
Jul 21

asterisk bfd (brute force detection) rules for sip and iax

Edit: I have uploaded a .tar file of the rules that can be downloaded.
rules.tar

Thank you to a couple of users who pointed out that my bfd rules were a little less than perfect. They worked great for me on an older version of bfd, but I believe an update to the bfd application caused them to stop working. Either way, new rules have been created.

This one is for SIP wrong passwords. Save this as asterisksip.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.sip"
TMP="/usr/local/bfd/tmp"

## ASTERISK: SIP wrong password
# the source address is the quoted field 3 from the end of the log line;
# awk drops the trailing fields, then tr strips the quotes Asterisk puts around it
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "wrong password" | grep chan_sip | awk '{NF=NF-3} {print $NF}'| tr -d '\'\' `
fi

This rule is for a wrong or nonexistent extension. Save this as asterisksip2.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.sip2"
TMP="/usr/local/bfd/tmp"

## ASTERISK: SIP no extension
# same log format, but the reason text is five words long, so the address is field 5 from the end
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "No matching peer found" | grep chan_sip | awk '{NF=NF-5} {print $NF}'| tr -d '\'\' `
fi

This rule is for IAX. Save this as asteriskiax.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.iax"
TMP="/usr/local/bfd/tmp"

## ASTERISK: IAX2 auth failed
# chan_iax2 logs "Host <addr> failed MD5 authentication for '<user>' (<hash> != <hash>)",
# so the unquoted address is field 8 from the end and no tr step is needed
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "failed MD5 authentication" | grep chan_iax2 | awk '{NF=NF-8} {print $NF}'`
fi
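As an added example that is not part of the original post, the script below runs the same grep/awk/tr pipelines from the three rules against constructed Asterisk log lines, so you can check which field each one leaves before dropping the rules into /usr/local/bfd/rules/. It replaces bfd's $TLOG_PATH reader with printf over an embedded sample; the log lines are constructed in the Asterisk 1.4 "full" log format and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not part of the original post): exercises the three bfd
# extraction pipelines from the rules above against constructed log lines.
# $TLOG_PATH (bfd's log reader) is replaced by printf over SAMPLE_LOG.

# Constructed sample of /var/log/asterisk/full: four hits and one decoy line
SAMPLE_LOG=$(cat <<'EOF'
[Jul 21 10:15:32] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[Jul 21 10:15:40] VERBOSE[1234] logger.c:     -- Registered SIP '200' at 192.0.2.11 port 5060
[Jul 21 10:16:01] NOTICE[1234] chan_sip.c: Registration from '"999" <sip:999@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[Jul 21 10:17:45] NOTICE[1234] chan_iax2.c: Host 203.0.113.7 failed MD5 authentication for 'guest' (0a1b2c != 3d4e5f)
[Jul 21 10:18:02] NOTICE[1234] chan_iax2.c: Host 203.0.113.7 failed MD5 authentication for 'guest' (0a1b2c != 3d4e5f)
EOF
)

# asterisksip: address is field 3 from the end, wrapped in single quotes
sip_wrong_password() {
    printf '%s\n' "$SAMPLE_LOG" | grep -i "wrong password" | grep chan_sip \
        | awk '{NF=NF-3} {print $NF}' | tr -d "\\'"
}

# asterisksip2: five-word reason text, so the address is field 5 from the end
sip_no_extension() {
    printf '%s\n' "$SAMPLE_LOG" | grep -i "No matching peer found" | grep chan_sip \
        | awk '{NF=NF-5} {print $NF}' | tr -d "\\'"
}

# asteriskiax: unquoted address is field 8 from the end, no tr needed
iax_auth_failed() {
    printf '%s\n' "$SAMPLE_LOG" | grep -i "failed MD5 authentication" | grep chan_iax2 \
        | awk '{NF=NF-8} {print $NF}'
}

# bfd counts hits per address and bans at TRIG; this mirrors that count so the
# threshold behaviour can be eyeballed on the sample (output: "<count> <addr>")
count_hits() {
    { sip_wrong_password; sip_no_extension; iax_auth_failed; } | sort | uniq -c | sort -rn
}
```

If your Asterisk version logs the SIP address as 'addr:port', the two SIP pipelines will return the port as well and the rule needs one more step to strip it; run the functions above against a few real lines from your own log to confirm the field arithmetic before relying on the ban.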

Special thanks goes to Ioan Indreias and Gonzalo Gonzalez.
If it looks like the code is missing, try to highlight it all and copy/paste it into a text document. Hopefully this will show the entire rule without issue.
Make sure these rules are stored in /usr/local/bfd/rules/. Then rerun bfd with bfd -q and check that the new rules are in place by looking for the corresponding files in /usr/local/bfd/tmp/.

Thank you,
Engineer Tim