[AsteriskBrasil] Fail2Ban blocks after many attempts.

leandro alves thc.leandro em gmail.com
Tue Feb 8 10:39:19 BRST 2011


João, this happens for the following reason:

- The registration attempts do not repeat; that is, the attempts are made
against sequential extensions, not the same extension (3 times). For example,
the attacker does not send registration attempts more than once to the same
extension, but rather once for each extension in the scanner, sequentially:

sip:100 em xxx.xxx.xxx.xxx - No matching peer found
sip:200 em xxx.xxx.xxx.xxx - No matching peer found
sip:300 em xxx.xxx.xxx.xxx - No matching peer found

- If the attacker sent the registration attempt repeating the extension, then
the maximum number of attempts would indeed be respected:

sip:100 em xxx.xxx.xxx.xxx - No matching peer found
sip:100 em xxx.xxx.xxx.xxx - No matching peer found
sip:100 em xxx.xxx.xxx.xxx - No matching peer found

- What you describe, the block only occurring after 100 attempts, is due to
the scanner repeating its cycle: it goes back and tries the process again, and
then it gets blocked.

- The most "sensible" thing is to create a rule that blocks after a single
attempt, since, considering that it is you who blocks/allows registration
access for the extensions, the internal networks could easily be allowed, with
this stricter rule applied to the external networks.

Regards,


On 8 February 2011 10:23, João Marcelo Queiroz <jmbq em bol.com.br> wrote:

> With the help of several friends here on the list, my fail2ban is finally
> blocking the constant attacks I have been suffering. But despite having
> configured jail.conf to ban the IP after 2 attempts, what I see is that
> sometimes it takes 100 attempts or more for f2b to block the IP. What I
> could notice is that the block is carried out after 1 second; that is,
> whether the attacker makes 1000 attempts or 10 attempts within 1 second, it
> does not matter, the block is only made after that time. At least that is
> what I could verify from the logs.
>
> I have already changed maxretry from 3 to 2 and findtime from 60 to 30 and
> 1000, with no noticeable effect.
>
> Anything else I can do? I stress that all the attacks are stopped by F2B,
> that is, F2B is working, but only after several attempts.
>
> Below is an example of an attack.
>
> _________________________
>
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"1790833979"<sip:1790833979 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220'
> - No matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"100"<sip:100 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"200"<sip:200 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"300"<sip:300 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"400"<sip:400 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"500"<sip:500 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"600"<sip:600 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"700"<sip:700 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"800"<sip:800 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"900"<sip:900 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"1000"<sip:1000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"2000"<sip:2000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"3000"<sip:3000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"4000"<sip:4000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"5000"<sip:5000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"6000"<sip:6000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"7000"<sip:7000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"8000"<sip:8000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"9000"<sip:9000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"0000"<sip:0000 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"123"<sip:123 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"1234"<sip:1234 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"12345"<sip:12345 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"123456"<sip:123456 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"123123"<sip:123123 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"12341234"<sip:12341234 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' -
> No matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"1234512345"<sip:1234512345 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220'
> - No matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"105"<sip:105 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"205"<sip:205 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"305"<sip:305 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"405"<sip:405 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"505"<sip:505 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"605"<sip:605 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"705"<sip:705 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"805"<sip:805 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"905"<sip:905 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"test"<sip:test em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"noauth"<sip:noauth em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No
> matching peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"101"<sip:101 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"202"<sip:202 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"303"<sip:303 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from
> '"404"<sip:404 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from
> '"505"<sip:505 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from
> '"606"<sip:606 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from
> '"707"<sip:707 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from
> '"808"<sip:808 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> [Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from
> '"909"<sip:909 em xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching
> peer found
> __________________________
>
> Here is part of the fail2ban log:
>
> __________________________
> 2011-02-04 17:39:28,126 fail2ban.server : INFO   Changed logging target to
> /var/log/fail2ban.log for Fail2ban v0.8.4
> 2011-02-04 17:39:28,127 fail2ban.jail   : INFO   Creating new jail
> 'ssh-iptables'
> 2011-02-04 17:39:28,127 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses
> poller
> 2011-02-04 17:39:28,141 fail2ban.filter : INFO   Added logfile =
> /var/log/iptables
> 2011-02-04 17:39:28,141 fail2ban.filter : INFO   Set maxRetry = 5
> 2011-02-04 17:39:28,142 fail2ban.filter : INFO   Set findtime = 1000
> 2011-02-04 17:39:28,142 fail2ban.actions: INFO   Set banTime = 518400
> 2011-02-04 17:39:28,185 fail2ban.jail   : INFO   Creating new jail
> 'asterisk-iptables'
> 2011-02-04 17:39:28,186 fail2ban.jail   : INFO   Jail 'asterisk-iptables'
> uses poller
> 2011-02-04 17:39:28,186 fail2ban.filter : INFO   Added logfile =
> /var/log/asterisk/fail2ban
> 2011-02-04 17:39:28,187 fail2ban.filter : INFO   Set maxRetry = 2
> 2011-02-04 17:39:28,188 fail2ban.filter : INFO   Set findtime = 1000
> 2011-02-04 17:39:28,188 fail2ban.actions: INFO   Set banTime = 518400
> 2011-02-04 17:39:28,204 fail2ban.jail   : INFO   Creating new jail
> 'ssh-tcpwrapper'
> 2011-02-04 17:39:28,204 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper' uses
> poller
> 2011-02-04 17:39:28,205 fail2ban.filter : INFO   Added logfile =
> /var/log/iptables
> 2011-02-04 17:39:28,205 fail2ban.filter : INFO   Set maxRetry = 2
> 2011-02-04 17:39:28,207 fail2ban.filter : INFO   Set findtime = 1000
> 2011-02-04 17:39:28,207 fail2ban.actions: INFO   Set banTime = 518400
> 2011-02-04 17:39:28,225 fail2ban.jail   : INFO   Creating new jail
> 'apache-tcpwrapper'
> 2011-02-04 17:39:28,225 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper'
> uses poller
> 2011-02-04 17:39:28,225 fail2ban.filter : INFO   Set maxRetry = 6
> 2011-02-04 17:39:28,226 fail2ban.filter : INFO   Set findtime = 1000
> 2011-02-04 17:39:28,227 fail2ban.actions: INFO   Set banTime = 518400
> 2011-02-04 17:39:28,232 fail2ban.jail   : INFO   Creating new jail
> 'proftpd-iptables'
> 2011-02-04 17:39:28,232 fail2ban.jail   : INFO   Jail 'proftpd-iptables'
> uses poller
> 2011-02-04 17:39:28,233 fail2ban.filter : INFO   Set maxRetry = 6
> 2011-02-04 17:39:28,234 fail2ban.filter : INFO   Set findtime = 1000
> 2011-02-04 17:39:28,234 fail2ban.actions: INFO   Set banTime = 518400
> 2011-02-04 17:39:28,245 fail2ban.jail   : INFO   Creating new jail
> 'sasl-iptables'
> 2011-02-04 17:39:28,245 fail2ban.jail   : INFO   Jail 'sasl-iptables' uses
> poller
> 2011-02-04 17:39:28,246 fail2ban.filter : INFO   Added logfile =
> /var/log/mail.log
> 2011-02-04 17:39:28,246 fail2ban.filter : INFO   Set maxRetry = 2
> 2011-02-04 17:39:28,247 fail2ban.filter : INFO   Set findtime = 1000
> 2011-02-04 17:39:28,248 fail2ban.actions: INFO   Set banTime = 518400
> 2011-02-04 17:39:28,255 fail2ban.jail   : INFO   Jail 'ssh-iptables'
> started
> 2011-02-04 17:39:28,256 fail2ban.jail   : INFO   Jail 'asterisk-iptables'
> started
> 2011-02-04 17:39:28,258 fail2ban.jail   : INFO   Jail 'ssh-tcpwrapper'
> started
> 2011-02-04 17:39:28,261 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper'
> started
> 2011-02-04 17:39:28,263 fail2ban.jail   : INFO   Jail 'proftpd-iptables'
> started
> 2011-02-04 17:39:28,275 fail2ban.jail   : INFO   Jail 'sasl-iptables'
> started
> 2011-02-06 03:11:52,980 fail2ban.actions: WARNING [asterisk-iptables] Ban
> 188.72.203.180
> 2011-02-07 03:23:03,461 fail2ban.actions: WARNING [asterisk-iptables] Ban
> 188.161.233.236
> 2011-02-07 23:18:09,081 fail2ban.actions: WARNING [asterisk-iptables] Ban
> 184.106.181.209
> 2011-02-07 23:18:11,431 fail2ban.actions: WARNING [asterisk-iptables]
> 184.106.181.209 already banned
> 2011-02-08 02:18:21,829 fail2ban.actions: WARNING [asterisk-iptables] Ban
> 203.86.167.220
>
> ________________________
> Below is the asterisk-iptables context from jail.conf:
>
> ________________________
>
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 747 $
> #
>
> # The DEFAULT allows a global definition of the options. They can be override
> # in each jail afterwards.
>
> [DEFAULT]
>
> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
> # ban a host which matches an address in this list. Several addresses can be
> # defined using space separator.
> ignoreip = 127.0.0.1 xxx.xxx.xxx.xxx
>
> # "bantime" is the number of seconds that a host is banned.
> bantime  = 518400
>
> # A host is banned if it has generated "maxretry" during the last "findtime"
> # seconds.
> findtime  = 1000
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 2
>
> ...
>
> [asterisk-iptables]
>
> enabled  = true
> filter   = asterisk
> action   = iptables-allports[name=ASTERISK, protocol=all]
>           sendmail-whois[name=ASTERISK, dest=XXX em XXXX.com.br, sender==
> XXX em XXXX.com.br
> logpath  = /var/log/asterisk/fail2ban
> maxretry = 2
> bantime = 518400
>
>
>
> ____________________
> Below is the asterisk filter in fail2ban:
>
> ____________________
> # Fail2Ban configuration file
>
> [INCLUDES]
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
> [Definition]
> #_daemon = asterisk
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named 'host'. The tag '<HOST>' can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
>
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
>            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
>            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
>            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
>            NOTICE.* <HOST> failed to authenticate as '.*'$
>            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
>            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> ignoreregex =
>
>



-- 
Leandro,
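As an added example (not code from this thread or from fail2ban itself), the following Python applies the "No matching peer found" failregex line from the asterisk filter quoted above, with fail2ban's <HOST> tag expanded to the group the filter's own comment documents, to a few constructed Asterisk log lines and counts matches per host inside a findtime window, banning at maxretry. The addresses, extensions, timestamps and the pbx.example domain are constructed, and the year is assumed because Asterisk's timestamp omits it.

```python
import re
from datetime import datetime, timedelta

# One failregex line from the thread's asterisk filter, with fail2ban's <HOST>
# tag expanded to the group its comment documents: (?:::f{4,6}:)?(?P<host>\S+)
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = re.compile(
    r"NOTICE.* .*: Registration from '.*' failed for '" + HOST
    + r"' - No matching peer found")
# Asterisk's log timestamp prefix, e.g. [Feb  8 02:18:20] (no year)
TIMESTAMP = re.compile(r"^\[(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\]")

# Constructed sample log, same shape as the thread's excerpt; addresses are
# documentation ranges. The last line is VERBOSE, so the filter must skip it.
SAMPLE_LOG = """\
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"100"<sip:100@pbx.example>' failed for '203.0.113.10' - No matching peer found
[Feb  8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"200"<sip:200@pbx.example>' failed for '203.0.113.10' - No matching peer found
[Feb  8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"300"<sip:300@pbx.example>' failed for '203.0.113.10' - No matching peer found
[Feb  8 02:18:25] NOTICE[3196] chan_sip.c: Registration from '"100"<sip:100@pbx.example>' failed for '198.51.100.7' - No matching peer found
[Feb  8 02:40:00] NOTICE[3196] chan_sip.c: Registration from '"101"<sip:101@pbx.example>' failed for '198.51.100.7' - No matching peer found
[Feb  8 02:18:20] VERBOSE[3196] chan_sip.c: Registration from '"100"<sip:100@pbx.example>' failed for '192.0.2.5' - No matching peer found
"""

def failures(log_text, year=2011):
    """Yield (timestamp, host) for each line the failregex matches.
    The year is assumed, since Asterisk's timestamp does not carry one."""
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        t = TIMESTAMP.match(line)
        if m and t:
            when = datetime.strptime(f"{year} {t.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group("host")

def banned_hosts(log_text, maxretry=2, findtime=1000):
    """Return {host: ban time}. A host is banned once it has `maxretry`
    matches inside a sliding `findtime`-second window; the count is keyed
    on the <HOST> group alone, whatever extension each attempt targeted."""
    window = timedelta(seconds=findtime)
    recent = {}  # host -> timestamps of matches still inside the window
    bans = {}
    for when, host in failures(log_text):
        if host in bans:
            continue  # fail2ban would only log "already banned" here
        hits = [h for h in recent.get(host, []) if when - h <= window]
        hits.append(when)
        recent[host] = hits
        if len(hits) >= maxretry:
            bans[host] = when
    return bans
```

With the thread's values (maxretry=2, findtime=1000), `banned_hosts(SAMPLE_LOG)` bans 203.0.113.10 on its second line at 02:18:20, while 198.51.100.7 is not banned because its two matches are more than 1000 seconds apart. In the real daemon the filter only sees new lines when its poller reads the file (about once per second in fail2ban 0.8.x), so a burst written within one second is processed together, which is consistent with the ban logged at 02:18:21 above.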

