
Upgrade Fail2Ban NOW... see page 3 of this thread

Discussion in 'Bug Reporting and Fixes' started by compuguy, Oct 6, 2008.

  1. compuguy Member

  2. titodj Member

    Thanks... I know that it is a very common mistake to use the password = to the extension number...
  3. jroper Guru


    Clearly only a problem if you expose your system to the internet, but either way, you've only yourself to blame if you use weak passwords and you do get hacked. The last time I looked at Trixbox, they had got the FOP panel exposed to the internet, which of course makes life a little easier for the hacker in as much as you now know the extensions, apart from allowing the ability to wreak lawnmower man style havoc on the company phone system.

    Additionally, the post mentions t*f*t*p, so presumably if you have the t*f*t*p server exposed to the internet, then the phone config files may well offer the password.

    Within Webmin, we have the Linux Firewall, (IPTables) which allows very granular control over what is allowed in and what is not. This is relatively easy to use and understand via Webmin, and although we have a default config in there which is a balance between security and usability, it is expected that you modify it to suit your own environment.

  4. wardmundy Nerd Uno

    I wonder if this isn't another area in which our Fail2Ban implementation could be helpful. It would prevent brute force password hacks on extensions... which are fairly easily accomplished since traditional wisdom has been to use four-digit passwords.
  5. mmodahl New Member

  6. wardmundy Nerd Uno

    Great find! We'll get to work on it.
  7. jehowe Guru

    Awesome! Thanks for the link!
  8. TDF New Member

    I set up fail2ban to look for sip registration failures, but then you knew that already, didn't you.

    I didn't pay yours very much attention once I realised it was old (has a critical security advisory on it?), but I'm sure it's different to the guide on voip-info, this might do you though

    Add this to fail2ban.conf:

    # Option: enabled
    # Notes.: enable monitoring for this section.
    # Values: [true | false] Default: true
    enabled = true

    # Option: logfile
    # Notes.: logfile to monitor.
    # Values: FILE Default: /var/log/secure
    logfile = /var/log/asterisk/full

    # Option: timeregex
    # Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
    # use timeregex = @[0-9a-f]{24}
    # Values: [Mar 7 17:53:28]
    # Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
    timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

    # Option: timepattern
    # Notes.: format used in "timeregex" fields definition. Note that '%' must be
    # escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
    # For TAI64N format, use timepattern = tai64n
    # Values: TEXT Default: %%b %%d %%H:%%M:%%S
    timepattern = %%b %%d %%H:%%M:%%S

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # Values: TEXT Default: Authentication failure|Failed password|Invalid user
    failregex = Wrong password|Username/auth name mismatch
  9. wardmundy Nerd Uno

    Sorry, but this won't block any SIP attacks for a whole host of reasons that are covered in the article above. For openers, the fail2ban.conf file currently is configured to only monitor tcp traffic, not udp. You're also missing the port to monitor. And there are problems with the Asterisk log format and the log message syntax which have to be addressed. We wouldn't want anyone to get a false sense of security by implementing this incorrectly. That's almost worse than no security at all. :wink5:
  10. TDF New Member

    I'm not sure I follow you tbh Ward, that's if you were referring to my post.

    fail2ban in this instance is not monitoring any protocol or any port, it is looking in the log /var/log/asterisk/full for messages containing the words Wrong password or Username/auth name mismatch, then banning that IP for X amount of time.

    I didn't say it will work for certain, I said it might, I didn't pay it that much attention. I know your old version is set out different to the info in the wiki article, I *think* my instructions are relevant to your version though.

    I use fail2ban 0.8.3 as setup in the voip-info guide and it works, although I do have an issue with the timestamps that needs sorting out, whether you will have the same problem or if you can work it out is in your hands.

  11. wardmundy Nerd Uno

    Thanks for clarification. I stand corrected.:smash: My apologies. I still think we'd better give this a good workout in the lab before people start depending upon it.
  12. TDF New Member

    For sure, I'm glad (but not surprised) you see the value in it though, over on Trixbox they have been a bit slow on the uptake.

    There have been a fair few threads (on trix.org) in the last month or so and 3 in a 36 period a few days back by people suffering these attacks, I would say there's probably a whole lot of people who have no idea that they are under or have been under attack. I am sure this problem will only get worse and even if you use passwords that should take months/years to crack you don't really want the unnecessary traffic hammering away at you.

    Like you pointed out a lot of the guides show examples of 3 or 4 character extension passwords, Kerry's very own 2.6.1 guide on asterisk tutorials shows examples of password 200 for extension 200 and so on, people follow these guides at a time when they have little understanding and are being left with their arses hanging in the wind lol.
  13. What is worse...

    Is that TB thinks it is OK to run certain (Package Manager and restart/shutdown) things sudo as root.

    That makes it worse.

    So should we be trying out the additions to Fail2Ban?
  14. TomS Guru

    The Voip-Info.org fail2ban setup

    I printed the information for the asterisk setup for fail2ban.
    Since it is already installed on the PiaF 1.2 system, I moved on to the configuration area.
    I tried to find the filter.d directory - not found:
    'find / -name filter.d -print'
    I tried to go to the /etc/fail2ban directory but there is none. I did find the .conf file there.
    From 'find / -name fail2ban -print':
    /usr/src/fail2ban (directory with rpm's, etc.)
    /usr/lib/fail2ban (directory - no filter.d)
    /usr/bin/fail2ban (executable program and /usr/bin/faillog)
    /etc/rc.d/init.d/fail2ban (startup script)
    /root/fail2ban (executable program)
    were found.
    Where do you add the filter.d/asterisk.conf information?
    or is this necessary on PiaF 1.2, etc.
  15. jroper Guru

    I tried:-

    root@pbx:~ $ find / -name fail2ba* -print

    So I reckon what you are looking for is in /etc/fail2ban.conf

  16. TDF New Member


    If you read my posts you would realise the voip-info guide is for a version of fail2ban that is very different to the one used by PiaF, it is structured completely differently so has no real relevance, one of my posts has some info that *may* get it working though.
  17. Tom, I am just starting to look at this...

    But I concur with Joe. /etc/fail2ban.conf
  18. wardmundy Nerd Uno

    After some additional testing, the approach suggested does not appear to work with version 0.6.1 which currently is installed in PBX in a Flash systems.
  19. mmodahl New Member

    I'm sorry to send you guys chasing the wrong goose. I completely forgot I had reinstalled fail2ban from source after the initial PiaF install.

    I think TDF has the correct formatting for the PiaF version, but you might add "No matching peer found" as an additional regex test to prevent people fishing for extensions.
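    As an added illustration of what the filter in this thread is actually matching (my code, not from the thread, from PBX in a Flash or from fail2ban): TDF's timeregex/failregex from the fail2ban.conf fragment above, with mmodahl's "No matching peer found" added, run in Python over constructed /var/log/asterisk/full lines. The "failed for '<ip>'" extraction and the maxretry/findtime window are my assumptions about what a ban rule needs, not fail2ban 0.6.1 behaviour; the year handling is the timestamp wrinkle TDF mentions.

```python
import re
from datetime import datetime

# Patterns taken from the fail2ban.conf fragment posted in this thread, with
# "No matching peer found" appended as mmodahl suggested.
TIMEREGEX = re.compile(r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
TIMEPATTERN = "%b %d %H:%M:%S"  # the conf writes %% because fail2ban unescapes it
FAILREGEX = re.compile(r"Wrong password|Username/auth name mismatch|No matching peer found")
# Assumption (not from the thread): chan_sip names the source as "failed for '<ip>'"
SOURCE_IP = re.compile(r"failed for '(\d{1,3}(?:\.\d{1,3}){3})'")

# Constructed sample of /var/log/asterisk/full lines, not a real capture.
SAMPLE_LOG = """\
[Oct  6 17:53:28] NOTICE[2965] chan_sip.c: Registration from '"200" <sip:200@10.0.0.2>' failed for '203.0.113.5' - Wrong password
[Oct  6 17:53:29] NOTICE[2965] chan_sip.c: Registration from '"201" <sip:201@10.0.0.2>' failed for '203.0.113.5' - Wrong password
[Oct  6 17:53:30] NOTICE[2965] chan_sip.c: Registration from '"9999" <sip:9999@10.0.0.2>' failed for '203.0.113.5' - No matching peer found
[Oct  6 17:53:31] VERBOSE[2970] logger.c:     -- Registered SIP '300' at 198.51.100.9 port 5060
[Oct  6 17:59:50] NOTICE[2965] chan_sip.c: Registration from '"202" <sip:202@10.0.0.2>' failed for '203.0.113.5' - Username/auth name mismatch
[Oct  6 18:10:00] NOTICE[2965] chan_sip.c: Registration from '"200" <sip:200@10.0.0.2>' failed for '198.51.100.9' - Wrong password
"""

def parse_failures(log, year=2008):
    """Yield (timestamp, source_ip) for each line matching failregex."""
    for line in log.splitlines():
        if not FAILREGEX.search(line):
            continue                      # e.g. the successful "Registered SIP" line
        when, ip = TIMEREGEX.search(line), SOURCE_IP.search(line)
        if not when or not ip:
            continue                      # a failure we cannot attribute to an address
        # Asterisk's full log carries no year, so strptime would default to 1900;
        # the caller supplies it (the timestamp problem TDF mentions above).
        stamp = datetime.strptime(when.group(0), TIMEPATTERN).replace(year=year)
        yield stamp, ip.group(1)

def offenders(log, maxretry=3, findtime=600):
    """Return the IPs with >= maxretry failures inside any findtime-second window."""
    seen, banned = {}, set()
    for stamp, ip in parse_failures(log):
        hits = [t for t in seen.get(ip, []) if (stamp - t).total_seconds() <= findtime]
        hits.append(stamp)
        seen[ip] = hits
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE_LOG)))   # ['203.0.113.5']
```

    The single failure from 198.51.100.9 stays under the threshold, which is the point of maxretry: one mistyped password on a legitimate phone should not get it banned.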
  20. compuguy Member

    I would concur that fail2ban is probably the best way to go. I don't agree that it is only people with t*f*t*p servers exposed etc.

    Thinking it through most probably nearly everyone who has external extensions and does not use a vpn will have port 5060 exposed to the internet and are probably using 3 digit extension numbers (I use more than 3 digits) so it would be pretty easy to write a script that went through all extensions from 100 to 999 with passwords matching the extensions to find a weakness.

    You can use something like slping to see if there is something listening on a specific port such as 5060.

    Let's face it, all ITSPs have port 5060 open to the internet for customers to connect and I presume it would be the same for IAX.

    Putting strong passwords in will help but as there is not an easy way to change password from a single source on a regular basis which would automatically update the password in the phones then another method has to be used in conjunction with a strong password.

    Unfortunately for mobile users a vpn is not always an option because of the overhead put on by the vpn connection and of course there are some hotels who purposely block vpn ports.
