Настройка iptables + fail2ban, правильная настройка ?

[maza11]

Настраивали нам asterisk другие ребята, в качестве защиты сказали, что настроили iptables и fail2ban
на данный момент файлы выглядят так

/etc/fail2ban/jail.conf

Код: Выделить всё

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime  = 600
maxretry = 5

[asterisk]
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 10 

/etc/fail2ban/filter.d/asterisk.conf

Код: Выделить всё

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

ignoreregex = 

iptables.rules (IP адреса скрыл маской XXX)

Код: Выделить всё

# Generated by iptables-save v1.6.0 on Wed Sep  9 16:34:07 2020
*filter
:INPUT ACCEPT [48:8022]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46:17707]
:f2b-asterisk-tcp - [0:0]
:f2b-asterisk-udp - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p udp -m multiport --dports 5060,5061 -j f2b-asterisk-udp
-A INPUT -p tcp -m multiport --dports 5060,5061 -j f2b-asterisk-tcp
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-asterisk-tcp -s 217.24.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 91.203.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 185.108.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -j RETURN
-A f2b-asterisk-udp -s 217.24.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 91.203.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 185.108.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Wed Sep  9 16:34:07 2020 

Выглядит это все как то мало, достаточно ли таких настроек и правил для обеспечения безопасности или нужно требовать от них еще что-то ?
Если есть готовые примеры правильных настроек конфигов, прошу посоветовать.

[ded]

Неважно как выглядят эти файлы, главное - работает, или нет? Ребята настраивали за спасибо, или за деньги?
Проверить работу надо в любом случае, тестирование - это важная часть полноценного проекта инсталляции/внедрения.

Тестируйте с внешки, как результат - атакующий адрес должен попадать в правила fail2ban и будет виден через вывод команды
iptables-save
и вам на почту должно приходить вот такое -

PRIME_BBCODE_SPOILER_SHOW PRIME_BBCODE_SPOILER:

Hi,

The IP 156.96.156.154 has just been banned by Fail2Ban after
1 attempts against asterisk.


Here is more information about 156.96.156.154 :


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry ... reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#


NetRange: 156.96.0.0 - 156.96.255.255
CIDR: 156.96.0.0/16
NetName: NEWTREND
NetHandle: NET-156-96-0-0-1
Parent: NET156 (NET-156-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: NEWTREND (NEWTRE)
RegDate: 1991-12-23
Updated: 1998-11-20
Ref: https://rdap.arin.net/registry/ip/156.96.0.0


OrgName: NEWTREND
OrgId: NEWTRE
Address: FastLink Network - Newtrend Division
Address: P.O. Box 17295
City: Encino
StateProv: CA
PostalCode: 91416
Country: US
RegDate: 1991-12-23
Updated: 2011-09-24
Ref: https://rdap.arin.net/registry/entity/NEWTRE


OrgAbuseHandle: KT87-ARIN
OrgAbuseName: Thompson, Keith
OrgAbusePhone: +1-818-908-8900
OrgAbuseEmail: keith@fastlink.net
OrgAbuseRef: https://rdap.arin.net/registry/entity/KT87-ARIN

OrgTechHandle: KT87-ARIN
OrgTechName: Thompson, Keith
OrgTechPhone: +1-818-908-8900
OrgTechEmail: keith@fastlink.net
OrgTechRef: https://rdap.arin.net/registry/entity/KT87-ARIN

RTechHandle: KT87-ARIN
RTechName: Thompson, Keith
RTechPhone: +1-818-908-8900
RTechEmail: keith@fastlink.net
RTechRef: https://rdap.arin.net/registry/entity/KT87-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry ... reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#

Regards,

Fail2Ban

Hi,

The IP 141.98.10.209 has just been banned by Fail2Ban after
2 attempts against SSH.


Here are more information about 141.98.10.209:

[Querying whois.arin.net]
[Redirected to whois.ripe.net]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '141.98.10.0 - 141.98.10.255'

% Abuse contact for '141.98.10.0 - 141.98.10.255' is 'admin@serveroffer.lt'

inetnum: 141.98.10.0 - 141.98.10.255
netname: LT-HOSTBALTIC-10
country: LT
admin-c: PV7242-RIPE
tech-c: PV7242-RIPE
status: ASSIGNED PA
mnt-by: mnt-lt-hostbaltic-1
created: 2019-01-10T13:11:38Z
last-modified: 2019-01-10T13:11:38Z
source: RIPE

person: Paulius Vancugovas
address: Draugystes g. 19
address: 51230
address: Kaunas
address: LITHUANIA
phone: +37067358624
nic-hdl: PV7242-RIPE
mnt-by: mnt-lt-hostbaltic-1
created: 2019-01-08T13:14:38Z
last-modified: 2019-01-09T13:14:40Z
source: RIPE

% Information related to '141.98.10.0/24AS209605'

route: 141.98.10.0/24
origin: AS209605
mnt-by: mnt-lt-hostbaltic-1
created: 2019-01-23T11:43:09Z
last-modified: 2019-01-23T11:43:09Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.97.2 (HEREFORD)

[maza11]

в консоли почти каждую секунду валят вот такие сообщения

Код: Выделить всё

[Sep 10 20:06:38] WARNING[775]: chan_sip.c:4071 retrans_pkt: Retransmission timeout reached on transmission 873803175464118949813469 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep 10 20:06:39] WARNING[775]: chan_sip.c:4071 retrans_pkt: Retransmission timeout reached on transmission 1260768003-1350377326-448294450 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep 10 20:06:39] NOTICE[775]: chan_sip.c:28499 handle_request_register: Registration from '<sip:425@217.24.ХХХ.XXX>' failed for '185.147.215.14:55512' - Wrong password
[Sep 10 20:06:42] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 421431579-1884412789-314282804 on non-critical invite transaction.
[Sep 10 20:06:42] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1351424876-2060156436-844312840 on non-critical invite transaction.
[Sep 10 20:06:43] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1474587606-1405287506-1919306947 on non-critical invite transaction.
[Sep 10 20:06:43] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1048717179-730587226-941074481 on non-critical invite transaction.
[Sep 10 20:06:44] NOTICE[775][C-0000ac7e]: chan_sip.c:26179 handle_request_invite: Failed to authenticate device <sip:5601@217.24.161.98>;tag=264959152

вывод команды
iptables-save
выдает

Код: Выделить всё

root@voip:/etc/asterisk# iptables-save
# Generated by iptables-save v1.6.0 on Thu Sep 10 20:13:12 2020
*filter
:INPUT ACCEPT [302:40160]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134:63792]
:f2b-asterisk-tcp - [0:0]
:f2b-asterisk-udp - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p udp -m multiport --dports 5060,5061 -j f2b-asterisk-udp
-A INPUT -p tcp -m multiport --dports 5060,5061 -j f2b-asterisk-tcp
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-asterisk-tcp -s 46.98.123.249/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 185.108.ХХХ.ХХХ/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 91.203.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 212.83.140.205/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 217.24.ХХХ.ХХХ/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -j RETURN
-A f2b-asterisk-udp -s [b]46.98.123.249[/b]/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 185.108.ХХХ.ХХХ/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 91.203.ХХХ.ХХХ/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 212.83.140.205/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 217.24.ХХХ.ХХХ/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Thu Sep 10 20:13:12 2020
root@voip:/etc/asterisk#

где 46.98.123.249 это IP мой домашний с него я пытался 10 раз подключиться с неправильным паролем
собственно такое количество ошибок 4130 и наталкивает меня на мысль, а все ли нам правильно настроили
настраивали за деньги, но договора как такого го нет, и теперь на вопросы почему не настроенна переадресация, перехват и т.д. он говорят ,а вы этого не просили
поэтому фиг его знает что они тут настроили

[ded]

Хотели без проработанного ТЗ, без договора, и подешевле, так?
Вот так и получилось.
'<sip:425@217.24.ХХХ.XXX>' failed for '185.147.215.14:55512' - Wrong password
при этом 185.147.215.14 не попадает в fail2ban, и вам сообщения на мыло не приходят.
Передайте привет ребятам, которые за тарелку каши вам настраивали. Вам сдали с недоделками, вам доп. гимор, и себе такая же репутация.
Идите уже в бизнес-суппорт.

[maza11]

При моих попытках регистрации в консоли были записи

Код: Выделить всё

[Sep 10 21:44:20] NOTICE[775]: chan_sip.c:28499 handle_request_register: Registration from '"101" <sip:101@91.203.ХХХ.ХХХ>' failed for '46.98.123.249:43445' - Device does not match ACL

какими правилами убрать эти нотисы и варнинги, их слишком много

Код: Выделить всё

[Sep 10 22:21:55] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1548910838-727244077-98438031 on non-critical invite transaction.
[Sep 10 22:21:55] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 2089216742-1078319498-1330519446 on non-critical invite transaction.
[Sep 10 22:21:56] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1220912915-660934724-205755131 on non-critical invite transaction.
[Sep 10 22:21:56] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1939212538-1344869665-1377174084 on non-critical invite transaction.
[Sep 10 22:21:58] NOTICE[775][C-0000b6d9]: acl.c:715 ast_apply_acl: SIP Peer ACL: Rejecting '13.72.85.163' due to a failure to pass ACL '(BASELINE)'
[Sep 10 22:21:58] NOTICE[775][C-0000b6d9]: chan_sip.c:26179 handle_request_invite: Failed to authenticate device <sip:101@91.203.60.67>;tag=2097930171
[Sep 10 22:21:59] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1955240059-1633295751-1077793400 on non-critical invite transaction.
[Sep 10 22:21:59] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1989600922-1737858717-2016041405 on non-critical invite transaction.
[Sep 10 22:22:03] WARNING[775]: chan_sip.c:4071 retrans_pkt: Retransmission timeout reached on transmission 2139935357-792808356-1947262419 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep 10 22:22:06] NOTICE[775][C-0000b6dc]: chan_sip.c:26179 handle_request_invite: Failed to authenticate device <sip:6405@217.24.XXX.XXX>;tag=2120343046
[Sep 10 22:22:11] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 446038143-1617892577-1070040588 on non-critical invite transaction.
[Sep 10 22:22:11] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 612792592-747789579-1785258350 on non-critical invite transaction.
[Sep 10 22:22:14] WARNING[775]: chan_sip.c:4071 retrans_pkt: Retransmission timeout reached on transmission 699995816-1279621881-1137604564 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep 10 22:22:16] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 824946645-1700712846-2084712249 on non-critical invite transaction.
[Sep 10 22:22:16] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 2124460790-1514820127-616407862 on non-critical invite transaction.
[Sep 10 22:22:17] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 2091352808-2089855207-1027263151 on non-critical invite transaction.
[Sep 10 22:22:17] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 162197108-1150238885-1397229831 on non-critical invite transaction.
[Sep 10 22:22:18] NOTICE[775][C-0000b6e2]: chan_sip.c:26179 handle_request_invite: Failed to authenticate device <sip:6405@217.24.XXX.XXX>;tag=216721452
[Sep 10 22:22:26] NOTICE[775]: chan_sip.c:28499 handle_request_register: Registration from '<sip:642@91.203.XXX.XXX>' failed for '185.147.212.14:50769' - Wrong password

со своего IP делаю 10 попыток, потом у меня прекращает подключаться и мой IP есть в iptables

Код: Выделить всё

7001' - Wrong password
[Sep 11 00:11:04] NOTICE[775]: chan_sip.c:28499 handle_request_register: Registration from '"101" <sip:456@91.203.XXX.XXX>' failed for '46.98.123.249:47001' - Wrong password
[Sep 11 00:11:05] NOTICE[775]: chan_sip.c:28499 handle_request_register: Registration from '"101" <sip:456@91.203.XXX.XXX>' failed for '46.98.123.249:47001' - Wrong password
[Sep 11 00:11:05] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 921758765-867699942-775295841 on non-critical invite transaction.
[Sep 11 00:11:05] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 495833057-1492650755-96737760 on non-critical invite transaction.
[Sep 11 00:11:07] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1843085357-902044104-941443191 on non-critical invite transaction.
[Sep 11 00:11:07] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 1131874246-1912459927-848028137 on non-critical invite transaction.
[Sep 11 00:11:10] WARNING[775]: chan_sip.c:4071 retrans_pkt: Retransmission timeout reached on transmission 853845258-1889486598-2083527561 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep 11 00:11:11] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 974473480-34204510-1559922548 on non-critical invite transaction.
[Sep 11 00:11:11] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 903192665-1961736479-684843163 on non-critical invite transaction.
[Sep 11 00:11:13] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 361224833-1675730092-482878362 on non-critical invite transaction.
[Sep 11 00:11:13] WARNING[775]: chan_sip.c:4130 retrans_pkt: Timeout on 277106599-63245692-1829237002 on non-critical invite transaction.
[Sep 11 00:11:13] NOTICE[775][C-0000bfe9]: chan_sip.c:26179 handle_request_invite: Failed to authenticate device <sip:7206@217.24.XXX.XXX>;tag=314472853
[Sep 11 00:11:19] NOTICE[775]: chan_sip.c:28499 handle_request_register: Registration from '<sip:766@217.24.XXX.XXX>' failed for '185.147.215.14:61313' - Wrong password
[Sep 11 00:11:21] WARNING[775]: chan_sip.c:4071 retrans_pkt: Retransmission timeout reached on transmission 635450-1516095431-1872402886 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep 11 00:11:22] WARNING[775]: chan_sip.c:4071 retrans_pkt: Retransmission timeout reached on transmission 794350664-1755415621-1961513009 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
voip*CLI>
Disconnected from Asterisk server
Asterisk cleanly ending (0).
Executing last minute cleanups
root@voip:/etc/asterisk# iptables-save
# Generated by iptables-save v1.6.0 on Fri Sep 11 00:11:26 2020
*filter
:INPUT ACCEPT [102:22982]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [152:69167]
:f2b-asterisk-tcp - [0:0]
:f2b-asterisk-udp - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p udp -m multiport --dports 5060,5061 -j f2b-asterisk-udp
-A INPUT -p tcp -m multiport --dports 5060,5061 -j f2b-asterisk-tcp
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-asterisk-tcp -s 46.98.123.249/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 91.203.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 217.24.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 185.108.106.251/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -s 212.83.140.205/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-tcp -j RETURN
-A f2b-asterisk-udp -s 46.98.123.249/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 91.203.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 217.24.XXX.XXX/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 185.108.106.251/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -s 212.83.140.205/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-asterisk-udp -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Fri Sep 11 00:11:26 2020
root@voip:/etc/asterisk#

[MrRomka]

Уважаемый ded, может подскажете, есть ли какой-нибудь способ добавить в fail2ban вот такого рода запросы?

Код: Выделить всё

[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 3991277266) - No matching endpoint found
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 3991277266) - Failed to authenticate
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - No matching endpoint found
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - Failed to authenticate
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - No matching endpoint found
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - Failed to authenticate
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 3991277266) - No matching endpoint found
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 3991277266) - Failed to authenticate
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 3991277266) - No matching endpoint found
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 3991277266) - Failed to authenticate
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - No matching endpoint found
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - Failed to authenticate
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - No matching endpoint found
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 4244511274) - Failed to authenticate
[Nov  6 15:01:55] NOTICE[7763]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"509" <sip:509@91.216.150.5>' failed for '80.94.93.3:5943' (callid: 3991277266) - No matching endpoint found

fail2ban минимально настроен.
jail.conf

Код: Выделить всё

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root@localhost, sender=fail2ban@localhost]
logpath = /var/log/asterisk/messages
maxretry = 10
findtime = 86400
bantime = 864000

Попытки логина ловит хорошо, но хотелось бы эти шумы тоже добавлять в iptables.
Я читал, что есть еще модуль recent, который может считать пакеты, но к сожалению пока практики не хватает...
Заранее спасибо.

[ded]

Google => Регулярные выражения (reg exp)
https://fail2ban.readthedocs.io/en/latest/filters.html

Проверяете правило
./fail2ban-regex "Nov 6 15:01:55:log_failed_request: Request 'REGISTER'" "<HOST>"

[BorisTheBlade]

И да, советую читать логи не из /var/log/messages, а отдельного файла для fail2ban, куда не пишется VERBOSE, DEBUG.
Тк когда лог файл для fail2ban становится слишком большой, то fail2ban перестает файлтубанить
Я также добавляю logrotate для это файла , который по крону каждые 10 минут его архивит, если размер вышел за 10Мб.

[MrRomka]

Я включил security и лог беру из /var/log/asterisk/security. Ошибку в выражении исправил. Ловит все теперь отлично.
Спасибо за помощь.