[asterisk-users] Asterisk fail2ban filters - show us yours
Diego Aguirre (DagMoller)
dag.list at infodag.com.br
Thu Dec 29 09:10:17 CST 2011
Hi,
I have added this line for Asterisk 1.8 (I have allowguest=yes and context=default in sip.conf):
NOTICE.* .*: Call from '.*' \(<HOST>\) to extension '.*' rejected because extension not found in context 'default'.
On 29-12-2011 13:03, Patrick Lists wrote:
> Hi,
>
> In the thread "Interesting attack tonight & fail2ban them" Bruce B mentioned it would be nice to have input from the Community to come up with the best set of fail2ban filters. That's a great idea. So let's start with Bruce's filters (thanks!) and take it from there. Anyone have any improvements and/or additions? Apologies for the line wrap. No idea how to prevent that in Thunderbird. The filters are also at http://pastebin.com/6T9M1W3F
>
> Not sure but it may be possible that logging has changed between Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version with your filters.
>
> For Asterisk 1.8:
>
> failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
> NOTICE.* <HOST> failed to authenticate as '.*'$
> NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
> NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
> VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
>
>
> There are 2 lines that I have which are not in this list:
>
> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)
> NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
>
> How about those (no idea for which Asterisk version they are)?
>
> Regards,
> Patrick
--
Diego Aguirre (DagMoller)
Infodag Consultoria
FWD#: 459696
Enum#: +55 21 8871-4916 (e164.org)
DUNDi-br#: 21 8871-4916
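
A way to check failregex lines like the ones in this thread before deploying them, as an added example that is not part of the original messages: it expands `<HOST>` and runs each filter over sample log lines, which also shows why parentheses in a filter need a backslash to match literally. The `<HOST>` expansion is a simplified IPv4-only assumption, the helper names are hypothetical, and the log lines are constructed from the filter text.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion in fail2ban is broader, e.g. it also accepts hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def match_host(failregex, line):
    """Return the address a failregex extracts from a log line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None

# Filters under test. BARE and ESCAPED differ only in the backslashes.
BARE = (r"NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected "
        r"because extension not found in context 'default'.")
ESCAPED = BARE.replace("(<HOST>)", r"\(<HOST>\)")
REGISTER = (r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?'"
            r" - Wrong password")

# Constructed log lines (documentation-range addresses), shaped after the filters.
PREFIX = "[2011-12-29 09:10:17] NOTICE[4242] chan_sip.c: "
GUEST_CALL = (PREFIX + "Call from '' (203.0.113.5) to extension '900' rejected "
              "because extension not found in context 'default'.")
REG_PORT = (PREFIX + "Registration from '\"100\" <sip:100@198.51.100.1>' failed "
            "for '203.0.113.7:5060' - Wrong password")
REG_NOPORT = REG_PORT.replace(":5060", "")
BENIGN = PREFIX + "Peer '100' is now Reachable. (23ms / 2000ms)"

def report():
    """Run every filter/line pair and map a label to the extracted host."""
    cases = [
        ("guest call, bare parens", BARE, GUEST_CALL),
        ("guest call, escaped parens", ESCAPED, GUEST_CALL),
        ("register, with port", REGISTER, REG_PORT),
        ("register, without port", REGISTER, REG_NOPORT),
        ("benign line", ESCAPED, BENIGN),
    ]
    return {label: match_host(rx, line) for label, rx, line in cases}

if __name__ == "__main__":
    for label, host in report().items():
        print(f"{label:28} -> {host or 'no match'}")
```

Against a real Asterisk log, fail2ban's own `fail2ban-regex` tool performs the same check using its actual `<HOST>` expansion.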