[asterisk-users] Asterisk fail2ban filters - show us yours

Patrick Lists asterisk-list at puzzled.xs4all.nl
Thu Dec 29 09:03:00 CST 2011


Hi,

In the thread "Interesting attack tonight & fail2ban them" Bruce B 
mentioned it would be nice to have input from the Community to come up 
with the best set of fail2ban filters. That's a great idea. So let's 
start with Bruce's filters (thanks!) and take it from there. Anyone have 
any improvements and/or additions? Apologies for the line wrap. No idea 
how to prevent that in Thunderbird. The filters are also at 
http://pastebin.com/6T9M1W3F

Not sure but it may be possible that logging has changed between 
Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version 
with your filters.

For Asterisk 1.8:

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
             Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
             NOTICE.* <HOST> failed to authenticate as '.*'$
             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)


There are 2 lines that I have which are not in this list:

NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

How about those (no idea for which Asterisk version they are)?

Regards,
Patrick
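
An added example, not part of the original post or of fail2ban itself: a small Python harness that runs four of the patterns above over constructed log lines and reports which source address each one extracts, including what happens when literal parentheses are left unescaped. The `<HOST>` expansion is a simplified IPv4-only assumption, and the function names and sample log lines are hypothetical.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Four of the patterns from the post; the literal parentheses in the last one are escaped here.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]
# The last pattern with bare parentheses, which the regex engine reads as a group.
UNESCAPED = r"NOTICE.* .*: No registration for peer '.*' (from <HOST>)"

# Constructed log lines using documentation addresses, not real captures.
SAMPLE_LOG = [
    "[2011-12-29 09:01:10] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@198.51.100.5>' failed for '203.0.113.7:5060' - Wrong password",
    "[2011-12-29 09:01:12] NOTICE[1234] chan_sip.c: Registration from '<sip:200@198.51.100.5>' failed for '203.0.113.7' - No matching peer found",
    "[2011-12-29 09:02:30] NOTICE[1234] chan_iax2.c: No registration for peer 'trunk1' (from 192.0.2.44)",
    "[2011-12-29 09:03:00] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
    "[2011-12-29 09:03:05] NOTICE[1234] chan_iax2.c: Host 192.0.2.44 failed to authenticate as 'guest'",
]

def host_for(pattern, line):
    """Return the address a single pattern extracts from a line, or None."""
    m = re.search(pattern.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

def offenders(lines, patterns=FAILREGEX):
    """Count failures per source address; each line is counted at most once."""
    hits = Counter()
    for line in lines:
        for pattern in patterns:
            host = host_for(pattern, line)
            if host:
                hits[host] += 1
                break
    return hits

if __name__ == "__main__":
    for host, count in offenders(SAMPLE_LOG).most_common():
        print(host, count)
    print("unescaped form matches:", host_for(UNESCAPED, SAMPLE_LOG[2]) is not None)
```

On a live system, `fail2ban-regex <logfile> <filter.conf>` performs the same check with fail2ban's real `<HOST>` expansion.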


