Asterisk + fail2ban + PF

cheshirrrrre

New Member


Messages: 3

Hello!

I've a strange problem with PF's rules. So, here it is:

I've configured fail2ban to guard my asterisk service and added 1 table and 2 rules for PF:

Code:
table <fail2ban> persist
block drop in quick on em1 proto {tcp udp} from <fail2ban> to any
block drop in quick on em1 proto {tcp udp} from any to <fail2ban>

I've started asterisk, fail2ban and the PF rules.

Aaaaaand the asterisk log is full of a bruteforcer trying his/her hardest.

Code:
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163870"<sip:163870@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163871"<sip:163871@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163872"<sip:163872@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163873"<sip:163873@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163874"<sip:163874@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found

The IP of the bruteforcer is already in the <fail2ban> table, as the output below shows.

Code:
blahblah# pfctl -t fail2ban -T show
No ALTQ support in kernel
ALTQ related functions disabled
   xxx.xxx.xxx.xxx
blahblah#

Here's the output of pfctl -vvv -s rules:

Code:
blahblah# pfctl -vvv -s rules
No ALTQ support in kernel
ALTQ related functions disabled
@0 block drop in quick on em1 proto tcp from <fail2ban:1> to any
  [ Evaluations: 27837     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@1 block drop in quick on em1 proto udp from <fail2ban:1> to any
  [ Evaluations: 261       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@2 block drop in quick on em1 proto tcp from any to <fail2ban:1>
  [ Evaluations: 5968      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@3 block drop in quick on em1 proto udp from any to <fail2ban:1>
  [ Evaluations: 261       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@4 block return out log quick on ! lo0 inet from 127.0.0.0/8 to any
  [ Evaluations: 27837     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@5 block return in log quick on ! lo0 inet from any to 127.0.0.0/8
  [ Evaluations: 26999     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@6 pass out on lo0 all flags S/SA keep state (if-bound)
  [ Evaluations: 27837     Packets: 13571     Bytes: 20462531    States: 31    ]
  [ Inserted: uid 0 pid 10518 ]
@7 pass in on lo0 all flags S/SA keep state (if-bound)
  [ Evaluations: 838       Packets: 13569     Bytes: 20462427    States: 31    ]
  [ Inserted: uid 0 pid 10518 ]
@8 pass in on em1 inet proto udp from any to blahblah port = 1194 keep state (if-bound)
  [ Evaluations: 27417     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@9 pass in on em1 inet proto udp from 9xx.xxx.xxx.xxx to blahblah port = sip keep state (if-bound)
  [ Evaluations: 256       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@10 pass in on em1 inet proto udp from 1xx.xxx.xxx.xxx to blahblah port = sip keep state (if-bound)
  [ Evaluations: 256       Packets: 121       Bytes: 65574       States: 1     ]
  [ Inserted: uid 0 pid 10518 ]
@11 pass in quick on em1 inet proto tcp from 6xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5968      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@12 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@13 pass in quick on em1 inet proto tcp from 7xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@14 pass in quick on em1 inet proto tcp from 4xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@15 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@16 pass in quick on em1 inet proto tcp from 1xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@17 pass in quick on em1 inet proto tcp from 1xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@18 pass in quick on em1 inet proto tcp from 4xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@19 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
  [ Evaluations: 5707      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@20 pass in quick on em1 inet proto tcp from 4xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5709      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@21 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5709      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@22 pass in quick on em1 inet proto tcp from 6xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
  [ Evaluations: 5709      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@23 block return in quick on em1 inet proto tcp from any to blahblah port = ssh
  [ Evaluations: 5709      Packets: 1         Bytes: 40          States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@24 block return in quick on em1 inet proto tcp from any to blahblah port = imap
  [ Evaluations: 5708      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@25 block return in quick on em1 inet proto tcp from any to blahblah port = pop3s
  [ Evaluations: 5708      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@26 block return in quick on em1 inet proto tcp from any to blahblah port = ftp-data
  [ Evaluations: 5708      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
@27 block return in quick on em1 inet proto tcp from any to blahblah port = 3128
  [ Evaluations: 5708      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 10518 ]
blahblah#

I've replaced the IP of the asterisk server with 'blahblah' and the other IP with xx.xxx.xxx.xxx. Evaluations are there, but there are no matches.

Here's my pf.conf:
Code:
ext_if="em1"
external_addr="blahblah"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 100000, frags 5000 }
set loginterface em1
set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set state-policy if-bound

table <fail2ban> persist

block drop in quick on em1 proto {tcp udp} from <fail2ban> to any
block drop in quick on em1 proto {tcp udp} from any to <fail2ban>

##LO0 Protect
block out quick log on !lo0 from 127.0.0.0/8 to any
block in quick log on !lo0 from any to 127.0.0.0/8
pass out on lo0 all
pass in on lo0 all

pass in on $ext_if proto udp from any to $external_addr port 1194

pass in on $ext_if proto udp from 9xx.xxx.xxx.xxx to $external_addr port 5060
pass in on $ext_if proto udp from 1xx.xxx.xxx.xxx to $external_addr port 5060

pass in quick on $ext_if proto tcp from 6xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 7xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 4xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 1xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 1xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 4xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 4xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 6xx.xxx.xxx.xxx to $external_addr port 22

block in quick on $ext_if proto tcp from any to $external_addr port 22
block in quick on $ext_if proto tcp from any to $external_addr port 143
block in quick on $ext_if proto tcp from any to $external_addr port 995
block in quick on $ext_if proto tcp from any to $external_addr port 20
block in quick on $ext_if proto tcp from any to $external_addr port 3128

Code:
FreeBSD blahblah 8.2-RELEASE-p9 FreeBSD 8.2-RELEASE-p9 #0: Mon Jun 11 23:00:11 UTC 2012

So what the hell is wrong?
 
OP
cheshirrrrre

cheshirrrrre

New Member


Messages: 3

Hello, SirDice!

Yes, I am fully aware that 8.2 is not supported any more, but that machine is a VDS and by the provider's rules I can't upgrade it to a recent version.

As for the "http://www.fail2ban.org/wiki/index.php/Asterisk" matter - yes, I have followed that article and nothing happened (by nothing I mean 'the problem was not solved').

Strangely, today I have seen in the output of "pfctl -vvv -s rules" that the rule for blocking UDP traffic for the IPs in the "fail2ban" table actually works:

Code:
@1 block drop in quick on em1 proto udp from <fail2ban:5> to any
  [ Evaluations: 761906    Packets: 31519     Bytes: 13465479    States: 0     ]
  [ Inserted: uid 0 pid 10518 ]

There's no overwhelming activity of bruteforcers in the Asterisk log either. I will conduct further investigation of this matter and report here in this topic.

Thanks for your help and attention!
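A defender-side helper for the setup in this thread, added here as an example rather than anything the poster or fail2ban ships: it parses "pfctl -vvv -s rules" output for rules that reference the <fail2ban> table and flags any that were evaluated but never matched (the symptom in the first post, which had cleared by the second), and it shows a ban step that also kills existing PF states for the address, since packets matching an existing state are passed before the ruleset is consulted. The table name and the counter layout come from the thread's output; the script name, function names and the audit/ban arguments are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the <fail2ban> table rules in
# "pfctl -vvv -s rules" output, and ban an address while clearing its states.
TABLE="${TABLE:-fail2ban}"   # table name as used in the thread's pf.conf

# Read "pfctl -vvv -s rules" text on stdin and print, for every rule that
# references <$TABLE>, one line: "<rule-id> <evaluations> <packets>".
# Assumes pfctl's layout: a rule line starting with "@N", then a counter
# line "[ Evaluations: N  Packets: N  Bytes: N  States: N ]".
table_rule_counters() {
    awk -v tbl="<$TABLE" '
        /^@[0-9]+ / { rule = (index($0, tbl) > 0) ? $1 : ""; next }
        rule != "" && /Evaluations:/ { print rule, $3, $5; rule = "" }
    '
}

# Exit 0 when every table rule that was evaluated also matched packets;
# exit 1 and list the rules that were evaluated but never matched, which is
# exactly the symptom shown in the first post.
check_table_rules() {
    table_rule_counters | awk '
        $2 > 0 && $3 == 0 { print "never matched:", $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Ban one address: add it to the table, then kill the states PF already
# holds for it as source and as destination. Without the kill, a peer whose
# traffic created a state before the ban keeps passing, because state lookup
# happens before the ruleset is evaluated. Needs root and a real pfctl.
ban_address() {
    addr="$1"
    pfctl -t "$TABLE" -T add "$addr" &&
    pfctl -k "$addr" &&
    pfctl -k 0.0.0.0/0 -k "$addr"
}

# Assumed command-line interface:
#   pfctl -vvv -s rules | sh pf_fail2ban_check.sh audit
#   sh pf_fail2ban_check.sh ban 192.0.2.10
case "${1:-}" in
    audit) check_table_rules ;;
    ban)   ban_address "$2" ;;
esac
```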
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,031
Messages: 38,480

cheshirrrrre said:
Yes, I am fully aware that 8.2 is not supported any more, but that machine is a VDS and by the provider's rules I can't upgrade it to a recent version.
Switch providers or get them to support it. You're running something that's vulnerable to attacks. There have been several security issues and none of them will be fixed.
 