Sokolov blog » sip http://blog.sokolov.me всякие заметки, в-основном freebsd,linux Wed, 14 Dec 2011 16:39:52 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 защита sip от перебора http://blog.sokolov.me/2010/10/20/%d0%b7%d0%b0%d1%89%d0%b8%d1%82%d0%b0-sip-%d0%be%d1%82-%d0%bf%d0%b5%d1%80%d0%b5%d0%b1%d0%be%d1%80%d0%b0/ http://blog.sokolov.me/2010/10/20/%d0%b7%d0%b0%d1%89%d0%b8%d1%82%d0%b0-sip-%d0%be%d1%82-%d0%bf%d0%b5%d1%80%d0%b5%d0%b1%d0%be%d1%80%d0%b0/#comments Wed, 20 Oct 2010 18:29:04 +0000 kfx http://blog.sokolov.me/?p=732  

fail2ban — достаточно удобный способ защиты сервисов от перебора паролей и других атак на основе анализа log файлов приложений.
представляет собой набор скриптов на phyton

имеется в портах freebsd и пекетах debian,ubuntu

настройки специфичные для asterisk:

The contents of /etc/fail2ban/filter.d/asterisk.conf should be the following:

 

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

</code>
Next edit /etc/fail2ban/jail.conf to include the following section so that it uses the new filter. This does a 3-day ban on the IP that performed the attack. It is recommend to set the bantime in the [DEFAULT] section so if affects all attacks. It is also recommend to turn on an iptables ban for ssh, httpd/apache, and ftp if they are running on the system. Be sure to edit the sendmail-whois action to send notifications to an appropriate address:

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
mail-whois[name=ASTERISK, dest=root, sender=sip3@unetcom.ru]
logpath  = /var/log/asterisk/full
maxretry = 4
bantime = 259200

To change this format, open /etc/asterisk/logger.conf and add the following line under [general] section (You may have to create this before the [logfiles] section). This causes the date and time to be formatted as Year-Month-Day Hour:Minute:Second, [2008-10-01 13:40:04] is an example.

[general]
dateformat=%F %T

для применения изменений перезапустим логгер
asterisk -rx "logger reload"

]]> http://blog.sokolov.me/2010/10/20/%d0%b7%d0%b0%d1%89%d0%b8%d1%82%d0%b0-sip-%d0%be%d1%82-%d0%bf%d0%b5%d1%80%d0%b5%d0%b1%d0%be%d1%80%d0%b0/feed/ 0 Установка и настройка Asterisk 1.6 + PostgreSQL на Debian http://blog.sokolov.me/2009/10/09/%d1%83%d1%81%d1%82%d0%b0%d0%bd%d0%be%d0%b2%d0%ba%d0%b0-%d0%b8-%d0%bd%d0%b0%d1%81%d1%82%d1%80%d0%be%d0%b9%d0%ba%d0%b0-asterisk-1-6-postgresql-%d0%bd%d0%b0-debian/ http://blog.sokolov.me/2009/10/09/%d1%83%d1%81%d1%82%d0%b0%d0%bd%d0%be%d0%b2%d0%ba%d0%b0-%d0%b8-%d0%bd%d0%b0%d1%81%d1%82%d1%80%d0%be%d0%b9%d0%ba%d0%b0-asterisk-1-6-postgresql-%d0%bd%d0%b0-debian/#comments Thu, 08 Oct 2009 23:46:50 +0000 pavel http://blog.sokolov.me/?p=48 Установка и настройка Asterisk 1.6 + PostgreSQL на Debian » Все для системного администратора. Софт. Мануалы..

]]> http://blog.sokolov.me/2009/10/09/%d1%83%d1%81%d1%82%d0%b0%d0%bd%d0%be%d0%b2%d0%ba%d0%b0-%d0%b8-%d0%bd%d0%b0%d1%81%d1%82%d1%80%d0%be%d0%b9%d0%ba%d0%b0-asterisk-1-6-postgresql-%d0%bd%d0%b0-debian/feed/ 0 Asterisk RealTime (вместо конфигов БД) http://blog.sokolov.me/2009/10/09/asterisk-realtime-%d0%b2%d0%bc%d0%b5%d1%81%d1%82%d0%be-%d0%ba%d0%be%d0%bd%d1%84%d0%b8%d0%b3%d0%be%d0%b2-%d0%b1%d0%b4/ http://blog.sokolov.me/2009/10/09/asterisk-realtime-%d0%b2%d0%bc%d0%b5%d1%81%d1%82%d0%be-%d0%ba%d0%be%d0%bd%d1%84%d0%b8%d0%b3%d0%be%d0%b2-%d0%b1%d0%b4/#comments Thu, 08 Oct 2009 23:41:34 +0000 pavel http://blog.sokolov.me/?p=46 Asterisk RealTime | База знаний | asterisk.ru.

]]> http://blog.sokolov.me/2009/10/09/asterisk-realtime-%d0%b2%d0%bc%d0%b5%d1%81%d1%82%d0%be-%d0%ba%d0%be%d0%bd%d1%84%d0%b8%d0%b3%d0%be%d0%b2-%d0%b1%d0%b4/feed/ 0