Fail2Ban for Kamailio on VoipNow
WARNING
Applies to VoipNow 4.x and higher!
Fail2Ban works by monitoring log files and triggering actions when lines matching a configured pattern appear in them.
For example, it can detect a line in your mail log file similar to the one shown below:
Jan 7 11:25:45 hostname sendmail[1558]: s07BPgwK001558: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[67.216.253.197]
and trigger an action, such as banning the offending IP with Firewalld.
Each monitored log is configured as a "jail": a section in the /etc/fail2ban/jail.local file. (jail.conf holds the packaged defaults and is overwritten on package upgrade, so keep your own jails in jail.local, which overrides it.)
Here's a sample jail entry that bans addresses failing SSH authentication:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
On CentOS/RHEL the SSH daemon logs to /var/log/secure rather than /var/log/auth.log, so adjust logpath accordingly.
The filter, which recognises the offending log lines, and the action, which performs the ban, are defined as separate files under /etc/fail2ban/filter.d and /etc/fail2ban/action.d.
Step-by-step guide
Requirements
- VoipNow 4.x and higher on CentOS 7/RHEL 7 or higher
- EPEL repository to install the fail2ban rpm
- Internet access
1) Install EPEL
EPEL is a repository of additional RPM packages which can be used in RHEL, CentOS, Fedora, and other similar distributions. For more details about the project, check the EPEL page.
If you're using CentOS, a package named epel-release is already included in the stock repository.
To install EPEL, run the following command:
yum install epel-release
2) Install Fail2Ban
yum -y install fail2ban
3) Enable and start Firewalld
Firewalld is the firewall management daemon introduced in CentOS/RHEL 7; it replaces the iptables service as the front end for the kernel's netfilter rules, and the Fail2Ban action used below talks to it through firewall-cmd.
To enable this service, run the following command:
# systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
This command only enables the daemon at boot; it does not start it.
To start the daemon and check its status, run the following:
# systemctl start firewalld
# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Tue 2015-12-08 09:57:56 UTC; 17s ago
Main PID: 27859 (firewalld)
CGroup: /system.slice/firewalld.service
└─27859 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Dec 08 09:57:56 centos71 systemd[1]: Started firewalld - dynamic firewall daemon.
At this point, the service should appear as loaded and active.
4) Enable and start Fail2Ban
To enable and start the Fail2Ban service, run the following:
# systemctl enable fail2ban
ln -s '/usr/lib/systemd/system/fail2ban.service' '/etc/systemd/system/multi-user.target.wants/fail2ban.service'
# systemctl start fail2ban
# systemctl status fail2ban
fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
Active: active (running) since Tue 2015-12-08 09:59:21 UTC; 3s ago
Docs: man:fail2ban(1)
Process: 29758 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 29761 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─29761 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
Dec 08 09:59:21 centos71 systemd[1]: Starting Fail2Ban Service...
Dec 08 09:59:21 centos71 fail2ban-client[29758]: 2015-12-08 09:59:21,695 fail2ban.server [29759]: INFO Starting Fail2ban v0.9.3
Dec 08 09:59:21 centos71 fail2ban-client[29758]: 2015-12-08 09:59:21,695 fail2ban.server [29759]: INFO Starting in daemon mode
Dec 08 09:59:21 centos71 systemd[1]: Started Fail2Ban Service.
5) Configure Fail2Ban to pick up the log trigger
As mentioned before, Fail2Ban monitors log files and triggers actions upon certain events being detected in these log files.
Starting with VoipNow 4.0.0, the PIKE module is used to log and throttle incoming request IP addresses.
INFO
By default, PIKE is disabled. If you want to block abnormal traffic based on PIKE logs, you must enable it. More details here.
The messages logged by Kamailio look like this:
1449744585: L1 Pike block from 10.150.5.113:5061
1449744585: L2 Pike block from 10.150.5.113:5061
1449744585: L3 Pike block from 10.150.5.113:5061
Each line starts with an epoch timestamp, which Fail2Ban recognises with its built-in Epoch date template, followed by the PIKE level and the source address and port.
You need to create the Kamailio filter for Fail2Ban. The file must be placed in /etc/fail2ban/filter.d/kamailio.conf and must contain the following:
[Definition]
failregex = L. Pike block from <HOST>.*
Fail2Ban substitutes its own host-matching pattern for <HOST> and captures the address found there; the trailing .* absorbs the ":port" suffix so it is not taken as part of the host.
Edit /etc/fail2ban/jail.local (create it if it does not exist; jail.conf is overwritten on package upgrade) and add:
[kamailio]
enabled = true
filter = kamailio
banaction = firewallcmd-ipset
logpath = /var/log/kamailio/abuse.log
maxretry = 5
bantime = 3600
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
Check one thing before relying on this jail. As the outputs further down this page show (--dports ssh in the firewall rule, timeout 600 on the ipset), the jail as written ended up using the firewallcmd-ipset action's own defaults for port, protocol and ipset timeout: the ban covered only the SSH port, not SIP, and the ipset entry expired after 600 seconds rather than the 3600 set in bantime. Pass the SIP ports Kamailio actually listens on, the protocol and the ban time to the action explicitly instead of relying on banaction, for example:
action = firewallcmd-ipset[name=kamailio, port="5060,5061", protocol=udp, bantime=3600]
If clients also register over TCP or TLS, add a second action line with protocol=tcp and a different name, or use the iptables-allports variant from step 6, which rejects all traffic from the banned address.
WARNING
Define your whitelists
When setting up any type of restriction, it's a good idea to start by defining your whitelists (i.e. exceptions, for which the restrictions will not apply). For example, you can whitelist "good" IP addresses that you know very well: your own office, known customers who use static IPs, etc. Add these IPs in the ignoreip line.
The Kamailio jail can be tweaked using the following parameters:
- maxretry: the IP is banned after this many matching Pike lines within findtime seconds (findtime keeps its 600-second default here, as the fail2ban.log extract below confirms)
- bantime: the IP stays banned for this many seconds
- ignoreip: addresses and networks that are never banned; the line above exempts every RFC 1918 range, so a private address such as the 10.150.8.186 used in the test below is never banned while 10.0.0.0/8 is listed there
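To see what these parameters do before deploying the jail, here is an added Python 3 example; it is not code from this page, from VoipNow or from Fail2Ban. It applies the failregex above to a constructed set of Pike lines modelled on the sample above, using a simplified IPv4-only stand-in for Fail2Ban's <HOST> expansion (an assumption; the real pattern also matches IPv6 and hostnames), then replays the maxretry, findtime, bantime and ignoreip rules, including Fail2Ban's rule of dropping matches older than findtime relative to the system clock, which is the situation described under Time problems in the troubleshooting section. The addresses, timestamps and the NOW value are made up.

```python
"""Added example (not code from this page, VoipNow or Fail2Ban): replays the
[kamailio] jail's logic over constructed Pike lines to show what maxretry,
findtime, bantime and ignoreip do, and why stale timestamps are ignored."""
import ipaddress
import re
from collections import defaultdict, deque

# failregex exactly as in /etc/fail2ban/filter.d/kamailio.conf above.
FAILREGEX = r"L. Pike block from <HOST>.*"
# Assumption: an IPv4-only stand-in for Fail2Ban's own <HOST> expansion
# (the real one also matches IPv6 addresses and hostnames).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))
# abuse.log lines start with an epoch timestamp (Fail2Ban's "Epoch" template).
LINE_RE = re.compile(r"^\s*(?P<ts>\d{9,10}):\s*(?P<msg>.*)$")

# Jail settings from the [kamailio] section; findtime is the 600 s default
# that the fail2ban.log extract on this page reports.
MAXRETRY = 5
FINDTIME = 600
BANTIME = 3600
IGNOREIP = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample, not captured from a real system. NOW is a few seconds
# after the page's sample timestamp.
NOW = 1449744600
SAMPLE_LINES = [
    "1449744585: L1 Pike block from 203.0.113.7:5060",
    "1449744586: L1 Pike block from 203.0.113.7:5060",
    "1449744587: L2 Pike block from 203.0.113.7:5060",
    "1449744588: L2 Pike block from 203.0.113.7:5060",
    "1449744589: L3 Pike block from 203.0.113.7:5060",
    " 1449744585: L1 Pike block from 10.150.5.113:5061",  # leading blank as on the page
    "1449744585: L2 Pike block from 10.150.5.113:5061",
    "1449744585: L3 Pike block from 10.150.5.113:5061",
    "1449744590: L3 Pike block from 10.150.5.113:5061",
    "1449744591: L3 Pike block from 10.150.5.113:5061",
    "1449744592: L1 Pike block from 198.51.100.9:5060",
    "1449744593: L1 Pike block from 198.51.100.9:5060",
    "1449744594: L2 Pike block from 198.51.100.9:5060",
    "1449744595: L1 Pike block from 203.0.113.7:5060",
    "1449744596: this line is not a Pike block and must not match",
]
# 192.0.2.44 floods as well, but more than findtime before NOW: stale lines.
SAMPLE_LINES += ["%d: L1 Pike block from 192.0.2.44:5060" % (1449740000 + i) for i in range(5)]


def is_ignored(ip, ignoreip=IGNOREIP):
    """True if ip lies inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def parse_line(line):
    """Return (epoch, host) for a line the filter matches, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    hit = FAIL_RE.search(m.group("msg"))
    if hit is None:
        return None
    return int(m.group("ts")), hit.group("host")


def evaluate(lines, now=NOW, maxretry=MAXRETRY, findtime=FINDTIME,
             bantime=BANTIME, ignoreip=IGNOREIP):
    """Return {ip: ban_expiry_epoch} for every address the jail would ban.

    A match timestamped before now - findtime is discarded as stale (the
    "Time problems" case), ignoreip hosts are never counted, and an address
    is banned for bantime seconds once maxretry matches fall within findtime.
    """
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ts < now - findtime:
            continue  # fail2ban logs "Ignore line since time ... < ..." here
        if ip in bans or is_ignored(ip, ignoreip):
            continue
        hits = window[ip]
        hits.append(ts)
        while hits[0] < ts - findtime:  # slide the findtime window
            hits.popleft()
        if len(hits) >= maxretry:
            bans[ip] = ts + bantime
    return bans


if __name__ == "__main__":
    for ip, expiry in sorted(evaluate(SAMPLE_LINES).items()):
        print("Ban %s until epoch %d" % (ip, expiry))
    print("Banned with an empty ignoreip:", sorted(evaluate(SAMPLE_LINES, ignoreip=())))
```

Run it directly to see which of the sample addresses end up banned. Note how 10.150.5.113 floods five times but is never banned while 10.0.0.0/8 is in ignoreip, and how the 192.0.2.44 lines from an hour earlier are ignored entirely: both are exactly the cases that look like Fail2Ban is doing nothing.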
Once the configuration is done, reload Fail2Ban:
systemctl reload fail2ban
The default Fail2Ban configuration logs messages to /var/log/fail2ban.log.
Here you should see messages similar to:
2015-12-10 16:13:19,413 fail2ban.server [12723]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3
2015-12-10 16:13:19,414 fail2ban.database [12723]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2015-12-10 16:13:19,421 fail2ban.jail [12723]: INFO Creating new jail 'kamailio'
2015-12-10 16:13:19,423 fail2ban.jail [12723]: INFO Jail 'kamailio' uses poller
2015-12-10 16:13:19,442 fail2ban.filter [12723]: INFO Set jail log file encoding to UTF-8
2015-12-10 16:13:19,442 fail2ban.jail [12723]: INFO Initiated 'polling' backend
2015-12-10 16:13:19,456 fail2ban.filter [12723]: INFO Added logfile = /var/log/kamailio/abuse.log
2015-12-10 16:13:19,457 fail2ban.filter [12723]: INFO Set maxRetry = 5
2015-12-10 16:13:19,458 fail2ban.filter [12723]: INFO Set jail log file encoding to UTF-8
2015-12-10 16:13:19,459 fail2ban.actions [12723]: INFO Set banTime = 3600
2015-12-10 16:13:19,459 fail2ban.filter [12723]: INFO Set findtime = 600
2015-12-10 16:13:19,470 fail2ban.jail [12723]: INFO Jail 'kamailio' started
Once the service is started, ensure that Fail2Ban is actually banning.
WARNING
Make sure you are not running the tests from the same IP you used to connect through SSH!
To make sure that Fail2Ban is banning the IP addresses which attempt to register with wrong passwords, try a few registrations with a wrong password yourself.
Once you've reached the number of attempts configured in the Kamailio jail, your IP should be banned and in fail2ban.log you will see something similar to:
2015-12-11 11:59:40,963 fail2ban.filter [21060]: INFO [kamailio] Found 10.150.8.186
2015-12-11 11:59:41,268 fail2ban.actions [21060]: NOTICE [kamailio] Ban 10.150.8.186
To confirm that the IP address was actually added to the firewall, list the ipset:
ipset list
Name: fail2ban-default
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16592
References: 1
Members:
10.150.8.186 timeout 496
The set name comes from the name parameter the action was called with (fail2ban-default here; fail2ban-kamailio if name=kamailio is passed). Note the timeout 600 in the header and the per-member countdown: that is the ipset action's own default, not the jail's bantime of 3600, so unless bantime is passed to the action the entry expires after ten minutes. Fail2Ban's own view of the jail, including the currently banned addresses, is available with fail2ban-client status kamailio.
6) Use iptables instead of Firewalld
If you're not ready to switch to firewalld, you can still use iptables to manage your firewall.
Before enabling the iptables service, make sure you've disabled firewalld:
# systemctl stop firewalld
# systemctl mask firewalld
# yum -y install iptables-services
# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/iptables6
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables
The [kamailio] jail in /etc/fail2ban/jail.local must then call the iptables action explicitly instead of the firewalld one:
[kamailio]
enabled = true
filter = kamailio
action = iptables-allports[name=kamailio, protocol=all]
logpath = /var/log/kamailio/abuse.log
maxretry = 5
bantime = 3600
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
protocol = all
With iptables-allports and protocol=all, every packet from a banned address is rejected on every port, so a banned SIP attacker loses SSH, HTTP and everything else as well; the flip side is that a mis-set ignoreip can lock out your own clients completely. You can check the rules, including the chain the action creates for the jail, using the following command:
iptables -L -n -v
7) Disable the EPEL repository
To prevent any possible VoipNow software package conflicts, you need to disable the EPEL repository by running the following command (yum-config-manager is part of the yum-utils package):
yum-config-manager --disable epel
From then on a plain yum update will not update Fail2Ban; update it deliberately with yum --enablerepo=epel update fail2ban.
Troubleshooting
Time problems
A common cause of Fail2Ban silently doing nothing is a clock mismatch between the log writer and Fail2Ban. Fail2Ban discards any matching line whose timestamp is older than findtime relative to the system clock (at DEBUG level fail2ban.log reports this as "Ignore line since time ..."), so if the timestamps in the log lag the system time by more than findtime, typically because the process writing the log and Fail2Ban disagree on the time zone, nothing is ever counted and nothing is banned. Make sure the system time is synchronised (NTP) and everything is configured to use the same time zone. The Kamailio lines above carry an epoch timestamp, which is time-zone independent, so for this jail only real clock skew matters.
Log file scanning problems
Sometimes the log file scanning itself is the problem. With the default backend = auto, Fail2Ban uses the pyinotify backend, which relies on the kernel's inotify file-change notifications, when the Python inotify module is available, and falls back to polling otherwise; the fail2ban.log extract in step 5 ("Initiated 'polling' backend") shows this jail running on the fallback. If inotify causes problems (it does not see changes on network file systems, for example), force the polling backend by setting backend = polling in the [kamailio] section of jail.local.
If you didn't copy the example code properly, your regular expression might not be configured correctly.
To test this, use the following command:
fail2ban-regex /var/log/kamailio/abuse.log /etc/fail2ban/filter.d/kamailio.conf
Running tests
=============
Use failregex filter file : kamailio, basedir: /etc/fail2ban
Use log file : /var/log/kamailio/abuse.log
Use encoding : UTF-8
Results
=======
Failregex: 3 total
|- #) [# of hits] regular expression
| 1) [3] ^.+Pike block from <HOST>:.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [3] Epoch
`-
Lines: 3 lines, 0 ignored, 3 matched, 0 missed [processed in 0.00 sec]
The output reports how many lines were matched; in the example above all 3 lines matched. (The pattern printed in this run, ^.+Pike block from <HOST>:.*, is a variant of the filter's failregex that matches the same lines.) If matched is 0 although the log contains Pike lines, the regex or the date template is wrong; if matched is lower than the number of Pike lines, rerun with --print-all-missed to see which lines the filter does not catch.
Firewalld service is not started
In case the Firewalld service is not started, under /var/log/fail2ban.log you will see lines similar to the ones below:
2015-12-10 16:12:27,654 fail2ban.jail [11423]: INFO Jail 'kamailio' started
2015-12-10 16:12:27,868 fail2ban.action [11423]: ERROR ipset create fail2ban-default hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable -- stdout: '\x1b[91mFirewallD is not running\x1b[00m\n'
2015-12-10 16:12:27,868 fail2ban.action [11423]: ERROR ipset create fail2ban-default hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable -- stderr: ''
2015-12-10 16:12:27,868 fail2ban.action [11423]: ERROR ipset create fail2ban-default hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable -- returned 252
2015-12-10 16:12:27,868 fail2ban.actions [11423]: ERROR Failed to start jail 'kamailio' action 'firewallcmd-ipset': Error starting action
Start Firewalld as described in step 3 and reload Fail2Ban; the jail's action is only set up when Firewalld is running, so until then matches are found but no ban reaches the firewall.