Upgrade Fail2Ban NOW... see page 3 of this thread

titodj

Member
Joined
Oct 22, 2007
Messages
120
Reaction score
7
Thanks... I know that it is a very common mistake to use a password equal to the extension number...
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

Clearly only a problem if you expose your system to the internet, but either way, you've only yourself to blame if you use weak passwords and you do get hacked. The last time I looked at Trixbox, they had got the FOP panel exposed to the internet, which of course makes life a little easier for the hacker inasmuch as you now know the extensions, apart from allowing the ability to wreak lawnmower man style havoc on the company phone system.

Additionally, the post mentions t*f*t*p, so presumably if you have the t*f*t*p server exposed to the internet, then the phone config files may well offer the password.

Within Webmin, we have the Linux Firewall, (IPTables) which allows very granular control over what is allowed in and what is not. This is relatively easy to use and understand via Webmin, and although we have a default config in there which is a balance between security and usability, it is expected that you modify it to suit your own environment.

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
I wonder if this isn't another area in which our Fail2Ban implementation could be helpful. It would prevent brute force password hacks on extensions... which are fairly easily accomplished since traditional wisdom has been to use four-digit passwords.
 

TDF

New Member
Joined
Jul 16, 2008
Messages
206
Reaction score
0
I set up fail2ban to look for SIP registration failures, but then you knew that already, didn't you.

I didn't pay yours very much attention once I realised it was old (has a critical security advisory on it?), but I'm sure it's different to the guide on voip-info; this might do you though.

Add this to fail2ban.conf:

[SIP]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true

# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/asterisk/full

# Option: timeregex
# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = Wrong password|Username/auth name mismatch
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Sorry, but this won't block any SIP attacks for a whole host of reasons that are covered in the article above. For openers, the fail2ban.conf file currently is configured to only monitor tcp traffic, not udp. You're also missing the port to monitor. And there are problems with the Asterisk log format and the log message syntax which have to be addressed. We wouldn't want anyone to get a false sense of security by implementing this incorrectly. That's almost worse than no security at all. :wink5:
 

TDF

New Member
Joined
Jul 16, 2008
Messages
206
Reaction score
0
Sorry, but this won't block any SIP attacks for a whole host of reasons that are covered in the article above. For openers, the fail2ban.conf file currently is configured to only monitor tcp traffic, not udp. You're also missing the port to monitor. And there are problems with the Asterisk log format and the log message syntax which have to be addressed. We wouldn't want anyone to get a false sense of security by implementing this incorrectly. That's almost worse than no security at all. :wink5:


I'm not sure I follow you tbh Ward, that's if you were referring to my post.

fail2ban in this instance is not monitoring any protocol or any port; it is looking in the log /var/log/asterisk/full for messages containing the words "Wrong password" or "Username/auth name mismatch", then banning that IP for X amount of time.

I didn't say it will work for certain, I said it might; I didn't pay it that much attention. I know your old version is set out differently to the info in the wiki article, I *think* my instructions are relevant to your version though.

I use fail2ban 0.8.3 as set up in the voip-info guide and it works, although I do have an issue with the timestamps that needs sorting out; whether you will have the same problem or if you can work it out is in your hands.

 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Thanks for clarification. I stand corrected.:smash: My apologies. I still think we'd better give this a good workout in the lab before people start depending upon it.
 

TDF

New Member
Joined
Jul 16, 2008
Messages
206
Reaction score
0
I still think we'd better give this a good workout in the lab before people start depending upon it.


For sure, I'm glad (but not surprised) you see the value in it though, over on Trixbox they have been a bit slow on the uptake.

There have been a fair few threads (on trix.org) in the last month or so, and 3 in a 36 period a few days back, by people suffering these attacks. I would say there's probably a whole lot of people who have no idea that they are under or have been under attack. I am sure this problem will only get worse, and even if you use passwords that should take months/years to crack you don't really want the unnecessary traffic hammering away at you.

Like you pointed out, a lot of the guides show examples of 3 or 4 character extension passwords. Kerry's very own 2.6.1 guide on asterisk tutorials shows examples of password 200 for extension 200 and so on; people follow these guides at a time when they have little understanding and are being left with their arses hanging in the wind lol.
 
Joined
Nov 2, 2007
Messages
498
Reaction score
0
What is worse...

Is that TB thinks it is OK to run certain (Package Manager and restart/shutdown) things sudo as root.

That makes it worse.

So should we be trying out the additions to Fail2Ban?
 

TomS

Guru
Joined
Oct 18, 2007
Messages
240
Reaction score
6
The Voip-Info.org fail2ban setup

I printed the information for the asterisk setup for fail2ban.
Since it is already installed on the PiaF 1.2 system, I moved on to the configuration area.
I tried to find the filter.d directory - not found:
'find / -name filter.d -print'
I tried to go to the /etc/fail2ban directory but there is none. I did find the .conf file there.
From 'find / -name fail2ban -print':
/usr/src/fail2ban (directory with rpm's, etc.)
/usr/lib/fail2ban (directory - no filter.d)
/usr/bin/fail2ban (executable program and /usr/bin/faillog)
/etc/rc.d/init.d/fail2ban (startup script)
/root/fail2ban (executable program)
were found.
Where do you add the filter.d/asterisk.conf information?
or is this necessary on PiaF 1.2, etc.
Thanks
TomS
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
I tried:-

root@pbx:~ $ find / -name fail2ba* -print
/var/pbx_load/fail2ban-required.tgz
/var/log/fail2ban.log
/var/run/fail2ban.pid
/etc/fail2ban.conf
/etc/rc.d/init.d/fail2ban
/usr/bin/fail2ban
/usr/lib/fail2ban
/usr/lib/fail2ban/fail2ban.py
/usr/lib/fail2ban/fail2ban.pyc
/usr/src/fail2ban
/usr/src/fail2ban/fail2ban-0.6.1-2jik.src.rpm
/usr/src/fail2ban/fail2ban.conf
/usr/src/fail2ban/fail2ban-0.6.1-2jik.noarch.rpm
/usr/share/doc/fail2ban-0.6.1

So I reckon what you are looking for is in /etc/fail2ban.conf

Joe
 

TDF

New Member
Joined
Jul 16, 2008
Messages
206
Reaction score
0
TomS

If you read my posts you would realise the voip-info guide is for a version of fail2ban that is very different to the one used by PiaF, it is structured completely differently so has no real relevance, one of my posts has some info that *may* get it working though.
 
Joined
Nov 2, 2007
Messages
498
Reaction score
0
Tom, I am just starting to look at this...

But I concur with Joe. /etc/fail2ban.conf
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
I didn't say it will work for certain, I said it might, I didn't pay it that much attention. I know your old version is set out different to the info in the wiki article, I *think* my instructions are relevant to your version though.


After some additional testing, the approach suggested does not appear to work with version 0.6.1 which currently is installed in PBX in a Flash systems.
 

mmodahl

New Member
Joined
Aug 1, 2008
Messages
6
Reaction score
0
After some additional testing, the approach suggested does not appear to work with version 0.6.1 which currently is installed in PBX in a Flash systems.
I'm sorry to send you guys chasing the wrong goose. I completely forgot I had reinstalled fail2ban from source after the initial PiaF install.

I think TDF has the correct formatting for the PiaF version, but you might add "No matching peer found" as an additional regex test to prevent people fishing for extensions.
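The three chan_sip messages the thread settles on (TDF's "Wrong password" and "Username/auth name mismatch", plus mmodahl's "No matching peer found") are only useful if the timestamp and source IP can be pulled out of the Asterisk "full" log reliably, which is exactly the part Ward and TDF say gives trouble. The script below is an added example, not code from the thread or from fail2ban: it parses constructed log lines in the bracketed Asterisk 1.4-era format, tallies failures per source IP, and applies fail2ban's maxretry/findtime rule to decide who would be banned. The log carries no year, so the example assumes one; the sample lines, IP addresses and the 100-guesses-per-second figure are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Asterisk "full" log lines (assumed 1.4-era chan_sip format);
# not taken from the thread. 198.51.100.7 plays the scanner, 203.0.113.10 a user who
# mistyped twice, 192.0.2.44 a slow guesser that never reaches maxretry inside findtime.
SAMPLE_LOG = """\
[Aug  1 10:15:01] VERBOSE[3012] logger.c:     -- Registered SIP '201' at 203.0.113.10 port 5060 expires 3600
[Aug  1 10:15:03] NOTICE[3012] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[Aug  1 10:15:04] NOTICE[3012] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[Aug  1 10:15:05] NOTICE[3012] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Aug  1 10:15:06] NOTICE[3012] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Aug  1 10:15:07] NOTICE[3012] chan_sip.c: Registration from '"202" <sip:202@198.51.100.7>' failed for '198.51.100.7' - Username/auth name mismatch
[Aug  1 10:20:11] NOTICE[3012] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '203.0.113.10' - Wrong password
[Aug  1 10:35:40] NOTICE[3012] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '203.0.113.10' - Wrong password
[Aug  1 11:00:00] NOTICE[3012] chan_sip.c: Registration from '"300" <sip:300@192.0.2.44>' failed for '192.0.2.44' - Wrong password
[Aug  1 11:15:00] NOTICE[3012] chan_sip.c: Registration from '"300" <sip:300@192.0.2.44>' failed for '192.0.2.44' - Wrong password
[Aug  1 11:30:00] NOTICE[3012] chan_sip.c: Registration from '"300" <sip:300@192.0.2.44>' failed for '192.0.2.44' - Wrong password
[Aug  1 11:45:00] NOTICE[3012] chan_sip.c: Registration from '"300" <sip:300@192.0.2.44>' failed for '192.0.2.44' - Wrong password
[Aug  1 12:00:00] NOTICE[3012] chan_sip.c: Registration from '"300" <sip:300@192.0.2.44>' failed for '192.0.2.44' - Wrong password
"""

# Every line starts with "[Mon DD HH:MM:SS] LEVEL[pid] file: message"; single-digit
# days are space padded, which is what the thread's \S{3}\s{1,2}\d{1,2} timeregex allows for.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<level>[A-Z]+)\[\d+\]\s+(?P<msg>.*)$"
)
# The three failure messages from the thread, with the *source* address captured
# (the quoted "From" header is attacker controlled and must not be used for banning).
FAIL_RE = re.compile(
    r"Registration from '(?P<who>[^']*)' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - "
    r"(?P<reason>Wrong password|Username/auth name mismatch|No matching peer found)"
)


def parse_line(line, year=2008):
    """Return (timestamp, source_ip, reason) for a SIP registration failure, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.search(m.group("msg"))
    if not f:
        return None
    # Asterisk logs no year, so the caller supplies one (assumption for this example).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, f.group("ip"), f.group("reason")


def count_failures(lines, year=2008):
    """Failures per source IP over the whole input."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def find_offenders(lines, maxretry=5, findtime=600, year=2008):
    """fail2ban's rule: ban an IP that produces `maxretry` failures inside any
    `findtime`-second window. Returns {ip: time the ban would trigger}."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            ts, ip, _ = parsed
            events[ip].append(ts)
    banned = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it lies within findtime of t
            while (t - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = t
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in sorted(count_failures(lines).items()):
        print(f"{ip:15} {n} failures")
    for ip, when in find_offenders(lines).items():
        # fail2ban would run its fwban command here; shown as the equivalent iptables rule
        print(f"BAN {ip} at {when:%b %d %H:%M:%S}  (iptables -I INPUT -s {ip} -j DROP)")
```

Two things this shows that the config fragment alone does not: the ban decision depends on the timestamp being parsed correctly (a regex that matches the message but not the time stamp will either never ban or ban forever), and the address to ban is the one after "failed for", not the one inside the SIP From header. Whichever fail2ban version is in use, the FAIL_RE pattern above is the failregex to test against a copy of /var/log/asterisk/full before trusting it.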
 

compuguy

Member
Joined
Dec 27, 2007
Messages
86
Reaction score
1
I would concur that fail2ban is probably the best way to go. I don't agree that it is only people with t*f*t*p servers exposed etc.

Thinking it through, most probably nearly everyone who has external extensions and does not use a VPN will have port 5060 exposed to the internet and is probably using 3-digit extension numbers (I use more than 3 digits), so it would be pretty easy to write a script that went through all extensions from 100 to 999 with passwords matching the extensions to find a weakness.

You can use something like slping to see if there is something listening on a specific port such as 5060.

Let's face it, all ITSPs have port 5060 open to the internet for customers to connect, and I presume it would be the same for IAX.

Putting strong passwords in will help, but as there is not an easy way to change passwords from a single source on a regular basis that would automatically update the password in the phones, another method has to be used in conjunction with a strong password.

Unfortunately for mobile users a VPN is not always an option because of the overhead put on by the VPN connection, and of course there are some hotels who purposely block VPN ports.
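The weakness compuguy describes (and titodj admits to at the top of the thread) is trivial to find from the inside before anyone finds it from the outside. The script below is an added example, not from the thread or from any PiaF/Trixbox tool: it reads a constructed sip.conf fragment, flags peers whose secret is missing, equal to the extension, all digits, or short, and estimates how long a scanner would need to exhaust each secret's keyspace. The sip.conf contents, the 8-character minimum and the 100 guesses/second rate are assumptions for illustration; the parser is deliberately minimal and ignores sip.conf templates and #include.

```python
import re

# Constructed sip.conf fragment (not from the thread) with a mix of good and bad secrets.
SAMPLE_SIP_CONF = """\
[general]
context=default
bindport=5060
allowguest=no

[200]
type=friend
secret=200          ; the classic: secret equal to the extension
host=dynamic

[201]
type=friend
secret=1234         ; four digits, as in many tutorials
host=dynamic

[202]
type=friend
secret=             ; empty secret
host=dynamic

[203]
type=friend
secret=7Gx!mq2Lp9vR ; random, mixed character classes
host=dynamic

[204]
type=peer
host=dynamic        ; no secret at all
"""

MIN_LENGTH = 8            # assumed policy for this example
GUESSES_PER_SECOND = 100  # assumed rate of REGISTER attempts from one scanner


def parse_sip_conf(text):
    """Minimal parser: [section] headers and key=value lines, ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def keyspace(secret):
    """Guesses needed to exhaust a secret drawn from the character classes it uses."""
    alphabet = 0
    if re.search(r"\d", secret):
        alphabet += 10
    if re.search(r"[a-z]", secret):
        alphabet += 26
    if re.search(r"[A-Z]", secret):
        alphabet += 26
    if re.search(r"[^0-9a-zA-Z]", secret):
        alphabet += 32
    return alphabet ** len(secret)


def seconds_to_exhaust(secret, rate=GUESSES_PER_SECOND):
    """Worst-case time for a scanner at `rate` guesses/second to try every candidate."""
    return keyspace(secret) / rate


def audit_sip_conf(text, min_length=MIN_LENGTH):
    """Return {extension: [reasons]} for every SIP peer/friend whose secret is unsafe."""
    findings = {}
    for name, opts in parse_sip_conf(text).items():
        if opts.get("type") not in ("friend", "peer", "user"):
            continue  # [general] and non-peer sections carry no credential
        reasons = []
        secret = opts.get("secret", "")
        if not secret:
            reasons.append("no secret")
        else:
            if secret == name:
                reasons.append("secret equals extension")
            if secret.isdigit():
                reasons.append("digits only")
            if len(secret) < min_length:
                reasons.append(f"shorter than {min_length}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    conf = parse_sip_conf(SAMPLE_SIP_CONF)
    for ext, reasons in audit_sip_conf(SAMPLE_SIP_CONF).items():
        secret = conf[ext].get("secret", "")
        print(f"{ext}: {', '.join(reasons)}; exhaustible in {seconds_to_exhaust(secret):.0f}s")
```

Run against a real /etc/asterisk/sip.conf (or the FreePBX-generated sip_additional.conf) the audit takes seconds; the estimate column is the point to show management: a three-digit secret matching the extension falls in about ten seconds of scanning at the assumed rate, which is why fail2ban-style rate limiting and strong secrets are needed together rather than as alternatives.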
 
