[asterisk-users] Fail2ban

Carlos Chavez cursor at telecomabmex.com
Sun Sep 13 11:11:22 CDT 2015


On 2015-09-13 10:16, Gokan Atmaca wrote:
> Hello
> 
> I'm using Fail2ban. My configuration is below. I want to try to
> prevent the continuous password. Fail2ban password that does not
> prevent this form. (Asterisk 1.8 / Elastix interface)
> 
> What could be the problem?
> 
> Asterisk log:
> "Registration from '<sip:3060 at sip.x.eu;transport=UDP>' failed for
> 'x.x.x.x:32956' - Wrong password"
> 
> 
> Fail2ban asterisk filter:
> 
> # Fail2Ban filter for asterisk authentication failures
> #
> 
> [INCLUDES]
> 
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
> 
> 
> [Definition]
> 
> _daemon = asterisk
> 
> __pid_re = (?:\[\d+\])
> 
> # All Asterisk log messages begin like this:
> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
> 
> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No m$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'de$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'de$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=$
>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
>             ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
> 
> ignoreregex =
> 
> 
> # Author: Xavier Devlamynck / Daniel Black
> #
> # General log format - main/logger.c:ast_log
> # Address format - ast_sockaddr_stringify
> #
> # First regex: channels/chan_sip.c
> #
> # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s

      On the fail2ban website they have several versions of asterisk.conf 
depending on the version of Asterisk you are using.  If you have the 
latest fail2ban, that one has the version for Asterisk 11.  Go there and 
download the correct version for your setup.

-- 
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez
dCAP #1349
+52 (55)9116-91161
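
The thread turns on whether a filter's failregex fits the log format in use. The following is an added example, not part of either message and not fail2ban's own code, that rebuilds the first posted failregex in Python and runs it over constructed log lines. Assumptions: `<HOST>` is replaced by a simplified IPv4 pattern, the timestamp is removed before matching, only the regex alternatives visible before the truncation are used, and `failed_host` is a hypothetical helper name.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Pieces copied from the posted filter.
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY)" + PID_RE +
              r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?")

# First failregex of the post. Only the `\[\]\s*` prefix branch and the two
# alternatives visible before the truncation are reproduced.
REGISTRATION_RE = re.compile(
    r"^\[\]\s*" + LOG_PREFIX +
    r" Registration from '[^']*' failed for '" + HOST +
    r"(:\d+)?' - (Wrong password|Username/auth name mismatch)"
)

# Assumption: the timestamp is cut out of the line before matching, leaving
# the empty brackets that the `\[\]\s*` branch is written for.
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def failed_host(raw_line):
    """Return the offending address if the line matches, else None."""
    line = TIMESTAMP_RE.sub("", raw_line, count=1)
    m = REGISTRATION_RE.search(line)
    return m.group("host") if m else None


# Constructed sample lines (192.0.2.0/24 is a documentation range).
SAMPLES = [
    # Full logger line: level, pid, source file, then the message.
    "[2015-09-13 10:16:01] NOTICE[2841] chan_sip.c: Registration from "
    "'<sip:3060@sip.example.eu;transport=UDP>' failed for "
    "'192.0.2.10:32956' - Wrong password",
    # Message text only: no prefix for the regex to anchor on.
    "Registration from '<sip:3060@sip.example.eu;transport=UDP>' failed for "
    "'192.0.2.10:32956' - Wrong password",
    # Prefix with a level other than NOTICE or SECURITY.
    "[2015-09-13 10:16:02] WARNING[2841] chan_sip.c: Registration from "
    "'<sip:3060@sip.example.eu>' failed for '192.0.2.10:32956' - Wrong password",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(failed_host(sample), "<-", sample[:60])
```

On a live system, the `fail2ban-regex` tool shipped with fail2ban runs the complete filter file against the real log and reports how many lines matched.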


