To answer your question, I see the repeating IP ban in both jails, that is
asterisk TCP and UDP.
I did more testing with the help of the sipvicious tool, and was able to do
some penetration testing on my server so that asterisk could log it and thus
fail2ban could ban.
At first I had the asterisk-tcp jail active but not the asterisk-udp jail.
I was able to do a continuous dictionary attack even though fail2ban banned
my IP in both the asterisk-tcp jail and the recidive jail; I could see
the IP banned in iptables. This is really not working.
Then I tried the other way around, with the asterisk-udp jail active but
not the asterisk-tcp. This works as expected: I was completely banned and
couldn't continue the attack (got the message "socket error: timed out").
However, the recidive jail does not work in this situation. I set the
asterisk-udp jail to a bantime of 120 and the recidive jail to 360, and I
was banned for only 2 minutes; after that I was able to continue the attack.
In both tests, iptables lists exactly the same thing. There's a chain
for fail2ban-asterisk-udp or fail2ban-asterisk-tcp and another one for
fail2ban-recidive, like this:
Chain fail2ban-asterisk-tcp (1 references)
target prot opt source destination
REJECT all -- x.x.x.x anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
I thought that maybe when fail2ban removes the attacker's IP it also
removes that same IP from the recidive jail, but I checked iptables and that
is not the case. After 120 seconds, the asterisk chain goes away but the
recidive chain is still there.
In the jail.conf file we see there's an issue with those jails; not sure,
but I don't think it's related:
https://github.com/fail2ban/fail2ban/issues/37
If for some reason, like you were saying, it's impossible to prove the
IP in UDP and that would be the reason why the recidive jail is not
working, it would be a good idea to add this information to the jail.conf
file.
As a "fix", I will raise the bantime of the asterisk jail to 3600 instead
of the default 600; that way I will receive an email from asterisk only once
per hour instead of every 10 minutes. Some attackers don't realize that
their script is not working and just leave it running for a long period of
time.
If there's anything else I can test and haven't thought of, let me know :-)
p.s. Quick question: while being banned, is it normal that I can still ping
the server? I would assume it should be blocked, since in iptables the
'prot' column shows 'all'.
Cheers
Post by Tom Hendrikx
Post by Zurd
Hi everyone,
I just installed fail2ban-0.8.10; the recidive jail works fine for SSH
attempts but not for asterisk.
I have the 2 jails asterisk-tcp and asterisk-udp active, and they are
working just fine, banning every 10 minutes. And, after an IP has been
blocked many times, the recidive jail now bans the IP for a longer time.
However, after 10 minutes, the 2 asterisk jails ban the IP yet again
(the attacker still tries to get into the system). So I receive a ban
email from fail2ban every 10 minutes, and I even see the one from the
recidive jail. I see recidive in iptables -L with the attacker's IP, and
I use pretty much the default configuration in fail2ban-0.8.10.
Do you see the repeating bans only on the udp jail?
Due to the nature of udp it's not possible to verify whether the
received udp packets are actually from the ip address that is advertised
(i.e. in the udp packet header it says ip x.y.z, which is also what your
os and fail2ban see, but the packet could actually have been sent by someone else).
--
Tom
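The following is an added example, not code from this thread or from the fail2ban project. It simulates what the recidive jail does with the bans Zurd describes: it reads Ban lines from a constructed fail2ban.log (the line format is modelled on fail2ban 0.8's "fail2ban.actions: WARNING [jail] Ban <ip>" entries, which is what filter.d/recidive.conf matches; the maxretry 5 / findtime 1 day / bantime 1 week defaults are taken from that version's jail.conf, all stated here as assumptions), counts repeat bans per IP, and reports which chains should still hold a given IP at a given instant. The sample log data and the IP addresses are constructed; the asterisk-udp bantime of 120 and the recidive bantime of 360 are the values from Zurd's test above. The point it makes visible is the window after the asterisk-udp ban expires (at 120 s) in which only the recidive chain should still be blocking the host, which is exactly the window in which Zurd was able to resume the attack.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/fail2ban.log (not real data). The line
# format is modelled on fail2ban 0.8 "fail2ban.actions: WARNING [jail] Ban <ip>"
# entries (assumption). 203.0.113.7 keeps attacking and is banned five times
# by asterisk-udp with a 120 s bantime; 198.51.100.9 is banned once.
SAMPLE_LOG = """\
2013-05-04 10:00:00,000 fail2ban.actions: WARNING [asterisk-udp] Ban 203.0.113.7
2013-05-04 10:02:00,000 fail2ban.actions: WARNING [asterisk-udp] Unban 203.0.113.7
2013-05-04 10:02:30,000 fail2ban.actions: WARNING [asterisk-udp] Ban 203.0.113.7
2013-05-04 10:03:00,000 fail2ban.actions: WARNING [asterisk-udp] Ban 198.51.100.9
2013-05-04 10:04:30,000 fail2ban.actions: WARNING [asterisk-udp] Unban 203.0.113.7
2013-05-04 10:05:00,000 fail2ban.actions: WARNING [asterisk-udp] Ban 203.0.113.7
2013-05-04 10:07:00,000 fail2ban.actions: WARNING [asterisk-udp] Unban 203.0.113.7
2013-05-04 10:07:30,000 fail2ban.actions: WARNING [asterisk-udp] Ban 203.0.113.7
2013-05-04 10:09:30,000 fail2ban.actions: WARNING [asterisk-udp] Unban 203.0.113.7
2013-05-04 10:10:00,000 fail2ban.actions: WARNING [asterisk-udp] Ban 203.0.113.7
"""

# Modelled on filter.d/recidive.conf: only "Ban" lines count as a failure,
# and the recidive jail's own bans are skipped so it does not feed itself
# (assumption: this is the effect of that filter's ignoreregex).
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) fail2ban\.actions:\s+WARNING\s+"
    r"\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)$"
)


def parse_bans(log_text, ignore_jails=("recidive",)):
    """Return [(timestamp, jail, ip)] for every Ban line the filter accepts."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m.group("jail") in ignore_jails:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        bans.append((ts, m.group("jail"), m.group("ip")))
    return bans


def recidive_bans(bans, maxretry=5, findtime=86400, bantime=604800):
    """Simulate the recidive jail: maxretry bans of one IP within findtime
    seconds trigger one recidive ban lasting bantime seconds. Defaults are
    the fail2ban 0.8 jail.conf values for recidive (assumption).
    Returns {ip: [(ban_start, ban_end), ...]}."""
    window = defaultdict(list)
    result = defaultdict(list)
    for ts, _jail, ip in sorted(bans):
        # keep only the earlier bans of this IP that are still inside findtime
        hits = [t for t in window[ip] if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        if len(hits) >= maxretry:
            result[ip].append((ts, ts + timedelta(seconds=bantime)))
            hits = []  # the counted failures are consumed by the ban
        window[ip] = hits
    return dict(result)


def blocking_jails(bans, recidive, ip, when, jail_bantime=120):
    """Names of the jails whose iptables chain should still hold `ip` at
    instant `when`, given a per-jail bantime of `jail_bantime` seconds."""
    active = set()
    for ts, jail, bip in bans:
        if bip == ip and ts <= when < ts + timedelta(seconds=jail_bantime):
            active.add(jail)
    for start, end in recidive.get(ip, []):
        if start <= when < end:
            active.add("recidive")
    return active


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    rec = recidive_bans(bans, bantime=360)  # recidive bantime from the test above
    for probe in ("10:11:00", "10:13:00", "10:17:00"):
        when = datetime.strptime("2013-05-04 " + probe, "%Y-%m-%d %H:%M:%S")
        print(probe, sorted(blocking_jails(bans, rec, "203.0.113.7", when)))
```

Run against the sample, the host is held by both chains one minute after its fifth ban, by the recidive chain alone at three minutes (the asterisk-udp entry has expired), and by nothing at seven minutes. If a real attacker can still reach the service during that middle interval even though `iptables -L fail2ban-recidive -n` shows the address, the problem is in the recidive jail's action rule rather than in its counting, which is the distinction Zurd's two tests were probing.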