[asterisk-users] fail2ban and pjsip in asterisk 12 and 13
Rainer Piper
rainer.piper at soho-piper.de
Mon Sep 15 09:00:09 CDT 2014
On 15.09.2014 at 15:26, Matthew Jordan wrote:
>
> On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock
> <patrick at laimbock.com> wrote:
>
> Hi Rainer,
>
> On 15-09-14 09:07, Rainer Piper wrote:
>
> Hi,
>
> Info !!! not a question !!!
>
> the pjsip logger is different:
>
> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c:
> Request
> from '"1001" <sip:1001 at 81.20.137.222>' failed for
> '85.25.197.23:5071'
> (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching
> endpoint found
>
> and here the RegEx for fail2ban to catch this log:
>
> |NOTICE.* .*: Request from '.*' failed for
> '<HOST>(:[0-9]{1,5})?' (.*) -
> No matching endpoint found
>
>
> Thanks for sharing. If you use github it would be nice if you
> could submit a pull request so that it becomes part of the
> Asterisk rules in the next Fail2ban version (0.9.1).
>
> https://github.com/fail2ban/fail2ban/pulls
>
> HTH,
> Patrick
>
>
>
> Why would you not use the SECURITY log format, which has the exact
> same format between chan_sip and chan_pjsip, and has a consistent
> format from Asterisk 10+?
>
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
>
> --
> Matthew Jordan
> Digium, Inc. | Engineering Manager
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com & http://asterisk.org
>
>
Thanks for security_log => security
OK ... I switched on
security_log => security
in logger.conf and I'm going to write a RegEx for Fail2ban.
Log sample - security log of a wrong password:
[Sep 15 15:51:26] SECURITY[17378] res_security_log.c:
SecurityEvent="ChallengeResponseFailed",EventTV="2014-09-15T15:51:26.126+0200",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="7002",SessionID="80DFFBE5-4C3B-E411-8429-AD5D2362CB3E at 192.168.8.10",LocalAddress="IPV4/UDP/178.5.154.91/5072",RemoteAddress="IPV4/UDP/192.168.8.10/6012",Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""
--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161 <callto:004922897167161>
P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer at xmpp.soho-piper.de
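
Added example, not part of the original thread and not Fail2ban's own filter: a Python sketch that parses SECURITY log lines of the shape shown in the sample above, reads the source address from the RemoteAddress field, and counts failed-authentication events per address. The sample lines are constructed with documentation addresses, and the event names other than ChallengeResponseFailed are an assumption about which events to count.

```python
import re
from collections import Counter

# Header as in the sample above: [timestamp] SECURITY[pid] res_security_log.c: k="v",...
LINE_RE = re.compile(r'^\[[^\]]+\]\s+SECURITY\[\d+\]\s+\S+:\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# ChallengeResponseFailed is the event shown in the thread; the other two
# names are an assumption about which further events should count as failures.
FAILURE_EVENTS = {"ChallengeResponseFailed", "InvalidPassword", "InvalidAccountID"}

def parse_security_line(line):
    """Return the event's key/value fields, or None if not a SECURITY event line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return fields if "SecurityEvent" in fields else None

def remote_ip(fields):
    """Extract <addr> from RemoteAddress="IPV4/UDP/<addr>/<port>" (IPV6 has the same layout)."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 and parts[2] else None

def failures_by_ip(lines):
    """Count failure events per remote address, whatever Service reported them."""
    counts = Counter()
    for line in lines:
        fields = parse_security_line(line)
        if fields and fields["SecurityEvent"] in FAILURE_EVENTS:
            ip = remote_ip(fields)
            if ip:
                counts[ip] += 1
    return counts

# Constructed sample lines (not real log data).
HDR = '[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: '
SAMPLE = [
    HDR + 'SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",'
          'AccountID="7002",RemoteAddress="IPV4/UDP/198.51.100.7/6012"',
    HDR + 'SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",'
          'AccountID="7003",RemoteAddress="IPV4/UDP/198.51.100.7/6013"',
    HDR + 'SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",'
          'AccountID="7001",RemoteAddress="IPV4/UDP/192.0.2.10/5060"',
    HDR + 'SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",'
          'AccountID="admin",RemoteAddress="IPV4/UDP/203.0.113.5/5071"',
    "[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from "
    "'x' failed for '203.0.113.5:5071' (callid: abc) - No matching endpoint found",
]

if __name__ == "__main__":
    for ip, n in failures_by_ip(SAMPLE).most_common():
        print(ip, n)
```

Because the address is taken from the RemoteAddress key rather than by position in the line, the same parser covers events logged with Service="PJSIP" and Service="SIP".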