
Easy setup Asterisk + Fail2Ban

In September 2013, I published an extremely popular article with the same title. Since then, however, things have changed radically on the fail2ban side: Asterisk support is now included "out of the box", and the format of the configuration files has changed radically since version 0.9. I am therefore publishing a new article on this topic, because the setup steps are now radically different as well.

Before the security log appeared in Asterisk version 10, fail2ban could not properly protect Asterisk against a popular type of attack, SIP password guessing for extensions, because the regular Asterisk logs did not show the attacker's IP address.
With the advent of the security log, this problem has been resolved.

If you run Asterisk 10 or newer, you can successfully use it together with fail2ban. The setup is pretty simple.

1. Edit /etc/asterisk/logger.conf, adding security events logging to the standard log:

messages => notice,warning,error,security 


2. Reload the Asterisk logging subsystem with the command:

 asterisk -x "logger reload" 


3. Enable the 'asterisk' jail in fail2ban by adding the following to /etc/fail2ban/jail.local:

 [asterisk]
 enabled = true
 bantime = 86400


4. Reload fail2ban so that it re-reads the configuration.

 fail2ban-client reload 


5. Check that everything is in order.

 fail2ban-client status asterisk 


Done! fail2ban will now detect and block SIP password-guessing attacks.
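
What the 'asterisk' jail does with the security log, sketched as an added Python example (not fail2ban's actual filter and not code from the original article): it takes RemoteAddress from failed-authentication events and flags any IP that reaches maxretry failures within findtime seconds. The log lines are constructed samples with abbreviated fields, and the event list, maxretry=3 and findtime=600 are assumed values for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of the Asterisk security log (fields abbreviated).
SAMPLE_LOG = """\
[2024-01-10 12:00:01] SECURITY[1201] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="100",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2024-01-10 12:00:02] SECURITY[1201] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="101",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2024-01-10 12:00:03] SECURITY[1201] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Service="SIP",AccountID="102",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2024-01-10 12:00:05] SECURITY[1201] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-01-10 12:00:09] SECURITY[1201] res_security_log.c: SecurityEvent="SuccessfulAuth",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-01-10 12:01:00] SECURITY[1201] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="300",RemoteAddress="IPV4/UDP/192.0.2.55/5060"
[2024-01-10 12:02:00] SECURITY[1201] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="300",RemoteAddress="IPV4/UDP/192.0.2.55/5060"
[2024-01-10 12:20:00] SECURITY[1201] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",AccountID="300",RemoteAddress="IPV4/UDP/192.0.2.55/5060"
"""

# Security events counted as authentication failures (assumed list for this sketch).
FAILURE_EVENTS = {"InvalidPassword", "ChallengeResponseFailed", "InvalidAccountID", "FailedACL"}

# Timestamp, event name and the IP part of RemoteAddress="IPV4/UDP/<ip>/<port>".
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] SECURITY\[\d+\] \S+ '
    r'SecurityEvent="(?P<event>\w+)".*?'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/"]+)/\d+"'
)

def find_offenders(log_text, maxretry=3, findtime=600):
    """Map each offending IP to the time of the failure that reached maxretry."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] not in FAILURE_EVENTS:
            continue  # not a security-log failure line
        ip, when = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:  # forget failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry and ip not in offenders:
            offenders[ip] = when
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached maxretry at {when}")
```
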

Source: https://habr.com/ru/post/274731/

