CSF / Asterisk

simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

Re: CSF / Asterisk

Post by simon templar »

Still working on it with sergio. We have a couple of bugs to fix before he releases it.
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

For people interested on a regex for ASTERIX, please see:
viewtopic.php?f=6&t=7517&start=10#p22708

Simon, will write the details on how to apply it, we made some test today and it works.

Sergio
simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

Re: CSF / Asterisk

Post by simon templar »

Hi all,

In order to have CSF work with Asterisk, and protect it, this is what you need to do (this is working for Asterisk 1.8.15:

Make sure that you have a file /etc/asterisk/logger.conf with the following line:

Code: Select all

messages => notice
You line can have more option in it, for example:

Code: Select all

messages => notice,warning,error
This line will create a new log file /var/log/asterisk/messages which will receive a NOTICE when there is a failed registration attempt.

Once this is configured, you can restart the logger in Asterisk to take in account the new configuration:

Code: Select all

asterisk@home> logger reload

Once this is done, edit /etc/csf/regex.custom.pm and add the following line:

Code: Select all

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] chan_sip.c\: Registration from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- Wrong password/))  {
  return ("Bad Logon: $1",$2,"SecmasASTERIX","1","1");
 }
At the first wrong login attempt of an IP, it will block it.

If you do not need to allow external access, then you can secure your Asterisk box by adding in FIREWALL DENY IPs the following lines:

Code: Select all

udp|in|d=5060|s=0.0.0.0/0 #do not delete
tcp|in|d=5060|s=0.0.0.0/0 #do not delete
If you do that though, you will need to selectively open the ports for IPs that you know. So in the FIREWALL ALLOW IPs you will need to add something like that for example:

Code: Select all

192.168.1.0/24

udp|in|d=5060|s=10.1.2.10  # IP from your SIP carrier for example
udp|in|d=10000_20000|s=10.1.2.10  # IP from your SIP carrier for example

That is about all you need to do. You can verify that it works by trying to connect from another IP than your desktop (because your IP will be added in the firewall rules, and you will be blocked), and monitoring CSF by clicking WATCH SYSTEM LOGS within CSF.

Enjoy !
leozim
Junior Member
Posts: 18
Joined: 30 May 2008, 14:35

Re: CSF / Asterisk

Post by leozim »

Re: Custom REGEX rules for CSF.

Postby leozim » 23 May 2014 13:41
Hello,

Last month I try to configure rules of Sergio and cant work, but is a very busy time to me and I dont back here to check again...

at this time, I try new rules solution, but on here, dont work yet.

I configure correctly CUSTOM1_LOG:
CUSTOM1_LOG = "/var/log/asterisk/messages"


Asterisk put logs correctly:

[root@voip asterisk]# tail -f /var/log/asterisk/messages
[May 23 13:29:48] NOTICE[30661] chan_sip.c: Registration from '"2130" <sip:2130@200.200.200.200:5060>' failed for '192.99.35.217:5081' - Wrong password
[May 23 13:30:30] NOTICE[30661] chan_sip.c: Registration from '"1200" <sip:1200@200.200.200.200:5060>' failed for '192.99.35.217:5083' - Wrong password
[May 23 13:32:42] NOTICE[30661] chan_sip.c: Registration from '"9011" <sip:9011@200.200.200.200:5060>' failed for '192.99.35.217:5146' - Wrong password


But on lfd.log dont see any block.. very stranger situation.

Its possible csf dont check custom_log config?

Thanks
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

After you added the regex in /usr/local/csf/bin/regex.custom.pm, Did you restarted LFD?
If so, Did LFD shows everything was ok?
simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

Re: CSF / Asterisk

Post by simon templar »

I forgot an important thing.

Edit /etc/csf/csf.conf , and change

Code: Select all

CUSTOM1_LOG = "/var/log/messages"
to

Code: Select all

CUSTOM1_LOG = "/var/log/asterisk/messages"
leozim
Junior Member
Posts: 18
Joined: 30 May 2008, 14:35

Re: CSF / Asterisk

Post by leozim »

Hi,

Yes, I restart LFD after all changes and change CUSTOM1_LOG = "/var/log/asterisk/messages"

Is very stranger custom check dont work.

I need make changes on LF_TRIGGER or another options on /etc/csf/csf.conf?

Thank you
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

No, you don't need to set any options in csf.conf

Please, paste some error lines from /var/log/asterisk/messages to check them.
trupsalms
Junior Member
Posts: 2
Joined: 04 Apr 2014, 03:19

Re: CSF / Asterisk

Post by trupsalms »

I know a lot of people have been asking about this Sergio, but this is actually the correct location, on my system, for asterisk log files. Can You Please Assist With A Regex File For Me.

log file location /var/log/asterisk/full

[2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
[2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
[2014-08-29 15:04:49] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

trupsalms wrote:I know a lot of people have been asking about this Sergio, but this is actually the correct location, on my system, for asterisk log files. Can You Please Assist With A Regex File For Me.

log file location /var/log/asterisk/full

[2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
[2014-08-29 15:04:29] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
[2014-08-29 15:04:49] NOTICE[1810] chan_sip.c: Registration from 'Sip-Personal<sip:1000@174.96.126.96>' failed for '444.414.441.232:63129' - Wrong password
The only thing that you need to do, is to edit /etc/csf/csf.confg and search where it says
"CUSTOM1_LOG ="
and write there the location of your log file, after that you will need to restar CSF + LFD
Post Reply