[asterisk-users] SEMI OFF-TOPIC - Fail2ban

Tech Support asterisk at voipbusiness.us
Fri Jan 9 09:05:38 CST 2015 

Hello;
    Did you remember to uncomment the dateformat in
/etc/asterisk/logger.conf? That's necessary for fail2ban to work.

Logger.conf
[general]
dateformat=%F %T


Regards;
John

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of ricky
gutierrez
Sent: Thursday, January 08, 2015 4:38 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

Hi list , someone on the list has seen this type of connection attempts in
asterisk, fail2ban does not stop

2015-01-08 14:59:47] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informat
ional",Service="SIP",EventVersion="1",AccountID="sip:100 at 173.230.133.20",Ses
sionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress
="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informat
ional",Service="SIP",EventVersion="1",AccountID="sip:102 at 173.230.133.20",Ses
sionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress
="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"


I modified the fail2ban with the filter, but still not detected


asterisk.conf

log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension
'\d+' rejected because extension not found in context 'default'
\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from
<HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for
'[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device)
[^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth
rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S* $
            ^%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPa
ssword)",EventTV="[\d-]+",Severit
y="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\
da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",Rem
oteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge=
"\w+")?(,ReceivedHash="[\da-f]+")?$

ignoreregex =




--
rickygm

http://gnuforever.homelinux.com

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to
Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

More information about the asterisk-users mailing list