once and for a long time, do not skimp on complex passwords. I use long passwords mixing upper- and lower-case letters and digits, like this: secret=f64GCD74ssdZ42

BE SURE to remove all passwords that match the login. Those are the first ones attackers try.

We use deny/permit for accounts

A must! Add the following lines to every account that does not need to connect from the Internet:

deny=0.0.0.0/0.0.0.0
permit=10.1.1.0/24
permit=10.1.2.0/24

Here 10.1.1.0/24 and 10.1.2.0/24 are the local address ranges the phones connect from; Asterisk will not accept connections from any other address. The lines are evaluated in order, so the deny-all line must come first.

Setting a call limit

call-limit=1 ;One simultaneous call per account (use 2 if the user must be able to transfer calls)
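The rules above (13-character mixed passwords, no password equal to the login, no predictable logins, deny/permit on every account, call-limit, allowguest=no, alwaysauthreject=yes, a non-standard bindport) are easy to state and easy to forget on one peer out of fifty. The script below is an added example, not code from the original articles: it parses a chan_sip sip.conf (including [name](!) templates and [peer](template) inheritance) and reports every section that violates one of those rules. SAMPLE_SIP_CONF is a constructed demo input; the list of predictable logins and the 13-character minimum are this example's own choices taken from the text above.

```python
"""Audit a chan_sip sip.conf for the weaknesses discussed on this page.

Added example, not code from the original articles. SAMPLE_SIP_CONF is a
constructed demo input, not a real deployment.
"""
import re
from collections import OrderedDict

MIN_SECRET_LEN = 13                           # rule 1 of the first article
BAD_LOGINS = {"admin", "administrator", "manager", "root", "test", "user"}
SECTION_RE = re.compile(
    r"^\[(?P<name>[^\]()]+)\](?P<tmpl>\(!\))?(?:\((?P<parents>[^)]*)\))?$")


def parse_sip_conf(text):
    """Return OrderedDict section -> list of (key, value), templates expanded."""
    sections, templates, current = OrderedDict(), {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            entries = []
            for parent in (m.group("parents") or "").split(","):
                entries.extend(templates.get(parent.strip(), []))
            if m.group("tmpl"):               # [name](!) declares a template
                templates[m.group("name")] = entries
                current = None
            else:
                sections[m.group("name")] = entries
                current = entries
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.lstrip(">").strip()))
    return sections


def last(entries, key, default=None):
    """Last value wins, as in Asterisk's own config loader."""
    value = default
    for k, v in entries:
        if k == key:
            value = v
    return value


def weak_secret(name, secret):
    """Return the reasons a secret is weak; an empty list means it passes."""
    if not secret:
        return ["no secret set"]
    reasons = []
    if secret.lower() == name.lower():
        reasons.append("secret equals the account name")
    if len(secret) < MIN_SECRET_LEN:
        reasons.append("shorter than %d characters" % MIN_SECRET_LEN)
    if not (re.search(r"[a-z]", secret) and re.search(r"[A-Z]", secret)):
        reasons.append("no mixed case")
    if not re.search(r"[0-9]", secret):
        reasons.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", secret):
        reasons.append("no special character")
    return reasons


def audit(text):
    """Return {finding: [section names]} for everything that violates the rules."""
    findings = {}

    def add(finding, section):
        findings.setdefault(finding, []).append(section)

    conf = parse_sip_conf(text)
    general = conf.get("general", [])
    if last(general, "allowguest", "yes") != "no":         # chan_sip default is yes
        add("allowguest is not 'no'", "general")
    if last(general, "alwaysauthreject", "yes") != "yes":  # default yes since 1.8
        add("alwaysauthreject is not 'yes'", "general")
    if last(general, "bindport", "5060") == "5060":
        add("SIP still on the standard port 5060", "general")
    for name, entries in conf.items():
        if name in ("general", "authentication"):
            continue
        if name.lower() in BAD_LOGINS:
            add("predictable account name", name)
        for reason in weak_secret(name, last(entries, "secret")):
            add("weak secret: " + reason, name)
        keys = {k for k, _ in entries}
        if "acl" not in keys and not {"deny", "permit"} <= keys:
            add("no deny/permit ACL", name)
        if "call-limit" not in keys:
            add("no call-limit", name)
    return {f: sorted(set(s)) for f, s in findings.items()}


SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=yes
alwaysauthreject=no
bindport=5060

[phone](!)
type=friend
host=dynamic
context=internal

[100](phone)
secret=100

[admin](phone)
secret=Sup3r!Secret#Long
deny=0.0.0.0/0.0.0.0
permit=10.1.1.0/255.255.255.0
call-limit=2

[201](phone)
secret=f64GCD74ssdZ42!
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/16
call-limit=1
"""   # constructed demo config

if __name__ == "__main__":
    for finding, where in audit(SAMPLE_SIP_CONF).items():
        print("%s: %s" % (finding, ", ".join(where)))
```

Run it against a real file with audit(open("/etc/asterisk/sip.conf").read()). Only the peer 201 in the sample passes every check; 100 is the classic "secret equals extension" account that the scanners in the stories above are looking for.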

We don't use the default context unnecessarily

We don't need it. Everything that should be in default:

exten => _X.,1,Hangup()

We do not make one universal rule for all calls

Let's say no to rules like:

exten => _X.,1,Dial(SIP/${EXTEN}@operator)

We explicitly list all the number combinations that are passed to the operator. If international calls are not needed, do not describe rules for them at all: almost all hacks are used to make calls abroad.

;Emergency services
exten => _0X,1,Dial(SIP/${EXTEN}@operator)
exten => _0X,n,Hangup()
;Moscow
exten => _8495XXXXXXX,1,Dial(SIP/${EXTEN}@operator)
exten => _8495XXXXXXX,n,Hangup()
exten => _8499XXXXXXX,1,Dial(SIP/${EXTEN}@operator)
exten => _8499XXXXXXX,n,Hangup()
exten => _XXXXXXX,1,Dial(SIP/${EXTEN}@operator)
exten => _XXXXXXX,n,Hangup()
;Intercity Russia/Mobile
exten => _8XXXXXXXXXX,1,Dial(SIP/${EXTEN}@operator)
exten => _8XXXXXXXXXX,n,Hangup()
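Whitelist-style routing (rule 7 of the first article and the dialplan just above) is only as good as the patterns in it, and a pattern can be wider than it looks. The script below is an added example, not code from the original articles: it implements Asterisk extension pattern matching (X, Z, N, [..] sets, '.' and '!') and runs dialed numbers through a table equivalent to the dialplan above, so you can see where a number would go before deploying the rules. It also shows one gap in that dialplan: an 11-digit number starting with 810 (the international prefix 8-10) satisfies _8XXXXXXXXXX and would be routed as an intercity call. The tightened pattern _8[3489]XXXXXXXXX is this example's own suggestion and assumes the Russian numbering plan, in which ABC/DEF area codes start with 3, 4, 8 or 9; the dialed numbers are constructed test inputs.

```python
"""Offline check of the whitelist-style outbound routing described above.

Added example; not code from the original articles. Numbers and the
tightened intercity pattern are this example's own.
"""
import re


def pattern_to_regex(pattern):
    """Translate an Asterisk extension pattern (leading '_') into a regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")   # literal extension
    out, i = [], 1
    while i < len(pattern):
        c = pattern[i]
        if c == "X":
            out.append("[0-9]")
        elif c == "Z":
            out.append("[1-9]")
        elif c == "N":
            out.append("[2-9]")
        elif c == "[":                       # character set, e.g. [3489] or [2-9]
            j = pattern.index("]", i)
            out.append("[" + pattern[i + 1:j] + "]")
            i = j
        elif c == ".":
            out.append(".+")                 # one or more of anything (must be last)
        elif c == "!":
            out.append(".*")                 # zero or more of anything (must be last)
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")


# Rules from the dialplan above. First match wins here; Asterisk chooses the
# most specific match, and the list is ordered so that both agree.
ROUTES_ARTICLE = [
    ("_0X", "emergency"),
    ("_8495XXXXXXX", "moscow"),
    ("_8499XXXXXXX", "moscow"),
    ("_XXXXXXX", "local"),
    ("_8XXXXXXXXXX", "intercity"),
]
# Assumption of this example: Russian ABC/DEF area codes start with 3, 4, 8
# or 9, so an intercity number never has 1 as its second digit. Excluding it
# keeps an 11-digit 810... number (international prefix) out of the
# intercity rule.
ROUTES_TIGHT = ROUTES_ARTICLE[:-1] + [("_8[3489]XXXXXXXXX", "intercity")]
# The catch-all the article says not to use.
ROUTES_CATCHALL = [("_X.", "operator")]


def route(number, routes):
    """Return the destination for a dialed number, or 'hangup' if nothing matches."""
    for pattern, dest in routes:
        if pattern_to_regex(pattern).match(number):
            return dest
    return "hangup"


if __name__ == "__main__":
    for n in ("01", "1234567", "84951234567", "89161234567",
              "81012125550100", "81012345678"):
        print(n, route(n, ROUTES_ARTICLE), route(n, ROUTES_TIGHT),
              route(n, ROUTES_CATCHALL))
```

Feed it the numbers from your operator's bills and from the international destinations you explicitly want open; anything that comes back as "intercity" or "local" when it should have been "hangup" is a pattern to tighten.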

In today’s article we’ll talk about how to protect an IP PBX from unauthorized access and give some simple tips, following which you can significantly increase the security of your telephone exchange. The examples that will be given in this article relate to Asterisk-based IP-PBXs, but many of them apply to all VoIP-PBXs without exception.

First, let's figure out what security holes threaten and what consequences a business faces if an attacker gains access to an IP PBX.

Hacking threat

Unlike a hacked personal computer or mailbox, a hacked PBX means free calls for the hacker that the PBX owner has to pay for. There are many cases of hackers running up enormous bills after spending only a few hours on a compromised PBX.

As a rule, attackers target IP PBXs that are reachable from the public network. Using SIP scanners and probing the system for weaknesses, they pick their targets. Default passwords, an open SIP port, a misconfigured firewall or no firewall at all: any of these can lead to unauthorized access.

Fortunately, all these weaknesses can be fixed, and completely free of charge.

Simple steps to improve security

As you can see, protecting an IP-PBX from external intrusions is not so difficult; by following the suggested tips, you can significantly increase the security and reliability of the system.

As you know, Asterisk is an IP telephony application (server): it lets the clients connected to it call each other and the outside world, using telephone lines among other things. This creates the following risks:

  1. clients are identified by login/password and, as a rule, also by IP address. A password can always be guessed (sooner or later, depending on its complexity), and very often the IP restrictions are far less strict than they should be (ideally each client has its own fixed IP address);
  2. incoming calls from the Internet (for example from other Asterisk servers). These are harder to control, since Asterisk in its basic configuration does not log the IP addresses the connections come from.

fail2ban together with a firewall (for example iptables) and a properly configured Asterisk (one that writes full information to its logs, including the IP addresses of clients and other servers) lets you block connection attempts and password guessing effectively.

Before you start, install iptables and fail2ban. iptables must already be configured (and allow connections to Asterisk) before fail2ban is configured! How to set up iptables is covered in a separate article (setting up iptables for Asterisk). You can also install fail2ban before Asterisk itself; in that case, at least in theory, recent Asterisk versions detect fail2ban during installation and configure it automatically. However:

  1. IP telephony security is not always considered before Asterisk is installed, so most likely you will be adding fail2ban to a system where Asterisk is already installed and configured.
  2. The automatic configuration does not work in all cases, let alone work correctly (and block all attacks against Asterisk).

Setting up asterisk logging

First of all, it makes sense to set up Asterisk logging so that the information is collected in the format we need from the start. In the Asterisk configuration directory (/etc/asterisk by default) open logger.conf and uncomment (remove the semicolon at the start of) the line:

dateformat=%F %T ; ISO 8601 date format

This makes Asterisk write the date in the logs in the form
year-month-day hours:minutes:seconds

Starting from Asterisk 10 you can also enable the Asterisk Security Framework log. In logger.conf, find and uncomment (or add) the line:

security => security

On the left of the arrow is the name of the file the events are written to, on the right the levels (event types) written to it. In this example security-level events (and only those) are written to a file called security in the Asterisk log directory.
After changing the configuration Asterisk must re-read it: either reload the whole service or only the logger configuration (logger reload from the Asterisk CLI).

After this a file named security appears in the Asterisk log directory (/var/log/asterisk by default). Do not forget to set up log rotation for this file, the same as for the other Asterisk logs!

Setting up filtering rules

Now we need to create a filter that extracts potentially dangerous events (wrong login/password, login attempt from an unauthorized IP address, and so on) from the general Asterisk message flow. It must not only detect such events but also extract the IP address the action came from; that is, we are not just looking for specific lines in the Asterisk log files but defining filtering rules with a capture group for the host.
Filtering rules go in /etc/fail2ban/filter.d/asterisk.conf. Here is a sample of this file:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Asterisk 1.8 uses Host:Port format which is reflected here

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Older Asterisk versions log only the host, while from version 1.8 the log lines carry the port as well (Host:Port), which is why the file has lines both with and without ':.*' after <HOST>. The filter takes both the old and the new format into account, so nothing needs to be changed in it.

For Asterisk 10 and higher, if you enabled the security log as described above, do not forget to create filtering rules for that log as well.

Filtering rules can be written in a file. Here is a sample of the contents of this file

Setting up the jails

Now we need to describe the so-called jails ("isolators"): they link our filters to the log files in which the lines should be searched and define what to do when they are found.

To do this, open the fail2ban jail configuration file and:

  1. Make sure no other jail is already bound to the Asterisk log: search the file for the name of the Asterisk log file and, for every jail that references it, make sure it is disabled (enabled = false).
  2. If your Asterisk is older than version 10, or you do not want to use the security log (not using it is not recommended), you only need one jail; otherwise create two.

Jail No. 1: the main log

This jail must be created for all Asterisk versions. You can create a new jail or modify one of the existing (disabled) ones. In our example the jail works together with iptables and is applied to the main Asterisk log file, the one in which all the main event types are saved; which file that is on your installation is defined in logger.conf.

The jail has the following settings: whether it is enabled (enabled); the filter to use (filter), i.e. the name of a file in /etc/fail2ban/filter.d, here the asterisk filter described above; the log file to apply the filter to (logpath), here the main Asterisk log; how many matches trigger the action (maxretry); for how long, in seconds, the action applies (bantime); the window, in seconds, within which matches are counted (findtime); what to do when the filter detects an attack (action), in our case block all ports for that address with iptables and send an email; and the list of addresses and subnets for which all events are ignored (ignoreip).

Jail No. 2: the security log

This jail works only on Asterisk 10 or newer, and only if the security log described above is enabled. Again, you can create a new jail or modify an existing disabled one. In our example it also works together with iptables and uses the file security in the Asterisk log directory.

Its settings are the same as for the first jail: enabled, the filter for the security log (filter), logpath pointing at the security file, maxretry, bantime, findtime, the action (block all ports for the address and send an email) and ignoreip for the trusted subnets.
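The filter above and the jail settings just described are two halves of one mechanism: the failregex lines extract a host from each matching log line, and the jail decides when a host has earned a ban. The script below is an added example, not code from the original article or from fail2ban itself. It expands the <HOST> tag the way the filter comment describes, applies a subset of the failregex lines to constructed Asterisk log lines (in the messages-file format produced by dateformat=%F %T from logger.conf) and then applies the jail semantics: a host is banned once maxretry matches fall inside findtime seconds, unless it is covered by ignoreip. The maxretry, findtime and ignoreip values and all log lines are this example's own assumptions, not the article's.

```python
"""fail2ban-style detection over constructed Asterisk log lines.

Added example; not code from the original article or from fail2ban.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"   # what fail2ban substitutes for <HOST>

# Subset of the failregex lines from the filter above.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEX]
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")   # dateformat=%F %T


def extract_host(line):
    """Return the offending address if the line matches a failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def scan(log_text, maxretry, findtime, ignoreip=()):
    """Return ({host: [timestamps]}, [banned hosts]) using jail semantics."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignoreip]
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, host = parse_ts(line), extract_host(line)
        if ts and host:
            hits[host].append(ts)
    banned = []
    for host, times in hits.items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None                     # a hostname; never whitelisted here
        if addr and any(addr in net for net in ignore_nets):
            continue                        # ignoreip: events are ignored
        times.sort()
        # sliding window: maxretry matches whose span fits inside findtime
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return dict(hits), banned


# Constructed sample log: one scanner, one mistyped phone on the LAN, one slow
# guesser outside the window, and a VERBOSE line the filter must not count.
SAMPLE_LOG = """\
[2018-07-28 09:56:01] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '203.0.113.10:5060' - Wrong password
[2018-07-28 09:56:02] NOTICE[2291] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '203.0.113.10:5060' - No matching peer found
[2018-07-28 09:56:03] NOTICE[2291] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '203.0.113.10:5060' - Wrong password
[2018-07-28 09:56:04] NOTICE[2291] chan_sip.c: No registration for peer '200' (from 203.0.113.10)
[2018-07-28 09:57:00] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@192.168.1.50>' failed for '192.168.1.50:5060' - Wrong password
[2018-07-28 09:57:05] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@192.168.1.50>' failed for '192.168.1.50:5060' - Wrong password
[2018-07-28 09:57:10] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@192.168.1.50>' failed for '192.168.1.50:5060' - Wrong password
[2018-07-28 09:57:15] NOTICE[2291] chan_sip.c: Registration from '"100" <sip:100@192.168.1.50>' failed for '192.168.1.50:5060' - Wrong password
[2018-07-28 10:30:00] NOTICE[2291] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[2018-07-28 11:30:00] NOTICE[2291] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[2018-07-28 12:30:00] NOTICE[2291] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[2018-07-28 12:30:01] VERBOSE[2291] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
"""

if __name__ == "__main__":
    hits, banned = scan(SAMPLE_LOG, maxretry=3, findtime=600,
                        ignoreip=("192.168.0.0/16",))
    for host, times in hits.items():
        print(host, len(times), "BANNED" if host in banned else "")
```

With maxretry=3 and findtime=600 the scanner at 203.0.113.10 is banned, the LAN phone at 192.168.1.50 is spared only because of ignoreip, and 198.51.100.7 is never banned because its three failures are an hour apart. That last case is the reason to keep findtime generous for slow, low-rate guessing.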

Launch

Now you need to start or restart and if necessary, for example has not yet been started

To start it for the first time, run the following command

To restart run the following command

To check that it started successfully and the rule is loaded, run the following command

and, if there is a second rule,

To display a list of rules, run the following command

If you have just installed , do not forget to make sure that it is configured to start automatically when the system boots.

Checking that it works

The main thing during verification is to have another computer or local access to the server at hand, so that if your address is blocked you can still connect and remove the block.

It is necessary to check that the whole combination works, because even if you have configured or copied everything correctly, many combinations of events can result in the blocks you have set up not working.

Sequence of actions to check that the combination works

  1. Make sure that it is set to start automatically when the system boots.
  2. If you have configured rules for , we strongly recommend checking the operation of each of them separately. To do this, disable one of the rules, for example
  3. Restart the computer and check that:
    1. the services are running
    2. one of the rules is enabled and the other is disabled

      In this case, a message will appear for the disabled rule

      and for the enabled rule a message of the form

  4. Be sure to start the client, either from the server itself or from another computer, specifying incorrect authorization data. The connection address must be the server address. Try to log in once or several times; the maximum number of failed authorizations after which the address is blocked is specified in the parameter of each rule separately. As a test client, you can use a program that runs from the command line
  5. If you started the client on the same computer from which you are connected to the server, and the settings were configured correctly, your address is now blocked and you cannot connect to the server from this computer; check this. Connect from another computer or locally and continue executing the commands
  6. Run a command like

    for the enabled rule and make sure that the address from which the client connected is in the blocked list

  7. Now, similarly to the actions in paragraph , enable the second rule, for example , and disable the first
  8. Follow the steps in paragraph , but instead of rebooting the computer you can simply restart the service. After this, the address of the computer on which you started the client will be unblocked immediately. Wait seconds and then restart the service again
  9. After you have checked the operation of both rules separately, do not forget to enable them both, for and for , with the parameter. After that, of course, do not forget to restart the service
  10. And the last point: if you completed the previous points quickly enough, within a few minutes, it may turn out that after enabling both rules the subsequent restart will again block the address from which you started the client
    Be careful

Rule management

Temporarily disabling address blocking

To do this, you need to use the service. First we display the list of rules on the console, then select the ones from which the address needs to be removed from the ban.

To view the list of rules, enter the command

You will see a message like the following

We are interested in removing from the ban the address , which, as we can see, is in the chain of the rule called . Enter the command

If the command executes successfully, no messages will appear, and if we now run the command again

then we see that the address has disappeared from the block list, although it remains blocked. At the same time, we can connect to the server again

Permanently disable address blocking

In order not to block a specific address or several addresses, regardless of how many unsuccessful password-guessing attempts and other illegal actions they have performed, you need to make additional settings in the file

Each rule in the file may contain a parameter that specifies the list of whitelisted addresses for this rule. Since there can be two rules, note that must be specified in both rules

The parameter has the following form

That is, you can register individual addresses or subnets; in this case and get into the white list

Unblocking the address from which testing was carried out

While checking the correctness of the settings, you will repeatedly run the client to test the blocking of future attacks from the Internet, and in the course of subsequent work you may also need from time to time to perform actions that can result in your own address being blocked, whether for a day or for a year.

There are several ways to solve this problem

  1. Add the address to the list in the rules, but sometimes this may be undesirable, for example when carrying out periodic testing of the blocking
  2. Typically the time (the duration of the interval in seconds within which the password-guessing event must be repeated times for the ban to take effect) is much less than the ban time (the time in seconds after which the address is removed from the list of blocked ones). Wait for to expire after your address was banned and then restart the service. When the service is restarted, all blocks are cancelled. However, on subsequent startup the logs are analyzed again, so if the log entries from the unsuccessful connection attempts still fall within , the address will be banned again immediately after launch

Configuration testing

You can check how the filter will be applied to a particular log file. To do this, run the command

Where in this example is the path to the log file to be filtered and is the filter itself, which contains the fragments of the error messages that must be present in the log in order to ban attacker addresses

Finally, instead of restarting, you can run the following command

Links to sources

Materials were taken in particular from the official website ; the regexp and rules for asterisk were taken from the section