Upgrade Fail2Ban NOW... see page 3 of this thread

TDF

New Member
Joined
Jul 16, 2008
Messages
206
Reaction score
0
Oops, my mistake. I was in a rush and set the extension to a non-existent one; with the right extension number I get the MD5 message too.

You could leave that regex in though and it will block anyone hunting for extension numbers. edit/ or maybe not, it doesn't seem to be right.
 

Hat

Guru
Joined
Dec 18, 2007
Messages
88
Reaction score
0
OK, after trial and error, this is what I came up with for IAX extensions that works for my system. I say trial and error because I am a rank Linux beginner and was using the existing entries as a guideline.
Code:
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
Tom
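
A way to check the filter line above before relying on it, given as an added example that is not part of the original post or of the fail2ban project's code. The log lines, the IPv4-only stand-in for the `<HOST>` tag, and the threshold of 3 are assumptions made for the illustration.

```python
import re
from collections import Counter

# failregex exactly as posted in the thread. The unescaped parentheses at the
# end form a capture group rather than matching literal "(" and ")"; the line
# still matches because ".*" accepts any trailing text.
FAILREGEX = r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)"

# Assumption: IPv4-only stand-in for fail2ban's own <HOST> expansion.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumption: threshold of 3; the time window (findtime) is ignored here.
MAXRETRY = 3

# Constructed sample log lines (documentation addresses, made-up digests).
SAMPLE_LOG = """\
[2008-12-04 10:15:31] NOTICE[2345] chan_iax2.c: Host 203.0.113.7 failed MD5 authentication for '201' (aaaa != bbbb)
[2008-12-04 10:15:33] NOTICE[2345] chan_iax2.c: Host 203.0.113.7 failed MD5 authentication for '202' (cccc != dddd)
[2008-12-04 10:15:36] NOTICE[2345] chan_iax2.c: Host 198.51.100.22 failed MD5 authentication for '201' (eeee != ffff)
[2008-12-04 10:15:40] NOTICE[2345] chan_iax2.c: Host 203.0.113.7 failed MD5 authentication for '203' (0000 != 1111)
[2008-12-04 10:16:02] VERBOSE[2345] logger.c: constructed line that must not match
"""


def compile_failregex(failregex=FAILREGEX):
    """Substitute the <HOST> tag and compile the result for line matching."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def count_failures(log_text, failregex=FAILREGEX):
    """Return a Counter of matching lines per source host."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count has reached the threshold."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(count_failures(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```

On a system with fail2ban installed, the bundled `fail2ban-regex` tool runs a filter against a real log file and reports which lines matched.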
 

TDF

New Member
Joined
Jul 16, 2008
Messages
206
Reaction score
0
Nice one, I tried about 100 variables without success, yours works.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,228
I've added the two mods to the download script. Thanks.
 

tshif

Guru
Joined
Jan 3, 2008
Messages
1,240
Reaction score
4
Have these improvements been added to the PBXIAF fail2ban install scripts? If so, what is the correct procedure to apply the improvements?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,228
They've been added to the update script referenced in my instructions above. We'll replace the current fail2ban script as soon as we're sure we've got all of the bases covered with the new Asterisk functionality.

The original fail2ban stuff gets installed as part of a new install or by running update-fixes. This update has to be applied manually for the moment.
 

james

Guru
Joined
Oct 18, 2007
Messages
374
Reaction score
38
Resistance is futile......

Playing devil's advocate, here is what I would do if I wanted to compromise your phone system.

Step 1 assume someone is watching and don't use my own ip.

Step 2 load up my proxy list giving me about 10,000 ip addresses

Step 3 Assume you have some sort of software in place like fail to ban but you wanna leave your threshold high enough for accidents so I set my script to use each proxy 3 times Max.

Step 4. have my way with your system....


You see, this is not a bug; it is poor security practices. I am not saying don't use fail2ban; I am saying don't rely on it or any other singular method.
 

boynas

Member
Joined
Oct 9, 2008
Messages
56
Reaction score
0
Password Complexity

How complex can the SECRET value be?

I can't find documentation about the chars that Asterisk will digest as a secret.

I know that sometimes Asterisk has problems with some "Special characters". Is there any official info about this?

So far I know that it can digest digits, lower and capital.

I am also aware that the password specs could be different for a softphone or a Polycom phone or Asterisk.

I agree that the best way to avoid these unauthorized logins is to implement complex passwords.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,228
In response to James, no security is perfect. However, using 7-digit or more passwords and the current implementation of Fail2Ban, it would take YEARS to crack into your server with the technique James suggests. 3 attempts actually locks you out in the default configuration for any time limit set by the administrator. Hopefully, within that time frame, most folks will take a look at their logs AND their email. :cool:
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
I saw a post on A2Billing which I cannot find now, which suggested that the passwords should only be numbers or letters.

In terms of security, the point of it, most of the time, is to make someone who is trying to hack a system go and find an easier target, and I'm sure there are easier targets available.

Joe
 

tshif

Guru
Joined
Jan 3, 2008
Messages
1,240
Reaction score
4
Which PBX sent the email?

With more than one PBX running fail2ban - I was looking to alter the jail emails so that the sending PBX was more obvious.

I was poking around in the /etc/fail2ban/jail.conf and tried a few things - but the changes didn't actually show up in the email. :crazy:

So - what did I fail to notice and understand? :lol:
 

jrglass

Guru
Joined
Oct 18, 2007
Messages
302
Reaction score
20
I just got hacked

Over the weekend my system got hacked. Made about 500 calls fishing for credit cards. I have since run update-scripts and update fixes. Changed all ext pw to 7 digits. What else do I need to do?

Thanks,

Jeff
 

TheShniz

Guru
Joined
Nov 15, 2007
Messages
560
Reaction score
2
Change NAT to never in all of your extensions, and set Allow anonymous connections to No in General Settings. Only extensions that you want to be able to operate as remote extensions should have NAT = yes under Extensions.
 

merlyn

New Member
Joined
Nov 10, 2007
Messages
127
Reaction score
0
Over the weekend my system got hacked. Made about 500 calls fishing for credit cards. I have since ran update-scripts and update fixes. Changed all ext pw to 7 digits. What else do I need to do?

Since you have been hacked, you can never feel safe. Your system just feels dirty, you know what I mean?

Think seriously about a reinstall of the entire system. Yeah, I know, egads, the horror of a total reinstall. But you never really know what they changed while they were looking around. Did they have full access to the machine, and for how long ...

Update fail2ban while you are here in this thread :)

merlyn
 

jrglass

Guru
Joined
Oct 18, 2007
Messages
302
Reaction score
20
Per the form I ran ps aux | grep fail2ban. What does this mean?

root@pbx:~/fail2ban $ ps aux | grep fail2ban
root 5306 0.0 0.0 3892 680 pts/0 S+ 17:55 0:00 grep fail2ban
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,228
Follow the tutorial and repeat the process 'til you get a display matching what's shown in the sample.
 

gbb0330

New Member
Joined
Apr 23, 2008
Messages
16
Reaction score
0
issues after updating fail2ban

Ward, All
Great forum guys.

I have 2 systems, 1 of them got haxed. Updated fail2ban on both of them following Ward's instructions from 10-12-08, and changed the passwords, also set nat to never for all extensions on the local network.

The system that I am having problems with did NOT get hacked - it is PIAF with CentOS 5.2 with all fixes and updates installed as of Dec 04 2008.

After I updated fail2ban I noticed that sometimes the web interface will not open, until I click refresh on my browser.

Also when trying to connect with SSH sometimes it will simply time out [network error: connection timed out] - it seems completely random, happens maybe 1 out of 5 attempts.

Any help will be appreciated.
 

gbb0330

New Member
Joined
Apr 23, 2008
Messages
16
Reaction score
0
Disregard my previous post

One of our field techs came in with his laptop, and his IP address was the same as the PBX's IP address.
 

dghundt

Guru
Joined
Nov 15, 2007
Messages
603
Reaction score
52
Does the Dell SC440 orgasmatron have the most recent fail2ban update here?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,228
I think so, but I wouldn't swear to it. If there's an /etc/fail2ban directory, then it has the most recent version of fail2ban.
 
