Protecting an Asterisk server from brute force attacks with fail2ban

Recently, the server hosting my Asterisk setup started to get laggy and eventually it even died a few times on me. Checking the logs it turned out that unknown IPs tried to initialize calls through my contexts. The log file carried gigabytes of stuff like this:

NOTICE[1110] chan_sip.c: Call from '' (IP_ADDRESS_REMOVED:5070) to extension '000972597103443' \\rejected because extension not found in context 'maincontext'.

It was pretty obvious that some hijacked clients tried to initialize calls trough my system. Luckily, my setup does not accept calls from unknown parties. Yet, the massive amount of connections filled up my logs entirely and opened that many connections that the system collapsed at the end.

In order to secure other systems in my environments, I'm using fail2ban, e.g. for securing ssh logins. Therefore I will do the same for the sake of my Asterisk health.

  • So as always, you may want to trigger the tool installation:

    aptitude install fail2ban
  • Next create a local configuration:

    cd /etc/fail2ban && cp jail.conf jail.local
  • Now an individual filter description for the according Asterisk log entries has to be added in a new file called /etc/fail2ban/filter.d/asterisk.conf:

    [Definition]
    _daemon = asterisk
    failregex = NOTICE.* .*: Call from \'\' \(<HOST>:.*\) to extension \'.*\' rejected because extension not found in context \'incoming\'.*
            NOTICE.* .*: Registration from \'\".*\" \<sip:.*\>\' failed for \'<HOST>:.*\' - No matching peer found
    ignoreregex =
  • For these filters to take effect they have to be introduced to fail2ban in /etc/fail2ban/jail.local. Assuming there is a default Asterisk setup on your system, the follwing lines have to be added at the end of that file:

    [asterisk]
    enabled  = true
    filter   = asterisk
    action   = iptables-allports[name=asterisk, protocol=all]
    logpath  = /var/log/asterisk/messages
    maxretry = 1
    findtime = 600
  • Restart fail2ban to activate these changes:

    service fail2ban restart 
  1. Good article but fail2ban has some serious holes! (see http://forums.asterisk.org/viewtopic.php?p=159984). I think you’re better off using SecAst (www.generationd.com) – even the free edition has a leg up on fail2ban….

  2. I just do ssh keypairs and disable password login. But fail2ban is something I should consider to try

Leave a Comment