Fail2ban no Asterisk 1.8

Bom,

Quem usava o fail2ban no asterisk 1.6 (ou abaixo) ao migrar para a versão 1.8 deve ter tido problemas como fail2ban que parou de bloquear os ataques isso porque o asterisk 1.8 envia nos logs além do IP a porta e o fail2ban estava configurado apenas para receber o ip. Bom de qualquer forma segue o tutorial completo

aptitude install fail2ban

Adicione as linhas abaixo ao arquivo /etc/fail2ban/jail.conf (o comando abaixo já faz automatico):

echo "[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
 #          sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@fail2ban]
logpath  = /var/log/asterisk/messages
maxretry = 10
bantime = 259200" >> /etc/fail2ban/jail.conf

As linhas acima vão acrescentar a regra do asterisk e caso seja encontrada nos logs 10 vezes consecutivos a mesma string ele vai bloquear por 2 dias o IP. Deixei comentada a linha do sendmail caso não queira enviar um e-mail (lembrando que precisa ter um servidor de e-mail, como o exim4)

Após isso crie o arquivo asterisk.conf dentro de /etc/fail2ban/filter.d com o seguinte conteudo:

vim /etc/fail2ban/filter.d/asterisk.conf

############################
# Fail2Ban configuration file

#
#
# $Revision: 251 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for ':.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for ':.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for ':.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for ':.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for ':.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for ':.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for ':.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for ':.*' - Device does not match ACL
            NOTICE.* .*: Registration from '\".*\".*' failed for ':.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for ':.*' - Wrong password
            NOTICE.* failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from \)
            NOTICE.* .*: Host failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@.*
            NOTICE.* .*: failed to authenticate as '.*'
            NOTICE.* .*: tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/-.*Received incoming SIP connection from unknown peer

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

##############################################

Pronto é ó isso, agora reinicie o fail2ban e faça seus testes:

service fail2ban restart

Fuiiiiiiiiiiiiii