[asterisk-users] Fail2ban

Andres andres at telesip.net
Sun Sep 13 13:17:49 CDT 2015


On 9/13/15 11:16 AM, Gokan Atmaca wrote:
> Hello
>
> I'm using Fail2ban; my configuration is below. I want to try to
> prevent the continuous password attempts, but Fail2ban does not
> prevent this form. (Asterisk 1.8 / Elastix interface)
>
> What could be the problem?
>
> Asterisk log:
> "Registration from '<sip:3060 at sip.x.eu;transport=UDP>' failed for
> 'x.x.x.x:32956' - Wrong password"
Sometimes minor tweaks to the file are in order.  My suggestion is to 
use the fail2ban-regex utility to test the log file entry until it is 
detected.  Just put the line generated by asterisk in a test file and 
then run the regex.

# /usr/bin/fail2ban-regex -?
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

example:

/usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf
>
>
> Fail2ban Asterisk filter:
>
> # Fail2Ban filter for asterisk authentication failures
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
>
> # common.local
> before = common.conf
>
>
> [Definition]
>
> _daemon = asterisk
>
> __pid_re = (?:\[\d+\])
>
> # All Asterisk log messages begin like this:
> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
> \S+:\d*( in \w+:)?
>
> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
> from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
> password|Username/auth name mismatch|No m$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
> not found in context 'de$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
> failed to authenticate as '[^']*'$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
> for peer '[^']*' \(from <HOST>\)$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
> failed MD5 authentication for '[^']*' \([^)]+\)$
>    ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
> not found in context 'de$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
> failed to authenticate as '[^']*'$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
> for peer '[^']*' \(from <HOST>\)$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
> failed MD5 authentication for '[^']*' \([^)]+\)$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
> authenticate (user|device) [^@]+@<HOST>\S*$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
> (?:handle_request_subscribe: )?Sending fake auth rejection for
> (device|user) \d*<sip:[^@]+@<HOST>>;tag=$
>              ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
> SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
>              ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
> )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
>
> ignoreregex =
>
>
> # Author: Xavier Devlamynck / Daniel Black
> #
> # General log format - main/logger.c:ast_log
> # Address format - ast_sockaddr_stringify
> #
> # First regex: channels/chan_sip.c
> #
> # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
>


-- 
Technical Support
http://www.cellroute.net
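To show what the fail2ban-regex check suggested above does under the hood, here is an added Python example (not from this thread and not fail2ban's own code) that expands the first quoted failregex rule the way fail2ban does and runs it over constructed Asterisk log lines. It assumes an ISO-style file-log timestamp and a minimal stand-in for common.conf's __prefix_line, and it covers only the "Wrong password" / "Username/auth name mismatch" alternatives that are readable before the quoted rule is cut off.

```python
import re
from collections import Counter

# Template pieces copied from the quoted asterisk.conf; the wrapped
# log_prefix line is joined back with the space the mail client ate.
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY)" + PID_RE
              + r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?")
# First quoted failregex rule, limited to the alternatives that are
# readable before the quoted line is cut off.
FAILREGEX = (r"^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration "
             r"from '[^']*' failed for '<HOST>(:\d+)?' - "
             r"(Wrong password|Username/auth name mismatch)$")
# The pattern fail2ban 0.9 substitutes for <HOST>.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Assumption: a minimal stand-in for common.conf's __prefix_line
# (an optional "host asterisk[pid]: " syslog prefix), not the real one.
PREFIX_LINE = r"\s*(?:\S+ asterisk\[\d+\]: )?"
# Assumption: the ISO-style timestamp Asterisk writes to its file log.
# fail2ban removes the date text but leaves the brackets, which is what
# the "\[\]\s*" alternative at the start of the rule is for.
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")

def compile_failregex():
    """Expand the fail2ban template the way fail2ban-regex does."""
    expanded = FAILREGEX % {"__prefix_line": PREFIX_LINE,
                            "log_prefix": LOG_PREFIX}
    return re.compile(expanded.replace("<HOST>", HOST_RE))

def match_host(line, regex=compile_failregex()):
    """Return the <HOST> captured from one log line, or None."""
    m = regex.search(DATE_RE.sub("[]", line, count=1))
    return m.group("host") if m else None

def count_failures(lines):
    """Failures per host: the number fail2ban compares with maxretry."""
    return Counter(h for h in map(match_host, lines) if h)

# Constructed sample lines (203.0.113.0/24 is documentation space).
SAMPLE = [
    "[2015-09-13 11:16:01] NOTICE[2291][C-00000a1f] chan_sip.c: Registration "
    "from '<sip:3060@sip.example.net;transport=UDP>' failed for "
    "'203.0.113.5:32956' - Wrong password",
    "[2015-09-13 11:16:03] NOTICE[2291] chan_sip.c: Registration from "
    "'<sip:3060@sip.example.net>' failed for '203.0.113.5:32957' - Wrong password",
    # Same text at a level the rule's log_prefix does not accept: not counted.
    "[2015-09-13 11:16:05] VERBOSE[2291] chan_sip.c: Registration from "
    "'<sip:3060@sip.example.net>' failed for '203.0.113.9:5060' - Wrong password",
]
```

Running `count_failures(SAMPLE)` yields two hits for 203.0.113.5 and none for the VERBOSE line, which is the same split fail2ban-regex reports as matched versus missed lines.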