FreePBX issue FREEPBX-18876

Fail2ban is missing obvious hacking


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 14
    • Component/s: Fail2Ban
    • Labels: None
    • ToDo:
    • Asterisk Version: 15.5.0
    • Distro Version: 14.0.5.15
    • Distro: FreePBX Distro

      Description

      Here is a common example:

      
      [2019-01-02 22:19:40] SECURITY[13452] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-01-02T22:19:40.659-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="dFh7t2Rb2Rz7g4UY3VZCVQ..",LocalAddress="IPV4/TLS/10.0.10.15/5061",RemoteAddress="IPV4/TLS/46.166.151.160/50145",ACLName="registrar_attempt_without_configured_aors"

      The problem appears to be that /etc/fail2ban/filter.d/asterisk.conf is missing the TLS selector in both the LocalAddress and RemoteAddress.

      ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
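      The following check is an added example, not code from the report or from the FreePBX/fail2ban projects. It rebuilds the SecurityEvent failregex above with simplified stand-ins (assumptions) for fail2ban's %(__prefix_line)s/%(log_prefix)s, %(iso8601)s and <HOST> expansions and runs it over the quoted TLS line and a constructed UDP control line. It goes one step beyond the report: the quoted line also carries AccountID="anonymous", which the shipped `AccountID="(\d*|<unknown>)"` alternation rejects, so adding TLS to the transport list alone still leaves that line unmatched.

```python
import re

# Constructed sample lines: the TLS FailedACL line quoted in the report, plus a
# UDP InvalidPassword line of the same shape that the stock filter already catches.
TLS_LINE = ('[2019-01-02 22:19:40] SECURITY[13452] res_security_log.c: '
            'SecurityEvent="FailedACL",EventTV="2019-01-02T22:19:40.659-0500",'
            'Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",'
            'SessionID="dFh7t2Rb2Rz7g4UY3VZCVQ..",LocalAddress="IPV4/TLS/10.0.10.15/5061",'
            'RemoteAddress="IPV4/TLS/46.166.151.160/50145",'
            'ACLName="registrar_attempt_without_configured_aors"')
UDP_LINE = ('[2019-01-02 22:20:01] SECURITY[13452] res_security_log.c: '
            'SecurityEvent="InvalidPassword",EventTV="2019-01-02T22:20:01.100-0500",'
            'Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",'
            'SessionID="abc123..",LocalAddress="IPV4/UDP/10.0.10.15/5060",'
            'RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="1546485601/abc"')

# Stand-ins (assumptions, not fail2ban's own macro definitions) for the
# %(__prefix_line)s / %(log_prefix)s, %(iso8601)s and <HOST> substitutions.
PREFIX = r'^\[[^\]]+\] SECURITY\[\d+\] [^:]+:'
ISO8601 = r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}'
HOST = r'(?P<host>[\w.:-]+)'


def failregex(transports, account_ids):
    """Build the SecurityEvent failregex from the report with the given
    transport and AccountID alternations; everything else is left as shipped."""
    addr = r'IPV[46]/(' + transports + r')/'
    return ''.join([
        PREFIX, r' SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",',
        r'EventTV="([\d-]+|', ISO8601, r')",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",',
        r'AccountID="(', account_ids, r')",SessionID=".+",',
        r'LocalAddress="', addr, r'[\da-fA-F:.]+/\d+",RemoteAddress="', addr, HOST, r'/\d+"',
        r'(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?',
        r'(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'])


STOCK = failregex(r'UDP|TCP|WS|WSS', r'\d*|<unknown>')               # filter as shipped
TLS_ONLY = failregex(r'UDP|TCP|WS|WSS|TLS', r'\d*|<unknown>')        # only the TLS change
FULL_FIX = failregex(r'UDP|TCP|WS|WSS|TLS', r'\d*|<unknown>|anonymous')


def banned_host(pattern, line):
    """Return the <HOST> fail2ban would act on for this line, or None if the filter misses it."""
    m = re.match(pattern, line)
    return m.group('host') if m else None


if __name__ == '__main__':
    for name, pat in (('stock', STOCK), ('tls-only', TLS_ONLY), ('tls+anonymous', FULL_FIX)):
        print(f'{name:14} TLS line -> {banned_host(pat, TLS_LINE)}   UDP line -> {banned_host(pat, UDP_LINE)}')
```

      The same check can be run against real lines from /var/log/asterisk/full before and after editing the filter, which is quicker than waiting for a ban to show up in the fail2ban log.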

      People

      • Assignee: Unassigned
      • Reporter: Basildane Basildane
      • Votes: 1
      • Watchers: 4
