[asterisk-users] sip attack.. fail2ban not stopping attack

Nick Ustinov nickustinov at gmail.com
Mon Dec 27 16:20:16 UTC 2010


With asterisk 1.8+ it should be:

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*


since the format of the notice has changed (Asterisk now adds the port after HOST).

Nick


On Mon, Dec 27, 2010 at 6:03 PM, Administrator TOOTAI <admin at tootai.net> wrote:
> On 27/12/2010 16:20, dave george wrote:
>>
>> [...]
>>
>> [Definition]
>>
>> #_daemon = asterisk
>>
>> # Option:  failregex
>> # Notes.:  regex to match the password failures messages in the logfile. The
>> #          host must be matched by a group named "host". The tag "<HOST>" can
>> #          be used for standard IP/hostname matching and is only an alias for
>> #          (?:::f{4,6}:)?(?P<host>\S+)
>> # Values:  TEXT
>> #
>>
>> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
>>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
>>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
>>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
>>             NOTICE.*<HOST>  failed to authenticate as '.*'$
>>             NOTICE.* .*: No registration for peer '.*' \(from<HOST>\)
>>             NOTICE.* .*: Host<HOST>  failed MD5 authentication for '.*' (.*)
>>             NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
>> ignoreregex =
>> [...]
>>
>
> What does your asterisk notice file look like?
>
> ---
> Daniel

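The effect of the port suffix on what gets captured as the host, as an added example that is not part of the original post or of fail2ban: it substitutes two host patterns for `<HOST>` and runs the old and new "Wrong password" expressions over constructed log lines. `DOCUMENTED` is the `\S+` alias from the quoted filter comment; `STRICT` is an assumed colon-free stand-in, and the addresses and helper names are hypothetical.

```python
import ipaddress
import re

# Host patterns substituted for <HOST>. DOCUMENTED is the alias quoted in the
# filter's comment block; STRICT is an assumed colon-free class for comparison.
DOCUMENTED = r"(?:::f{4,6}:)?(?P<host>\S+)"
STRICT = r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)"

OLD = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password"
NEW = (r"NOTICE.* .*: Registration from '.*' failed for "
       r"'<HOST>(:[0-9]{1,5})?' - Wrong password")

# Constructed log lines (documentation addresses), not taken from the thread.
LINE_NO_PORT = ("[2010-12-27 16:20:16] NOTICE[1234] chan_sip.c: Registration from "
                "'<sip:100@203.0.113.5>' failed for '198.51.100.7' - Wrong password")
LINE_WITH_PORT = LINE_NO_PORT.replace("'198.51.100.7'", "'198.51.100.7:5060'")


def captured_host(failregex, line, host_pattern=STRICT):
    """Return the text captured as the host, or None if the line does not match."""
    m = re.search(failregex.replace("<HOST>", host_pattern), line)
    return m.group("host") if m else None


def is_bannable(host):
    """True when the captured host is a literal IP address a firewall rule can use."""
    try:
        ipaddress.ip_address(host)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    for rx_name, rx in (("old", OLD), ("new", NEW)):
        for hp_name, hp in (("strict", STRICT), ("documented", DOCUMENTED)):
            for line in (LINE_NO_PORT, LINE_WITH_PORT):
                host = captured_host(rx, line, hp)
                print(f"{rx_name} {hp_name:10} -> {host!r:22} "
                      f"bannable={is_bannable(host)}")
```

With the `\S+` alias both expressions match the port-bearing line but capture `198.51.100.7:5060`, so the result depends on which host pattern the installed fail2ban substitutes for `<HOST>`.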

