
I use fail2ban, why do I need SecAst

Posted: Tue Dec 06, 2016 3:33 am
by CRM User
I bought a FreePBX system from a vendor who says FreePBX comes with a security system called "Fail2Ban". Why would I need SecAst if I have fail2ban? Aren't they the same thing?

Re: I use fail2ban, why do I need SecAst

Posted: Tue Dec 06, 2016 3:39 am
by Telium Support
First of all, you should be aware that Fail2Ban is not a security system - it depends completely on Asterisk to say that a user attempted to register/dial without a valid account. Fail2ban has no intrusion detection, no hacking detection, no geofencing, no fraud pattern detection, etc. It is simply a tool that reads log files to determine if an IP should be banned. Digium warns users not to use Fail2Ban as a security measure; see http://forums.asterisk.org/viewtopic.php?p=159984 . To underscore Digium's point, most SIP attacks don't even show up in the Asterisk log files, so these attackers are not stopped by fail2ban.

Fail2ban is certainly better than nothing - so if you don't want to use SecAst (even the Free Edition of SecAst), then install fail2ban. If all you want is Asterisk log trolling then SecAst can respond to these same messages from Asterisk if you choose, just like Fail2Ban, but that is among the least significant features of SecAst. SecAst uses event information from the Asterisk AMI, data from the network interface card, SIP data (including dialing digits, rate of dialing, etc.), and more to create a profile of each user/device and identify potential hacking and fraud. SecAst also uses proprietary databases of phone numbers used in fraud, known source IP addresses of telecom hackers or intrusion attempts, and all IP addresses mapped to cities/regions/countries/continents worldwide to dramatically reduce the risk of fraud or intrusion. SecAst even uses heuristic detection (like antivirus software) to identify behavioral patterns indicative of hacking attempts, or indicative of calls being made using stolen credentials. And finally, SecAst continually monitors endpoint activities (even after registration) to protect the PBX and stop fraud.

So comparing Fail2Ban to SecAst is like comparing a screwdriver to a toolbox full of tools. Many of our customers have come to SecAst from Fail2Ban after their first $100,000 bill from their ITSP. Products like FreePBX tend to give users a false sense of security by calling Fail2Ban their "security system" - because it's not. Digium makes it quite clear that if you think Fail2Ban is a security system then you risk being hacked / defrauded.