Fail2Ban

What is a Fail2Ban?

Fail2Ban is an intrusion prevention framework, it protects you sip devices from brute force registration attacks

How can I install Fail2Ban?

Just run the script /usr/src/mor/sh_scripts/fail2ban_install_vX.sh, where X is the script version number, to install this software.

/usr/src/mor/sh_scripts/fail2ban_install_vX.sh

How Fail2Ban works?

Fail2Ban checks Asterisk log: /var/log/asterisk/messages and counts unsuccessful sip registration attempts. When it counts to 5 - bans the abusive user for a specified amount of time (600 seconds by default).

These settings can be adjusted in /etc/fail2ban/jail.conf:

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, port=5060, protocol=udp]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 600

maxretry - maximum number of retries allowed

bantime - ban time is seconds

You will also find a section [DEFAULT] in jail.conf. In this section you will find variable ignoreip here mor install script places addresses that are ignored and will not be banned. Add here additional addresses if you find you need to do this.

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 192.168.0.1/16 10.0.0.0/8 127.0.0.1/8 172.16.0.0/12 213.197.141.162  192.168.0.158

213.197.141.162 is the address of KolmiSoft support office. Please leave it here.