[asterisk-users] Blacklist failed attempts

Frank Vanoni mailinglist at linuxista.com
Fri Mar 2 04:27:53 CST 2018


On Thu, 2018-03-01 at 15:02 +0200, Atux Atux wrote:
> I have tried to implement it through fail2ban, but it does not seem
> to work for my asterisk implementation.
I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
configuration:
in /etc/asterisk/logger.conf:
messages => security,notice,warning,error
in /etc/asterisk/sip.conf:
allowguest=yes
context=unauthenticated
in /etc/asterisk/extensions.conf:
[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()
exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()
in /etc/fail2ban/jail.conf:
[asterisk]
filter   = asterisk
action = iptables-allports[name=ASTERISK]
logpath  = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime  = 518400
enabled = true
in /etc/fail2ban/filter.d
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            WARNING.* .*: fail2ban='<HOST>'
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
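Before enabling a jail like the one above it is worth checking what the failregex lines actually capture in the "host" group, because that captured string is what the ban action receives. The following Python script is an added example, not part of the post and not fail2ban's own code: it expands the <HOST> tag the way the template comment above describes it, runs four of the failregex lines from the post over a few constructed Asterisk 13 log lines, and applies the jail's maxretry/findtime to list the addresses that would be banned. The sample log lines and their addresses are constructed, and HOST_STRICT (the stricter character class later fail2ban releases use in place of \S+) is quoted from memory rather than from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# <HOST> alias exactly as the filter template's comment describes it
HOST_LEGACY = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Stricter class used by later fail2ban releases (assumption, not from the post)
HOST_STRICT = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Four of the failregex lines from the post, with the mail wrapping undone
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' "
    r"rejected because extension not found in context 'unauthenticated'",
    r'SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP"'
    r'.*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
    r"WARNING.* .*: fail2ban='<HOST>'",
]

# Constructed sample of /var/log/asterisk/messages (documentation addresses, not real traffic)
SAMPLE_LOG = """\
[2018-03-02 04:20:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2018-03-02 04:20:05] NOTICE[1234][C-00000001] chan_sip.c: Call from '' (198.51.100.8:5060) to extension '00111222333' rejected because extension not found in context 'unauthenticated'.
[2018-03-02 04:20:09] SECURITY[1240] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-03-02T04:20:09.000+0100",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",LocalAddress="IPV4/UDP/203.0.113.10/5060",RemoteAddress="IPV4/UDP/198.51.100.9/5060",ReceivedHash="deadbeef"
[2018-03-02 04:20:12] WARNING[1234][C-00000002] pbx.c: fail2ban='198.51.100.8'
[2018-03-02 04:20:15] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
"""

TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def compile_filter(host_tag=HOST_LEGACY):
    """Expand <HOST> the way fail2ban does and compile every failregex line."""
    return [re.compile(p.replace("<HOST>", host_tag)) for p in FAILREGEX]


def match_line(line, patterns):
    """Return the captured host for the first matching failregex, else None."""
    for rx in patterns:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(log_text, host_tag=HOST_LEGACY, maxretry=1, findtime=86400):
    """Replay the log through the filter and apply the jail's maxretry/findtime.

    Returns the hosts that would be banned, in the order the bans would fire.
    maxretry=1 and findtime=86400 are the values from the jail.conf in the post.
    """
    patterns = compile_filter(host_tag)
    recent = defaultdict(list)  # host -> timestamps of failures inside findtime
    banned = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP.match(line)
        host = match_line(line, patterns)
        if not ts_match or host is None:
            continue
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for name, tag in (("legacy \\S+ alias", HOST_LEGACY), ("strict alias", HOST_STRICT)):
        print(f"{name}: would ban {scan(SAMPLE_LOG, tag)}")
```

Run as-is, the legacy \S+ alias reports "198.51.100.8:5060" as the host for the "Call from" line, because \S+ runs straight through the colon and the optional port group then matches nothing; that string is not a bare address and is not what an iptables action wants. The stricter alias stops at the colon and lets the port group consume ":5060", so the same address is counted once from the "Call from" line and again from the dialplan's fail2ban= warning. fail2ban-regex against the real messages file gives the same kind of answer for the full filter.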