CSF / Asterisk
Re: CSF / Asterisk
Still working on it with Sergio. We have a couple of bugs to fix before he releases it.
Re: CSF / Asterisk
For people interested in a regex for Asterisk, please see:
viewtopic.php?f=6&t=7517&start=10#p22708
Simon will write the details on how to apply it; we made some tests today and it works.
Sergio
Re: CSF / Asterisk
Hi all,
In order to have CSF work with Asterisk, and protect it, this is what you need to do (this is working for Asterisk 1.8.15):
Make sure that you have a file /etc/asterisk/logger.conf with the following line:
Code:
messages => notice
Your line can have more options in it, for example:
Code:
messages => notice,warning,error
This line will create a new log file /var/log/asterisk/messages which will receive a NOTICE when there is a failed registration attempt.
Once this is configured, you can restart the logger in Asterisk to take into account the new configuration:
Code:
asterisk@home> logger reload
Once this is done, edit /etc/csf/regex.custom.pm and add the following line:
Code:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] chan_sip.c\: Registration from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- Wrong password/)) {
    return ("Bad Logon: $1",$2,"SecmasASTERIX","1","1");
}
At the first wrong login attempt of an IP, it will block it.
If you do not need to allow external access, then you can secure your Asterisk box by adding in FIREWALL DENY IPs the following lines:
Code:
udp|in|d=5060|s=0.0.0.0/0 #do not delete
tcp|in|d=5060|s=0.0.0.0/0 #do not delete
If you do that though, you will need to selectively open the ports for IPs that you know. So in the FIREWALL ALLOW IPs you will need to add something like that for example:
Code:
192.168.1.0/24
udp|in|d=5060|s=10.1.2.10 # IP from your SIP carrier for example
udp|in|d=10000_20000|s=10.1.2.10 # IP from your SIP carrier for example
That is about all you need to do. You can verify that it works by trying to connect from another IP than your desktop (because your IP will be added in the firewall rules, and you will be blocked), and monitoring CSF by clicking WATCH SYSTEM LOGS within CSF.
Enjoy!
Re: CSF / Asterisk
Re: Custom REGEX rules for CSF.
Post by leozim » 23 May 2014 13:41
Hello,
Last month I tried to configure Sergio's rules and could not get them to work, but it was a very busy time for me and I did not come back here to check again...
This time I tried the new rules solution, but here it doesn't work yet.
I configured CUSTOM1_LOG correctly:
CUSTOM1_LOG = "/var/log/asterisk/messages"
Asterisk writes the logs correctly:
[root@voip asterisk]# tail -f /var/log/asterisk/messages
[May 23 13:29:48] NOTICE[30661] chan_sip.c: Registration from '"2130" <sip:2130@200.200.200.200:5060>' failed for '192.99.35.217:5081' - Wrong password
[May 23 13:30:30] NOTICE[30661] chan_sip.c: Registration from '"1200" <sip:1200@200.200.200.200:5060>' failed for '192.99.35.217:5083' - Wrong password
[May 23 13:32:42] NOTICE[30661] chan_sip.c: Registration from '"9011" <sip:9011@200.200.200.200:5060>' failed for '192.99.35.217:5146' - Wrong password
But in lfd.log I don't see any block... a very strange situation.
Is it possible that csf doesn't check the custom_log config?
Thanks
Re: CSF / Asterisk
After you added the regex in /usr/local/csf/bin/regex.custom.pm, did you restart LFD?
If so, did LFD show everything was OK?
Re: CSF / Asterisk
I forgot an important thing.
Edit /etc/csf/csf.conf, and change
Code:
CUSTOM1_LOG = "/var/log/messages"
to
Code:
CUSTOM1_LOG = "/var/log/asterisk/messages"
Re: CSF / Asterisk
Hi,
Yes, I restarted LFD after all the changes and changed CUSTOM1_LOG = "/var/log/asterisk/messages".
It is very strange that the custom check doesn't work.
Do I need to make changes to LF_TRIGGER or other options in /etc/csf/csf.conf?
Thank you
Re: CSF / Asterisk
No, you don't need to set any options in csf.conf
Please, paste some error lines from /var/log/asterisk/messages to check them.
Re: CSF / Asterisk
I know a lot of people have been asking about this, Sergio, but this is actually the correct location, on my system, for Asterisk log files. Can you please assist with a regex file for me?
log file location /var/log/asterisk/full
[2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
[2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
[2014-08-29 15:04:49] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
Re: CSF / Asterisk
trupsalms wrote:
> I know a lot of people have been asking about this, Sergio, but this is actually the correct location, on my system, for Asterisk log files. Can you please assist with a regex file for me?
> log file location /var/log/asterisk/full
> [2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
> [2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
> [2014-08-29 15:04:49] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
The only thing that you need to do is to edit /etc/csf/csf.conf and search where it says
"CUSTOM1_LOG ="
and write there the location of your log file; after that you will need to restart CSF + LFD.
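Added example, not part of any post in this thread and not code from CSF or Asterisk: a stand-alone Perl harness that runs the regex posted above for regex.custom.pm against one log line from each of the two timestamp styles pasted in this thread. The `$relaxed` pattern, the `check` helper and the variable names are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: offline check of the chan_sip "Wrong password" rule
# against log lines copied from this thread. Nothing here touches CSF.
use strict;
use warnings;

# Regex exactly as posted in this thread for regex.custom.pm.
my $posted = qr/\[\S+\s+\S+\] NOTICE\[\S+\] chan_sip.c\: Registration from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- Wrong password/;

# Assumption of this example: accept any bracketed timestamp, so that both
# "May 23 13:29:48" and "2014-08-29 15:04:29" styles match, and stop the
# captures at the closing quote. Handles IPv4 "addr:port" peers only.
my $relaxed = qr/^\[[^\]]+\] NOTICE\[\d+\] chan_sip\.c: Registration from '([^']+)' failed for '([^':]+):\d+' - Wrong password/;

# Log lines copied verbatim from the posts in this thread.
my @lines = (
    q{[May 23 13:29:48] NOTICE[30661] chan_sip.c: Registration from '"2130" <sip:2130@200.200.200.200:5060>' failed for '192.99.35.217:5081' - Wrong password},
    q{[2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password},
);

# Return (account, ip) when $re matches $line, or an empty list otherwise.
sub check {
    my ($re, $line) = @_;
    return $line =~ $re ? ($1, $2) : ();
}

for my $line (@lines) {
    print "$line\n";
    for my $case ([posted => $posted], [relaxed => $relaxed]) {
        my ($name, $re) = @$case;
        my @hit = check($re, $line);
        printf "  %-8s %s\n", $name,
            @hit ? "MATCH ip=$hit[1] account=$hit[0]" : "no match";
    }
}
```

The posted pattern `\[\S+\s+\S+\]` requires a timestamp of exactly two space-separated fields, so it matches the `[2014-08-29 15:04:29]` style but not the three-field `[May 23 13:29:48]` style; a line that reports "no match" here cannot trigger an lfd block, whatever CUSTOM1_LOG is set to. The timestamp layout Asterisk writes is controlled by `dateformat` in logger.conf.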