[asterisk-users] Fail2ban

Gokan Atmaca linux.gokan at gmail.com
Sun Sep 13 10:16:46 CDT 2015 

Hello

I'm using the Fail2ban.  I configuration below. I want to try to
prevent the continuous password. Fail2ban password that does not
prevent this form. (Asterisk 1.8 / Elastix interface)

What could be the problem ?

Asterisk log;
"Registration from '<sip:3060 at sip.x.eu;transport=UDP>' failed for
'x.x.x.x:32956' - Wrong password"


Fail2ban asterisk filter;

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from

# common.local
before = common.conf


[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
\S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
password|Username/auth name mismatch|No m$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
not found in context 'de$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed MD5 authentication for '[^']*' \([^)]+\)$
  ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
not found in context 'de$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
(?:handle_request_subscribe: )?Sending fake auth rejection for
(device|user) \d*<sip:[^@]+@<HOST>>;tag=$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
)Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s

More information about the asterisk-users mailing list