I created a script to help secure Asterisk servers: fail-to-ban. It runs once per minute and will block an IP that tries, unsuccessfully, to authenticate more than a certain number of tries within a certain interval. It keeps track of each block and will automatically unblock an IP after a given amount of time elapses. All of these variables are easily set/tuned at the beginning of the script. It’s basic, easy to install, and effective. The installation is just two extremely easy steps.
/scripts/fail-to-ban
#!/bin/bash PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin ATTEMPTS=10; # NUMBER OF ATTEMPTS IN A GIVEN INTERVAL INTERVAL=300; # INTERVAL (IN SECONDS) TO WATCH FOR FAILED ATTEMPTS - HISTORICALLY FROM CURRENT TIME PERMBAN=100; # AFTER THIS NUM OF FAILED ATTEMPTS, BAN UNTIL LOG ROTATES BLOCKSECS=3600; # AFTER THIS TIME (IN SECONDS), UNBLOCK A BLOCKED IP BLOCKED_ALREADY="" BLOCKED_NOW="" SKIPPED="" EXPIRED_BLOCK="" NOW=`date '+%s'` isip() { ISIP=$1 if [ $(echo $IP | sed 's/[^.]//g' | awk '{print length; }' 2> /dev/null) -eq 3 ]; then ISIP=1 fi } fail2ban() { # echo failing $IP with count $COUNT and lastcount $LASTCOUNT IP=$IP EXISTS=`iptables -n -L | grep $IP | wc -l` IS_LOCAL=`echo $IP | grep -E '^10\.|192\.168|127\.' | wc -l` if [ $EXISTS -gt 0 ]; then BLOCKED_ALREADY+=",$IP:$COUNT" # echo "IP $IP is already blocked" elif [ $IS_LOCAL -eq 1 ]; then SKIPPED+=",$IP:$COUNT" # echo "IP is local IP. Not blocking" else if [ ! "$IP" == "" ]; then # echo "Blocking IP $IP after $COUNT abuses." BLOCKED_NOW+=",$IP:$COUNT" iptables -I INPUT 1 -j DROP -s $IP echo "`date`:$IP:$NEWCOUNT:$COUNT" >> /tmp/banned.log fi fi } updateList() { NOW=`date '+%s'` sed -i /tmp/ip-list.log -e "s/"$IP":"$LASTCOUNT".*$/"$IP":"$COUNT":"$NOW"/" } showList() { LIST="$2" DESCRIPTION="$1" if [ ! "$LIST" == "" ]; then echo "$DESCRIPTION" for i in `echo "$LIST"` do BIP=$(echo $i | sed -e 's/:.*$//') BCOUNT=$(echo $i | sed -e 's/^.*://') if [ ! "$BIP" == "" ]; then echo $BIP $BCOUNT fi done fi } checkExpired() { BLOCKED=$(iptables -L INPUT -n | grep "^DROP" | sed -e 's/^.*-- //' | sed -e 's/ .*$//') for i in `grep -e "$BLOCKED" /tmp/ip-list.log` do IP=`echo $i | cut -d':' -f1` isip $IP COUNT=`echo $i | cut -d':' -f2` LASTACTION=`echo $i | cut -d':' -f3` if [ $((NOW-LASTACTION)) -gt $BLOCKSECS ] && [ ! "$IP" == "" ] && [ $ISIP -eq 1 ] && [ $COUNT -lt $PERMBAN ]; then LINE=`iptables -L -n --line-numbers | grep "$IP" | cut -d' ' -f1` if [ ! "$LINE" == "" ]; then echo "Removing block on $IP" # EXPIRED_BLOCK+=",$IP" echo iptables -D INPUT $LINE iptables -D INPUT $LINE fi fi done } if [ ! -f /tmp/ip-list.log ]; then touch /tmp/ip-list.log fi # Do some checking to see if the logs actually changed if [ -f /tmp/this-run ]; then mv /tmp/this-run /tmp/last-run else touch /tmp/last-run fi ls -al /var/log/asterisk/security > /tmp/this-run CHANGE=$(diff /tmp/last-run /tmp/this-run | wc -l) if [ $CHANGE -eq 0 ]; then echo "No change since last run" checkExpired exit fi IPLIST=$(/bin/grep -E "InvalidAccount|ChallengeResponseFailed" /var/log/asterisk/security | sed -e 's/^.*RemoteAddress="IPV4\/UDP\/\([0-9.]*\)\/.*$/\1/' | sort | uniq -c | sed -e 's/^ *//' | sed -e 's/ /:/') for i in `echo "$IPLIST"` do #echo $i COUNT=`echo $i | cut -d':' -f1` IP=`echo $i | cut -d':' -f2` isip $IP LASTCOUNT=`cat /tmp/ip-list.log | grep "^$IP:" | cut -d':' -f2` ELAPSED=`cat /tmp/ip-list.log | grep "^$IP:" | cut -d':' -f3 | sed -e 's/\n//g'` ELAPSED=$((NOW-ELAPSED)) if [ "$COUNT" == "" ]; then COUNT=0 fi if [ "$LASTCOUNT" == "" ]; then LASTCOUNT=0 fi NEWCOUNT=$((COUNT-LASTCOUNT)) if [ ! "$LASTCOUNT" == "" ] && [ $LASTCOUNT -eq 0 ] && [ $ISIP -eq 1 ]; then echo "$IP:$COUNT:$NOW" >> /tmp/ip-list.log # echo "Adding $IP to the IP tracking log with count $COUNT" fi if [ $NEWCOUNT -ge $ATTEMPTS ] && [ $ISIP -eq 1 ] && ( [ $ELAPSED -le $INTERVAL ] || [ $COUNT -gt $PERMBAN ] ); then if [ $LASTCOUNT -ne 0 ]; then # echo "Updating IP:$IP with NEWCOUNT:$NEWCOUNT ATTEMPTS:$ATTEMPTS ELAPSED:$ELAPSED INTERVAL:$INTERVAL ISIP:$ISIP" updateList fi fail2ban fi done checkExpired IFS="," showList "Blocked | Attempts" "$BLOCKED_ALREADY" showList "Newly Blocked | Attempts" "$BLOCKED_NOW" showList "Skipped | Attempts" "$SKIPPED" showList "Expired" "$EXPIRED_BLOCK"
/scripts/crontab
* * * * * /scripts/fail-to-ban > /dev/null 2>&1 &
After creating these files, simply run the following commands:
chmod a+x /scripts/fail-to-ban crontab /scripts/crontab
That’s really all you need to do!