Sophony Memo informatique

4 July 2011

Asterisk & fail2ban on Debian Squeeze

Below is the procedure for securing an Asterisk server on Debian with Fail2ban.

The main goal is to keep out the opportunists who brute-force SIP accounts.

Install fail2ban

apt-get install fail2ban

Configure fail2ban

In the file /etc/fail2ban/jail.conf, add the following lines:

#
# Asterisk
#

[asterisk-iptables]

enabled  = true
filter   = asterisk
# The second action is a continuation line and must stay indented
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=mon_mail@domaine.com, sender=fail2ban@domaine.com]
logpath  = /var/log/asterisk/messages
maxretry = 3
# Ban duration in seconds (3 days)
bantime  = 259200

Create the file /etc/fail2ban/filter.d/asterisk.conf, then add the following lines:

# Fail2Ban configuration file
#
#

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

In /etc/asterisk/logger.conf, uncomment the following line:

dateformat=%F %T

Restart asterisk and fail2ban:

/etc/init.d/asterisk restart

/etc/init.d/fail2ban restart

Verify the installation

iptables -L -v

You should see something like:

Chain fail2ban-ASTERISK (1 references)
pkts bytes target     prot opt in     out     source               destination
4   264 RETURN     all  --  any    any     anywhere             anywhere
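
To check the filter before relying on it, the following added example (not part of the original post, and not fail2ban's own code) applies the failregex lines above to constructed Asterisk log lines, expanding <HOST> with the alias quoted in the filter's comments, and lists the hosts that reach maxretry = 3. The log lines, addresses and function names are made up for the illustration, and failures are counted over the whole sample rather than over a findtime window; on a real server, fail2ban-regex runs the filter against the actual log.

```python
import re
from collections import Counter

# <HOST> alias exactly as documented in the filter's comments.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# failregex entries copied from the asterisk.conf filter above.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
MAXRETRY = 3  # same value as in the [asterisk-iptables] jail

# Constructed sample of /var/log/asterisk/messages (dateformat=%F %T).
SAMPLE_LOG = """\
[2011-07-04 10:29:41] NOTICE[1734] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2011-07-04 10:29:42] NOTICE[1734] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2011-07-04 10:29:43] NOTICE[1734] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2011-07-04 10:31:00] NOTICE[1734] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2011-07-04 10:31:05] NOTICE[1734] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)
[2011-07-04 10:32:00] VERBOSE[1734] logger.c: Asterisk Event Logger restarted
""".splitlines()

def failed_hosts(lines):
    """Count failregex hits per captured host; each line counts at most once."""
    hits = Counter()
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts whose failures reach maxretry (no findtime window applied here)."""
    return sorted(h for h, n in failed_hosts(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(failed_hosts(SAMPLE_LOG)), "->", hosts_to_ban(SAMPLE_LOG))
```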

4 July 2011

MegaRAID card on Debian Squeeze (MG Hybrid 2011 OVH)

Two days ago, we rented a new machine from the hosting provider OVH.

It is equipped with a MegaRAID hardware RAID card.

The MegaCli command, used to control the card and fine-tune its settings, is unfortunately very poorly documented.
Here are a few basic commands ...

Display information about the card and the configuration

# MegaCli -AdpAllInfo -aAll

Adapter #0

==============================================================================
Versions
================
Product Name    : LSI MegaRAID SAS PCI Express ROMB
Serial No       :
FW Package Build: 12.9.0-0033

Mfg. Data
================
Mfg. Date       : 00/00/00
Rework Date     : 00/00/00
Revision No     :
Battery FRU     : N/A

Image Versions in Flash:
================
BIOS Version       : 3.17.00_4.08.04.00_0x0416A000
FW Version         : 2.90.03-0928
Preboot CLI Version: 04.04-010:#%00008
WebBIOS Version    : 6.0-18-e_13-Rel
Boot Block Version : 2.02.00.00-0000

Pending Images in Flash
================
None

PCI Info
================
Vendor Id       : 1000
Device Id       : 0079
SubVendorId     : 15d9
SubDeviceId     : 0700

Host Interface  : PCIE
Number of Frontend Port: 0
Device Interface  : PCIE
Number of Backend Port: 8
Port  :  Address
0        4433221100000000
1        4433221102000000
2        4433221103000000
3        4433221101000000
4        0000000000000000
5        0000000000000000
6        0000000000000000
7        0000000000000000

HW Configuration
================
SAS Address     : 500304800313ea00
BBU             : Present
Alarm           : Present
NVRAM           : Present
Serial Debugger : Present
Memory          : Present
Flash           : Present
Memory Size     : 512MB
TPM             : Absent

Settings
================
Current Time                     : 10:29:43 7/4, 2011
Predictive Fail Poll Interval    : 300sec
Interrupt Throttle Active Count  : 16
Interrupt Throttle Completion    : 50us
Rebuild Rate                     : 30%
PR Rate                          : 30%
Resynch Rate                     : 30%
Check Consistency Rate           : 30%
Reconstruction Rate              : 30%
Cache Flush Interval             : 4s
Max Drives to Spinup at One Time : 2
Delay Among Spinup Groups        : 12s
Physical Drive Coercion Mode     : 1GB
Cluster Mode                     : Disabled
Alarm                            : Enabled
Auto Rebuild                     : Enabled
Battery Warning                  : Enabled
Ecc Bucket Size                  : 15
Ecc Bucket Leak Rate             : 1440 Minutes
Restore HotSpare on Insertion    : Disabled
Expose Enclosure Devices         : Enabled
Maintain PD Fail History         : Disabled
Host Request Reordering          : Enabled
Auto Detect BackPlane Enabled    : SGPIO/i2c SEP
Load Balance Mode                : Auto
Use FDE Only                     : No
Security Key Assigned            : No
Security Key Failed              : No
Security Key Not Backedup        : No
Any Offline VD Cache Preserved   : No

Capabilities
================
RAID Level Supported             : RAID0, RAID1, RAID5, RAID6, RAID10, RAID50, RAID60, PRL 11, PRL 11 with spanning, SRL 3 supported
Supported Drives                 : SAS, SATA

Allowed Mixing:
Mix in Enclosure Allowed
Mix of SAS/SATA of HDD type in VD Allowed
Mix of SAS/SATA of SSD type in VD Allowed
Mix of SSD/HDD in VD Allowed

Status
================
ECC Bucket Count                 : 0

Limitations
================
Max Arms Per VD         : 32
Max Spans Per VD        : 8
Max Arrays              : 128
Max Number of VDs       : 64
Max Parallel Commands   : 1008
Max SGE Count           : 60
Max Data Transfer Size  : 8192 sectors
Max Strips PerIO        : 42
Min Stripe Size         : 8 KB
Max Stripe Size         : 1.0 MB

Device Present
================
Virtual Drives    : 2
Degraded        : 0
Offline         : 0
Physical Devices  : 5
Disks           : 4
Critical Disks  : 0
Failed Disks    : 0

Supported Adapter Operations
================
Rebuild Rate                    : Yes
CC Rate                         : Yes
BGI Rate                        : Yes
Reconstruct Rate                : Yes
Patrol Read Rate                : Yes
Alarm Control                   : Yes
Cluster Support                 : No
BBU                             : Yes
Spanning                        : Yes
Dedicated Hot Spare             : Yes
Revertible Hot Spares           : Yes
Foreign Config Import           : Yes
Self Diagnostic                 : Yes
Allow Mixed Redundancy on Array : No
Global Hot Spares               : Yes
Deny SCSI Passthrough           : No
Deny SMP Passthrough            : No
Deny STP Passthrough            : No
Support Security                : No

Supported VD Operations
================
Read Policy          : Yes
Write Policy         : Yes
IO Policy            : Yes
Access Policy        : Yes
Disk Cache Policy    : Yes
Reconstruction       : Yes
Deny Locate          : No
Deny CC              : No
Allow Ctrl Encryption: No

Supported PD Operations
================
Force Online                            : Yes
Force Offline                           : Yes
Force Rebuild                           : Yes
Deny Force Failed                       : No
Deny Force Good/Bad                     : No
Deny Missing Replace                    : No
Deny Clear                              : No
Deny Locate                             : No
Disable Copyback                        : No
Enable Copyback on SMART                : No
Enable Copyback to SSD on SMART Error   : Yes
Enable SSD Patrol Read                  : No
Enable Spin Down of UnConfigured Drives : Yes

Error Counters
================
Memory Correctable Errors   : 0
Memory Uncorrectable Errors : 0

Cluster Information
================
Cluster Permitted     : No
Cluster Active        : No

Default Settings
================
Phy Polarity                     : 0
Phy PolaritySplit                : 0
Background Rate                  : 30
Stripe Size                      : 64kB
Flush Time                       : 4 seconds
Write Policy                     : WB
Read Policy                      : Adaptive
Cache When BBU Bad               : Enabled
Cached IO                        : Yes
SMART Mode                       : Mode 6
Alarm Disable                    : Yes
Coercion Mode                    : 1GB
ZCR Config                       : Unknown
Dirty LED Shows Drive Activity   : No
BIOS Continue on Error           : No
Spin Down Mode                   : None
Allowed Device Type              : SAS/SATA Mix
Allow Mix in Enclosure           : Yes
Allow HDD SAS/SATA Mix in VD     : Yes
Allow SSD SAS/SATA Mix in VD     : Yes
Allow HDD/SSD Mix in VD          : Yes
Allow SATA in Cluster            : No
Max Chained Enclosures           : 16
Disable Ctrl-R                   : Yes
Enable Web BIOS                  : Yes
Direct PD Mapping                : No
BIOS Enumerate VDs               : Yes
Restore Hot Spare on Insertion   : No
Expose Enclosure Devices         : Yes
Maintain PD Fail History         : No
Disable Puncturing               : No
Zero Based Enclosure Enumeration : No
PreBoot CLI Enabled              : Yes
LED Show Drive Activity          : Yes
Cluster Disable                  : Yes
SAS Disable                      : No
Auto Detect BackPlane Enable     : SGPIO/i2c SEP
Use FDE Only                     : No
Enable Led Header                : No
Delay during POST                : 0

Exit Code: 0x00

Display information about logical drive 0 on card 0

# MegaCli -LDInfo -L0 -a0

Adapter 0 -- Virtual Drive Information:
Virtual Disk: 0 (Target Id: 0)
Name:
RAID Level: Primary-1, Secondary-0, RAID Level Qualifier-0
Size:36.321 GB
State: Optimal
Stripe Size: 64 KB
Number Of Drives:2
Span Depth:1
Default Cache Policy: WriteBack, ReadAdaptive, Cached, Write Cache OK if Bad BBU
Current Cache Policy: WriteBack, ReadAdaptive, Cached, Write Cache OK if Bad BBU
Access Policy: Read/Write
Disk Cache Policy: Disk's Default
Encryption Type: None
Exit Code: 0x00

Display information about logical drive 1 on card 0

# MegaCli -LDInfo -L1 -a0

Adapter 0 -- Virtual Drive Information:
Virtual Disk: 1 (Target Id: 1)
Name:
RAID Level: Primary-1, Secondary-0, RAID Level Qualifier-0
Size:2.727 TB
State: Optimal
Stripe Size: 64 KB
Number Of Drives:2
Span Depth:1
Default Cache Policy: WriteBack, ReadAdaptive, Cached, Write Cache OK if Bad BBU
Current Cache Policy: WriteBack, ReadAdaptive, Cached, Write Cache OK if Bad BBU
Access Policy: Read/Write
Disk Cache Policy: Disk's Default
Encryption Type: None
Exit Code: 0x00

Display the controller's physical disks

# MegaCli -PDList -a0

Adapter #0

Enclosure Device ID: 252
Slot Number: 0
Device Id: 4
Sequence Number: 2
Media Error Count: 0
Other Error Count: 0
Predictive Failure Count: 0
Last Predictive Failure Event Seq Number: 0
PD Type: SATA
Raw Size: 37.271 GB [0x4a8b570 Sectors]
Non Coerced Size: 36.771 GB [0x498b570 Sectors]
Coerced Size: 36.321 GB [0x48a4800 Sectors]
Firmware state: Online
SAS Address(0): 0x4433221100000000
Connected Port Number: 0(path0)
Inquiry Data: CVPR120002BA040AGN  INTEL SSDSA2CT040G3                     4PC10302
FDE Capable: Not Capable
FDE Enable: Disable
Secured: Unsecured
Locked: Unlocked
Foreign State: None
Device Speed: 3.0Gb/s
Link Speed: 3.0Gb/s
Media Type: Solid State Device

Enclosure Device ID: 252
Slot Number: 1
Device Id: 7
Sequence Number: 2
Media Error Count: 0
Other Error Count: 0
Predictive Failure Count: 0
Last Predictive Failure Event Seq Number: 0
PD Type: SATA
Raw Size: 2.728 TB [0x15d50a3b0 Sectors]
Non Coerced Size: 2.728 TB [0x15d40a3b0 Sectors]
Coerced Size: 2.727 TB [0x15d3ef000 Sectors]
Firmware state: Online
SAS Address(0): 0x4433221101000000
Connected Port Number: 3(path0)
Inquiry Data:       MK0311YHG7M2PAHitachi HDS723030ALA640                 MKAOA580
FDE Capable: Not Capable
FDE Enable: Disable
Secured: Unsecured
Locked: Unlocked
Foreign State: None
Device Speed: Unknown
Link Speed: Unknown
Media Type: Hard Disk Device

Enclosure Device ID: 252
Slot Number: 2
Device Id: 5
Sequence Number: 2
Media Error Count: 0
Other Error Count: 0
Predictive Failure Count: 0
Last Predictive Failure Event Seq Number: 0
PD Type: SATA
Raw Size: 37.271 GB [0x4a8b570 Sectors]
Non Coerced Size: 36.771 GB [0x498b570 Sectors]
Coerced Size: 36.321 GB [0x48a4800 Sectors]
Firmware state: Online
SAS Address(0): 0x4433221102000000
Connected Port Number: 1(path0)
Inquiry Data: CVPR11740022040AGN  INTEL SSDSA2CT040G3                     4PC10302
FDE Capable: Not Capable
FDE Enable: Disable
Secured: Unsecured
Locked: Unlocked
Foreign State: None
Device Speed: 3.0Gb/s
Link Speed: 3.0Gb/s
Media Type: Solid State Device

Enclosure Device ID: 252
Slot Number: 3
Device Id: 6
Sequence Number: 2
Media Error Count: 0
Other Error Count: 0
Predictive Failure Count: 0
Last Predictive Failure Event Seq Number: 0
PD Type: SATA
Raw Size: 2.728 TB [0x15d50a3b0 Sectors]
Non Coerced Size: 2.728 TB [0x15d40a3b0 Sectors]
Coerced Size: 2.727 TB [0x15d3ef000 Sectors]
Firmware state: Online
SAS Address(0): 0x4433221103000000
Connected Port Number: 2(path0)
Inquiry Data:       MK0311YHG7PJ9AHitachi HDS723030ALA640                 MKAOA580
FDE Capable: Not Capable
FDE Enable: Disable
Secured: Unsecured
Locked: Unlocked
Foreign State: None
Device Speed: Unknown
Link Speed: Unknown
Media Type: Hard Disk Device

Exit Code: 0x00
