How to setup fail2ban on an Asterisk server
Created: 2019-02-19 08:56:54 | Last modified: 2022-03-13 00:22:47 | By: Nova | Access: Read | Visibility: Public | Tags: asterisk linux
If you run an Asterisk server, especially one reachable from the Internet, it will see a constant stream of SIP registration and brute-force attempts. The simplest way to block them is fail2ban, which watches the Asterisk log for failed registrations and adds firewall rules against the offending addresses.
The Setup
Install Fail2Ban
yum install epel-release
yum install fail2ban

vim /etc/fail2ban/fail2ban.conf
# Change logtarget = SYSLOG to logtarget = /var/log/fail2ban.log
Create a jail.local file in the /etc/fail2ban/ directory
vim /etc/fail2ban/jail.local

Paste the following, changing the relevant parameters. The 111.111.111.111/24 entry in ignoreip is a placeholder for a range you never want banned (your own office or your SIP trunk provider, for example); 127.0.0.0/8 keeps the local host itself safe. bantime is in seconds: 3600 is one hour, and we set ours to one week (604800). findtime is the window, also in seconds, within which maxretry failures from one address must occur before it is banned.

# Fail2Ban configuration file

[DEFAULT]
ignoreip = 127.0.0.0/8 111.111.111.111/24
bantime = 3600
findtime = 3600
maxretry = 5
backend = auto

# Ban time is in seconds, currently set to 1 hour
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/full
bantime = 3600
maxretry = 5
Restart/start the fail2ban service
service fail2ban restart
The following command should show the jails running on the server, in this example asterisk-iptables plus any ssh jail you have enabled elsewhere (on systemd hosts it only reports whether the daemon is up; use fail2ban-client status for the jail list):
service fail2ban status
To check which IP addresses are currently banned, run the following command; fail2ban puts its rules in a chain named after the jail's action (fail2ban-SIP on 0.8, f2b-SIP on 0.9 and later), and any SSH bans show up in their own chain alongside it. fail2ban-client status asterisk-iptables shows the same list for just this jail.
iptables -L -v
To view the fail2ban log
tail -f /var/log/fail2ban.log
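To see how maxretry, findtime and ignoreip in the jail above interact, here is an added example, written for this page and not fail2ban's own code, that replays constructed Asterisk full-log lines through a small model of the jail. The two regexes are simplified from the patterns fail2ban's asterisk filter uses (chan_sip registration NOTICEs and SECURITY events); the sample log lines, PIDs, account names and the 10.0.0.0/8 ignore range (standing in for the 111.111.111.111/24 placeholder) are all invented, and the failure window is measured against log timestamps rather than the wall clock.

```python
# Model of one fail2ban jail replayed over Asterisk 'full' log lines.
# Added illustration for this page; not fail2ban code, and the log is constructed.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- constructed sample log (not a real capture) --------------------------
NOTICE = ("[2019-02-19 {ts}] NOTICE[1234] chan_sip.c: Registration from "
          "'\"{acct}\" <sip:{acct}@10.0.0.5>' failed for '{src}:{port}' - {why}")
SECURITY = ("[2019-02-19 {ts}] SECURITY[1235] res_security_log.c: "
            'SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",'
            'AccountID="{acct}",LocalAddress="IPV4/UDP/10.0.0.5/5060",'
            'RemoteAddress="IPV4/UDP/{src}/5060"')

SAMPLE_LINES = (
    ['[2019-02-19 08:50:00] VERBOSE[1234] pbx.c: -- Executing [s@default:1] '
     'NoOp("SIP/1001-00000001", "") in new stack']                   # noise
    # 6 failures in 6 seconds from one scanner: banned on the 5th
    + [NOTICE.format(ts=f"08:50:0{i}", acct=1000 + i, src="203.0.113.7", port=5060,
                     why="Wrong password" if i != 3 else "No matching peer found")
       for i in range(1, 7)]
    # 4 failures, then a 5th more than findtime later: never 5 in one window
    + [NOTICE.format(ts=f"08:5{i}:00", acct=100, src="198.51.100.9", port=5061,
                     why="Wrong password") for i in range(1, 5)]
    # 5 SECURITY events from a LAN phone with a bad password: inside ignoreip
    + [SECURITY.format(ts=f"08:5{i}:30", acct=1001, src="10.0.0.77")
       for i in range(5, 10)]
    + [NOTICE.format(ts="09:55:00", acct=100, src="198.51.100.9", port=5061,
                     why="Wrong password")]
)

TIMESTAMP = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")
# Simplified from fail2ban's filter.d/asterisk.conf; <HOST> becomes (?P<host>...)
FAILURE_PATTERNS = [
    re.compile(r"NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' failed for "
               r"'(?P<host>[^':]+)(?::\d+)?' - "),
    re.compile(r'SECURITY\[\d+\] \S+ SecurityEvent="(?:FailedACL|InvalidAccountID|'
               r'ChallengeResponseFailed|InvalidPassword)",.*?'
               r'RemoteAddress="IPV[46]/(?:UDP|TCP|WS|WSS|TLS)/(?P<host>[^/"]+)/\d+"'),
]


class Jail:
    """Minimal model of one jail: ignoreip, findtime, maxretry, bantime."""

    def __init__(self, maxretry=5, findtime=3600, bantime=3600,
                 ignoreip=("127.0.0.0/8", "10.0.0.0/8")):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> failure times in window
        self.bans = {}                       # host -> time the ban expires
        self.ban_order = []                  # hosts in the order they were banned

    def is_ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the host if this line triggered a ban."""
        ts_match = TIMESTAMP.match(line)
        if not ts_match:
            return None
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        for pattern in FAILURE_PATTERNS:
            hit = pattern.search(line)
            if hit:
                break
        else:
            return None                      # not a failure line
        host = hit.group("host")
        if self.is_ignored(host):
            return None
        if host in self.bans and ts < self.bans[host]:
            return None                      # already banned; firewall drops it
        window = self.failures[host]
        window.append(ts)
        while ts - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            window.clear()
            self.bans[host] = ts + self.bantime
            self.ban_order.append(host)
            return host
        return None


def replay(lines, **jail_settings):
    """Run a jail with the given settings over the lines; return it for inspection."""
    jail = Jail(**jail_settings)
    for line in lines:
        jail.feed(line)
    return jail


if __name__ == "__main__":
    print("page defaults     ->", replay(SAMPLE_LINES).ban_order)
    print("findtime = 7200   ->", replay(SAMPLE_LINES, findtime=7200).ban_order)
    print("LAN not ignored   ->", replay(SAMPLE_LINES, ignoreip=("127.0.0.0/8",)).ban_order)
```

Run as-is it reports which of the three sources get banned under the page's defaults (only the fast scanner), with findtime doubled (the slow one too) and with the LAN range removed from ignoreip (the misconfigured phone as well). To test the real filter against your real log, use fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf, which prints how many lines matched and which hosts it extracted from them.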
Notes
The Asterisk logger must write NOTICE messages to /var/log/asterisk/full, because the failed-registration notices fail2ban matches are logged at that level; if notice is missing from the channel, the filter never sees a failure and nobody gets banned.
vim /etc/asterisk/logger.conf
# Edit the file so the full channel looks like the following
full => notice,warning,error,debug,verbose
Then reload the logger from the Asterisk CLI (logger reload) so the change takes effect. fail2ban's asterisk filter also matches Asterisk's SECURITY events, so adding security to that list gives it a second source of failures on versions that emit them.
If you are using other jails or ban methods, one thing to look out for is the email notifications. Either change the destination address on the jail's mail action to one you actually read, or remove the mail action from the action line, depending on whether you want to be notified about each ban. Leaving the stock settings in place ends up with a whole lot of undelivered email sitting in your postfix queue.
Make the change in /etc/fail2ban/jail.local rather than in jail.conf: jail.local overrides jail.conf, and package upgrades overwrite jail.conf but leave jail.local alone.