[AsteriskBrasil] Fail2Ban blocks after many attempts.

João Marcelo Queiroz jmbq at bol.com.br
Tue Feb 8 10:23:24 BRST 2011


With the help of several friends here on the list, my fail2ban is finally blocking the constant attacks I have been suffering. But although I configured jail.conf to ban the IP after 2 attempts, what I see is that sometimes it takes 100 attempts or more before f2b blocks the IP. What I could make out is that the block is applied after 1 second, that is, if within 1 second the attacker makes 1000 attempts or 10 attempts, it doesn't matter, the block is only applied after that time. At least that is what I could tell from the logs.

I have already changed maxretry from 3 to 2 and findtime from 60 to 30 and to 1000, with no noticeable effect.

Is there anything else I can do? I stress that all the attacks are stopped by F2B, that is, F2B is working, but only after several attempts.

Below is an example of an attack.

_________________________

[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1790833979"<sip:1790833979@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"100"<sip:100@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"200"<sip:200@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"300"<sip:300@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"400"<sip:400@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"500"<sip:500@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"600"<sip:600@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"700"<sip:700@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"800"<sip:800@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"900"<sip:900@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1000"<sip:1000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"2000"<sip:2000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"3000"<sip:3000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"4000"<sip:4000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"5000"<sip:5000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"6000"<sip:6000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"7000"<sip:7000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"8000"<sip:8000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"9000"<sip:9000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"0000"<sip:0000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"123"<sip:123@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1234"<sip:1234@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"12345"<sip:12345@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"123456"<sip:123456@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"123123"<sip:123123@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"12341234"<sip:12341234@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1234512345"<sip:1234512345@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"105"<sip:105@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"205"<sip:205@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"305"<sip:305@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"405"<sip:405@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"505"<sip:505@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"605"<sip:605@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"705"<sip:705@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"805"<sip:805@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"905"<sip:905@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"test"<sip:test@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"noauth"<sip:noauth@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"101"<sip:101@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"202"<sip:202@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"303"<sip:303@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"404"<sip:404@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"505"<sip:505@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"606"<sip:606@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"707"<sip:707@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"808"<sip:808@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
[Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"909"<sip:909@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found
__________________________

Here is part of the fail2ban log:

__________________________
2011-02-04 17:39:28,126 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-02-04 17:39:28,127 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2011-02-04 17:39:28,127 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2011-02-04 17:39:28,141 fail2ban.filter : INFO   Added logfile = /var/log/iptables
2011-02-04 17:39:28,141 fail2ban.filter : INFO   Set maxRetry = 5
2011-02-04 17:39:28,142 fail2ban.filter : INFO   Set findtime = 1000
2011-02-04 17:39:28,142 fail2ban.actions: INFO   Set banTime = 518400
2011-02-04 17:39:28,185 fail2ban.jail   : INFO   Creating new jail 'asterisk-iptables'
2011-02-04 17:39:28,186 fail2ban.jail   : INFO   Jail 'asterisk-iptables' uses poller
2011-02-04 17:39:28,186 fail2ban.filter : INFO   Added logfile = /var/log/asterisk/fail2ban
2011-02-04 17:39:28,187 fail2ban.filter : INFO   Set maxRetry = 2
2011-02-04 17:39:28,188 fail2ban.filter : INFO   Set findtime = 1000
2011-02-04 17:39:28,188 fail2ban.actions: INFO   Set banTime = 518400
2011-02-04 17:39:28,204 fail2ban.jail   : INFO   Creating new jail 'ssh-tcpwrapper'
2011-02-04 17:39:28,204 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' uses poller
2011-02-04 17:39:28,205 fail2ban.filter : INFO   Added logfile = /var/log/iptables
2011-02-04 17:39:28,205 fail2ban.filter : INFO   Set maxRetry = 2
2011-02-04 17:39:28,207 fail2ban.filter : INFO   Set findtime = 1000
2011-02-04 17:39:28,207 fail2ban.actions: INFO   Set banTime = 518400
2011-02-04 17:39:28,225 fail2ban.jail   : INFO   Creating new jail 'apache-tcpwrapper'
2011-02-04 17:39:28,225 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' uses poller
2011-02-04 17:39:28,225 fail2ban.filter : INFO   Set maxRetry = 6
2011-02-04 17:39:28,226 fail2ban.filter : INFO   Set findtime = 1000
2011-02-04 17:39:28,227 fail2ban.actions: INFO   Set banTime = 518400
2011-02-04 17:39:28,232 fail2ban.jail   : INFO   Creating new jail 'proftpd-iptables'
2011-02-04 17:39:28,232 fail2ban.jail   : INFO   Jail 'proftpd-iptables' uses poller
2011-02-04 17:39:28,233 fail2ban.filter : INFO   Set maxRetry = 6
2011-02-04 17:39:28,234 fail2ban.filter : INFO   Set findtime = 1000
2011-02-04 17:39:28,234 fail2ban.actions: INFO   Set banTime = 518400
2011-02-04 17:39:28,245 fail2ban.jail   : INFO   Creating new jail 'sasl-iptables'
2011-02-04 17:39:28,245 fail2ban.jail   : INFO   Jail 'sasl-iptables' uses poller
2011-02-04 17:39:28,246 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-02-04 17:39:28,246 fail2ban.filter : INFO   Set maxRetry = 2
2011-02-04 17:39:28,247 fail2ban.filter : INFO   Set findtime = 1000
2011-02-04 17:39:28,248 fail2ban.actions: INFO   Set banTime = 518400
2011-02-04 17:39:28,255 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2011-02-04 17:39:28,256 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2011-02-04 17:39:28,258 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' started
2011-02-04 17:39:28,261 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' started
2011-02-04 17:39:28,263 fail2ban.jail   : INFO   Jail 'proftpd-iptables' started
2011-02-04 17:39:28,275 fail2ban.jail   : INFO   Jail 'sasl-iptables' started
2011-02-06 03:11:52,980 fail2ban.actions: WARNING [asterisk-iptables] Ban 188.72.203.180
2011-02-07 03:23:03,461 fail2ban.actions: WARNING [asterisk-iptables] Ban 188.161.233.236
2011-02-07 23:18:09,081 fail2ban.actions: WARNING [asterisk-iptables] Ban 184.106.181.209
2011-02-07 23:18:11,431 fail2ban.actions: WARNING [asterisk-iptables] 184.106.181.209 already banned
2011-02-08 02:18:21,829 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.86.167.220

________________________
Below is the asterisk-iptables context from jail.conf:

________________________

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 xxx.xxx.xxx.xxx

# "bantime" is the number of seconds that a host is banned.
bantime  = 518400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 1000

# "maxretry" is the number of failures before a host gets banned.
maxretry = 2

...

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=XXX@XXXX.com.br, sender=XXX@XXXX.com.br]
logpath  = /var/log/asterisk/fail2ban
maxretry = 2
bantime = 518400



____________________
Below is the asterisk filter in fail2ban:

____________________
# Fail2Ban configuration file

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named 'host'. The tag '<HOST>' can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
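Why a whole burst can get through before the ban lands, as an added example (not code from the original post or from fail2ban): it replays constructed chan_sip lines through the page's own `No matching peer found` failregex and a fail2ban-0.8-style poller that reads the log once per second, counting how many failures each host had already logged when the ban was decided. The 1 s poller sleep, the wake-up phase, the placeholder IPs and the `pbx.example` hostname are assumptions of this example.

```python
import re
from datetime import datetime

# fail2ban's expansion of the <HOST> tag, as quoted in the filter comments above.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# The 'No matching peer found' pattern from the asterisk filter on this page.
FAILREGEX = re.compile((r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - "
                        r"No matching peer found").replace("<HOST>", HOST_ALIAS))
TS_RE = re.compile(r"^\[(\w{3} +\d+ \d\d:\d\d:\d\d)\]")
# Constructed chan_sip log line (placeholder IPs and hostname, not taken from the post).
LINE = ("[Feb  8 {ts}] NOTICE[3196] chan_sip.c: Registration from "
        "'\"{user}\"<sip:{user}@pbx.example>' failed for '{ip}' - No matching peer found")

def burst_log(count, ip="203.0.113.7", ts="02:18:20"):
    """Constructed scan: `count` REGISTER failures all stamped within one second."""
    return "\n".join(LINE.format(ts=ts, user=100 * k, ip=ip) for k in range(1, count + 1))

def paced_log(count, ip="198.51.100.9"):
    """Constructed slow probe: one failure per minute from another address."""
    return "\n".join(LINE.format(ts=f"02:{18 + k:02d}:20", user=1000 + k, ip=ip)
                     for k in range(count))

def parse_failures(log_text, year=2011):
    """Return sorted (epoch_seconds, host) pairs for lines matching FAILREGEX."""
    out = []
    for line in log_text.splitlines():
        m, t = FAILREGEX.search(line), TS_RE.match(line)
        if m and t:
            when = datetime.strptime(f"{year} {t.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((when.timestamp(), m.group("host")))
    return sorted(out)

def simulate_ban(failures, maxretry=2, findtime=1000, poll_interval=1.0):
    """Replay failures through a poller that wakes every poll_interval seconds (fail2ban
    0.8 sleeps 1 s); a host is banned at the first tick where it has >= maxretry failures
    inside findtime, and everything it logged before that tick had already gone through."""
    recent, i = {}, 0
    tick = failures[0][0] + poll_interval      # wake-up phase is an assumption
    while i < len(failures):
        while i < len(failures) and failures[i][0] < tick:
            ts, host = failures[i]
            i += 1
            recent[host] = [t for t in recent.get(host, []) if ts - t <= findtime] + [ts]
            if len(recent[host]) >= maxretry:
                logged = sum(1 for t, h in failures if h == host and t < tick)
                return {"host": host, "banned_at": tick, "failures_before_ban": logged}
        tick += poll_interval
    return None
```

With maxretry=2 the slow probe is banned after exactly 2 failures, while the 40-line burst is read in a single batch, so all 40 are in the log before the ban is decided; lowering maxretry or findtime cannot shrink that window, only rate-limiting the SIP traffic in the firewall before it reaches Asterisk can.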



