Deploying Fail2Ban to Block Attacks Against Asterisk VoIP

If your Asterisk VoIP server is connected to the open public Internet and offers VoIP service to the outside, it will very often be harassed by attackers. They usually try to break into Asterisk by brute-forcing passwords, looking for any extension they can take over. Or they may not care about breaking in at all: they simply want to DDoS (Distributed Denial of Service) your system, exhausting Asterisk's resources and your bandwidth to cripple your network and your system. If Asterisk is part of your business and is also connected to an IDA-P or to PSTN lines that can place IDD international long-distance calls, you face the risk of large losses from stolen IDD calls placed in bulk.

Beyond the basic protection of a hardware firewall, we should regularly check the logs for anything unusual. Checking logs by hand and then adjusting the firewall is tiring work. This is where Fail2Ban comes in handy.

Fail2Ban is free, open-source software that monitors your system logs and, based on the error entries it finds, performs a blocking action, normally through the iptables firewall. For example, when someone is probing your FTP password, as soon as they reach the number of attempts you configured, fail2ban automatically adds an iptables rule to block that IP, and it can also e-mail the system administrator.

Before installing Fail2Ban, the system needs the iptables firewall installed. You can then install Fail2Ban with yum from EPEL (http://fedoraproject.org/wiki/EPEL).

Once Fail2Ban is installed, we can configure it to watch the Asterisk log and take the corresponding action to block attacking IPs.

Recent Fail2Ban releases already ship rules for protecting Asterisk; we only need to do the final configuration.

In /etc/fail2ban/jail.conf, enable these two jails:

[asterisk-tcp]
enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@mydomain.com, sender=fail2ban@mydomain.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[asterisk-udp]
enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@mydomain.com, sender=fail2ban@mydomain.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

Explanation:
filter   = asterisk => name of the filter, corresponding to asterisk.conf in the filter.d directory
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp] => parameters of the blocking action
sendmail-whois[name=Asterisk, dest=you@mydomain.com, sender=fail2ban@mydomain.com] => recipient of the report sent when a ban is triggered
logpath  = /var/log/asterisk/messages => the system log to watch
maxretry = 10 => maximum number of failed attempts before the IP is banned


Then add the file asterisk.conf under /etc/fail2ban/filter.d. It holds the set of rules used to check the log:

[INCLUDES]

before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Peer is not supposed to register$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Not a local domain$
            NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$
            NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$
            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@<HOST>\S*$
            SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
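Before restarting fail2ban it is worth checking that the failregex lines above really match what Asterisk writes, and that maxretry = 10 in the jail section bans who you expect. The real tool for the first half of that is fail2ban-regex (fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf). The following script is an added example, not part of this post or of the fail2ban project: it replays constructed Asterisk log lines through four of the filter's failregex lines and then applies the jail's maxretry/findtime counting to show which host would be banned and when. The %(__pid_re)s and <HOST> expansions are assumed from fail2ban 0.8's common.conf and failregex.py, the sample log lines and the addresses in them are constructed, and findtime=600 is fail2ban's default; the functions and names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# What fail2ban 0.8 substitutes into a failregex before compiling it (assumed
# here from its common.conf and failregex.py; check the version you run).
PID_RE = r"(?:\[\d+\])"
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Four of the failregex lines from the asterisk.conf filter, copied verbatim.
FAILREGEX = [
    r"NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$",
    r"NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$",
    r"NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$",
    r"NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$",
]


def compile_failregex(patterns):
    """Expand the fail2ban shortcuts and compile each failregex."""
    return [re.compile(p.replace("%(__pid_re)s", PID_RE).replace("<HOST>", HOST_RE))
            for p in patterns]


COMPILED = compile_failregex(FAILREGEX)

# Lines in /var/log/asterisk/messages begin with "[Mon DD HH:MM:SS]".
TIMESTAMP_RE = re.compile(r"^\[(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\]")


def match_failure(line):
    """Return (timestamp, host) if any failregex matches the line, else None."""
    ts = TIMESTAMP_RE.match(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return when, m.group("host")
    return None


def find_bans(lines, maxretry=10, findtime=600):
    """Replay log lines and apply the jail's maxretry/findtime rule.

    Approximates fail2ban's counting: a host is banned once it has accumulated
    maxretry failures inside a sliding window of findtime seconds. Returns
    {host: timestamp_of_the_failure_that_triggered_the_ban}.
    """
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        hit = match_failure(line)
        if hit is None or hit[1] in banned:
            continue
        when, host = hit
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = when
    return banned


# Constructed sample log (not real traffic): 198.51.100.23 makes ten SIP
# registration attempts in under thirty seconds; 203.0.113.7 fails three
# times spread over an hour, once with an IPv4-mapped "::ffff:" prefix.
SAMPLE_LOG = sorted([
    f"[Mar 11 12:00:{sec:02d}] NOTICE[2345] chan_sip.c: Registration from '\"{100 + i}\" <sip:{100 + i}@192.0.2.10>' "
    f"failed for '198.51.100.23:5060' - {'Wrong password' if i % 2 else 'No matching peer found'}"
    for i, sec in enumerate(range(1, 30, 3))
] + [
    "[Mar 11 12:00:02] VERBOSE[2345] chan_sip.c: Really destroying SIP dialog '12345@192.0.2.10'",
    "[Mar 11 12:00:05] NOTICE[2345] chan_iax2.c: Host 203.0.113.7 failed to authenticate as 'trunk'",
    "[Mar 11 12:20:05] NOTICE[2345] chan_sip.c: No registration for peer 'branch' (from 203.0.113.7)",
    "[Mar 11 12:59:59] NOTICE[2345] chan_iax2.c: Host ::ffff:203.0.113.7 failed to authenticate as 'trunk'",
])

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"would ban {host} at {when:%H:%M:%S} (maxretry=10, findtime=600)")
```

Running it shows only 198.51.100.23 being banned, on its tenth failure at 12:00:28; 203.0.113.7 never reaches ten failures inside any 600-second window, so with the jail as written it stays unblocked even though it is clearly probing. Lowering maxretry or raising findtime in the jail section changes that outcome, and the same script lets you try those values against your own log before applying them. The VERBOSE line and the ::ffff: prefix show two things to check when writing a filter: unrelated lines must not match, and the host group must contain only the address, or iptables would be handed a string it cannot ban.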

Configure fail2ban to start automatically at boot:

chkconfig fail2ban on

Start the fail2ban service:

service fail2ban start

Done.
