Fail2ban General Guide (Asterisk security log)
Configuring Fail2ban with the Asterisk security log - Listing banned IPs - Banning an IP manually - Unbanning an IP
Enable the security log channel in Asterisk (Asterisk 10 and above)
$ nano /etc/asterisk/logger.conf
locate the security line and uncomment it
security => security
;; optional: also send security events to the console for real-time analysis
full => debug,error,notice,verbose,warning,security
console => debug,error,notice,verbose,warning,security
Adjust the date format in the Asterisk logger
Locate the dateformat parameter in the logger file and uncomment the line dateformat=%F %T
$ nano /etc/asterisk/logger.conf
[general]
;
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
;
; see strftime(3) Linux manual for format specifiers. Note that there is also
; a fractional second parameter which may be used in this field. Use %1q
; for tenths, %2q for hundredths, etc.
;
dateformat=%F %T
Configuring Fail2ban with the Asterisk security log
Create the file /etc/fail2ban/filter.d/asterisk.conf
$ touch /etc/fail2ban/filter.d/asterisk.conf
Insert the content below
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
# (continuation lines of a multi-line value must be indented, otherwise fail2ban's
#  config parser only sees the first pattern)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
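To check that the four failregex lines above really match what Asterisk writes to the security log, the following added example (not part of the original guide) replays them over constructed sample log lines: it expands fail2ban's <HOST> tag to the alias documented in the filter comments and tallies failures per remote address the way a jail does, ignoring findtime.

```python
import re
from collections import Counter

# fail2ban's <HOST> tag is an alias for this named group (see the filter comments)
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

FAILREGEX = [
    r'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
    r'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*',
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample lines in the format Asterisk writes to the security log file
# (timestamps follow dateformat=%F %T; addresses are documentation ranges)
SAMPLE_LOG = """\
[2024-01-15 10:22:01] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1705314121-101",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7f0a2c",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-01-15 10:22:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1705314122-102",Severity="Error",Service="SIP",EventVersion="2",AccountID="9999",SessionID="0x7f0a2d",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-01-15 10:22:03] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1705314123-103",Severity="Informational",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7f0a2e",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.4/5060"
[2024-01-15 10:22:04] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1705314124-104",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7f0a2f",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-01-15 10:22:05] SECURITY[1234] res_security_log.c: SecurityEvent="FailedACL",EventTV="1705314125-105",Severity="Error",Service="SIP",EventVersion="2",AccountID="1002",SessionID="0x7f0a30",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/192.0.2.9/5060"
"""

def extract_host(line):
    """Return the host captured by the first matching failregex, or None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def failures_per_host(log_text):
    """Count matched failure events per remote host, like a jail's failure tally."""
    return Counter(h for h in map(extract_host, log_text.splitlines()) if h)

def hosts_to_ban(log_text, maxretry=3):
    """Hosts whose failure count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))   # {'203.0.113.7': 3, '192.0.2.9': 1}
    print("would ban:", hosts_to_ban(SAMPLE_LOG))  # would ban: ['203.0.113.7']
```

The SuccessfulAuth line is deliberately included to confirm it is not counted; a real jail additionally applies findtime and bantime from jail.conf.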
Reload Asterisk (so the logger picks up the new channel) and restart Fail2ban
$ asterisk -rx reload
$ service fail2ban restart
Find out which jail you want to inspect
$ fail2ban-client status | grep "Jail list:"
Listing banned IPs
$ fail2ban-client status asterisk-iptables
Banning an IP manually
$ fail2ban-client -vvv set asterisk-iptables banip 103.145.12.170
Unbanning an IP (the jail name comes right after set; this example uses the ssh jail)
$ fail2ban-client set ssh unbanip 177.99.47.161