Engineer Tim » iptables http://engineertim.com Engineers Blog Thu, 10 Jun 2010 16:53:43 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 asterisk bfd (brute force detection) rules for sip and iax http://engineertim.com/linux/asterisk-bfd-brute-force-detection-rules-for-sip-and-iax/ http://engineertim.com/linux/asterisk-bfd-brute-force-detection-rules-for-sip-and-iax/#comments Tue, 21 Jul 2009 23:44:54 +0000 Engineer Tim http://engineertim.com/?p=114

Thank you to a couple users who pointed out that my bfd rules were a little less than perfect. They worked great for me on a older version of bfd, but I believe a update to the bfd application caused them to stop working. Either way, new rules have been created.

This one is for SIP wrong passwords. Save this as asterisksip

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.sip"
TMP="/usr/local/bfd/tmp"

## ASTERISK: SIP wrong password
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "wrong password" | grep chan_sip | awk '{NF=NF-3} {print $NF}'| tr -d '\'\' `
fi

This rule is for wrong or non existent extension. Save this as asterisksip2

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.sip2"
TMP="/usr/local/bfd/tmp"

## ASTERISK: SIP no extension
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "No matching peer found" | grep chan_sip | awk '{NF=NF-5} {print $NF}'| tr -d '\'\' `
fi

This rule is for IAX. Save this as asteriskiax.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value

TRIG="5"
# file must exist for rule to be active
REQ="/usr/sbin/asterisk"


if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.iax"
TMP="/usr/local/bfd/tmp"

## ASTERISK: IAX2 auth failed

ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "failed MD5 authentication" | grep chan_iax2 | awk '{NF=NF-8} {print $NF}'`
fi

Special thanks goes to Ioan Indreias and Gonzalo Gonzalez.
If it looks like the code is missing, try to highlight it all and copy/paste it into a text document. Hopefully this will show the entire rule without issue.
Make sure these rules are stored in /usr/local/bfd/rules/ Then rerun bfd with bfd -q and see if the new rules are in place by checking for the files in /usr/local/bfd/tmp/ .

Thank you,
Engineer Tim

]]> http://engineertim.com/linux/asterisk-bfd-brute-force-detection-rules-for-sip-and-iax/feed/ 2