[asterisk-users] fail2ban and pjsip in asterisk 12 and 13

Matthew Jordan mjordan at digium.com
Mon Sep 15 08:26:59 CDT 2014


On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock <patrick at laimbock.com>
wrote:

> Hi Rainer,
>
> On 15-09-14 09:07, Rainer Piper wrote:
>
>> Hi,
>>
>> Info !!! not a question !!!
>>
>> the pjsip logger is different:
>>
>> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
>> from '"1001" <sip:1001 at 81.20.137.222>' failed for '85.25.197.23:5071'
>> (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>>
>> and here the RegEx for fail2ban to catch this log:
>>
>> NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
>> No matching endpoint found
>>
>
> Thanks for sharing. If you use github it would be nice if you could submit
> a pull request so that it becomes part of the Asterisk rules in the next
> Fail2ban version (0.9.1).
>
> https://github.com/fail2ban/fail2ban/pulls
>
> HTH,
> Patrick
>


Why would you not use the SECURITY log format, which has the exact same
format between chan_sip and chan_pjsip, and has a consistent format from
Asterisk 10+?

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
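
Added example, not part of the original thread and not fail2ban's own code: a Python sketch that runs the failregex quoted in the thread over log lines and counts failures per source address, in the way a fail2ban jail applies `maxretry`. The `<HOST>` expansion is a simplified IPv4-only stand-in (an assumption), and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Failregex quoted in the thread.
FAILREGEX = (r"NOTICE.* .*: Request from '.*' failed for "
             r"'<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found")

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_by_host(lines, pattern):
    """Count matching log lines per source address."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=3):
    """Return the addresses with at least maxretry failures, sorted."""
    hits = failures_by_host(lines, compile_failregex(failregex))
    return sorted(h for h, n in hits.items() if n >= maxretry)


def _line(src, callid):
    # Builds a log line in the res_pjsip format shown in the thread.
    return ("[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: "
            "Request from '\"1001\" <sip:1001 at 81.20.137.222>' failed for "
            f"'{src}' (callid: {callid}) - No matching endpoint found")


# First entry is the line from the thread; the rest are constructed.
SAMPLE_LOG = [
    _line("85.25.197.23:5071", "1bfa1fcfee1e20dbe9bbbcac5d7bdffc"),
    _line("85.25.197.23:5071", "constructed-2"),
    _line("85.25.197.23:5072", "constructed-3"),
    _line("203.0.113.9", "constructed-4"),   # no port: optional group
    "[Sep 15 07:33:30] NOTICE[65267] example.c: unrelated constructed line",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```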