<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I have added this line for Asterisk 1.8 (I have allowguest=yes and context=default in sip.conf):<br>
NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected because extension not found in context 'default'.<br>
<br>
On 29-12-2011 13:03, Patrick Lists wrote:<br>
<div><div></div><div class="h5">> Hi,<br>
><br>
> In the thread "Interesting attack tonight & fail2ban them" Bruce B mentioned it would be nice to have input from the Community to come up with the best set of fail2ban filters. That's a great idea. So let's start with Bruce's filters (thanks!) and take it from there. Anyone have any improvements and/or additions? Apologies for the line wrap. No idea how to prevent that in Thunderbird. The filters are also at <a href="http://pastebin.com/6T9M1W3F" target="_blank">http://pastebin.com/6T9M1W3F</a><br>
><br>
> Not sure but it may be possible that logging has changed between Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version with your filters.<br>
><br>
> For Asterisk 1.8:<br>
><br>
> failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password<br>
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found<br>
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL<br>
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch<br>
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register<br>
> NOTICE.* <HOST> failed to authenticate as '.*'$<br>
> NOTICE.* .*: No registration for peer '.*' (from <HOST>)<br>
> NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)<br>
> VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')<br>
><br>
><br>
> There are 2 lines that I have which are not in this list:<br>
><br>
> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)<br>
> NOTICE.* .*: Failed to authenticate user .*@<HOST>.*<br>
><br>
> How about those (no idea for which Asterisk version they are)?<br>
><br>
> Regards,<br>
> Patrick<br></div></div></blockquote><div><br></div><div>Thanks Patrick. This is a great initiative. Let's all build the strongest and most detailed filter possible. I actually looked at mine and now see that it has weaknesses due to Asterisk 1.8.8x giving different types of logs, or maybe FreePBX. Let's test, fix and append to the end of the filter. Everyone is welcome to contribute.</div>
<div><br></div><div><font face="arial, sans-serif">So far we have:</font></div><div><br></div><span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"><b>For Asterisk 1.8:</b></span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"> NOTICE.* <HOST> failed to authenticate as '.*'$</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"> NOTICE.* .*: No registration for peer '.*' (from <HOST>)</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<span style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)"> NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)</span><br style="font-size:13px;font-family:arial,sans-serif;background-color:rgb(255,255,255)">
<div><span style="background-color:rgb(255,255,255);font-family:arial,sans-serif;font-size:13px"> VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')</span> <b>#Outdated?</b></div>
<div> #<b>Situation:</b> <span style="background-color:rgb(255,255,255)"><font size="2" style="font-family:arial,sans-serif">allowguest=yes and context=default in sip.conf - </font><b><font face="arial, helvetica, sans-serif">Tested by </font></b></span><span style="background-color:rgb(255,255,255);text-align:left;white-space:nowrap"><b><font face="arial, helvetica, sans-serif">Diego Aguirre?</font></b></span></div>
<div> <span style="background-color:rgb(255,255,255);font-family:arial,sans-serif;font-size:14px">NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected because extension not found in context 'default'</span></div>
<div><br></div><div>The following are what I found to be insecure but need escaping and fine-tuning to work with the filter:</div><div><br></div><div><b>Asterisk 1.8 + FreePBX:</b></div><div><b>Situation:</b> When the target is coming in from an unknown DID - needs character escaping</div>
<div>Executing [unknown@from-sip-external:1] NoOp("SIP/10.0.0.6-00000001", "Received incoming SIP connection from unknown peer to unknown") in new stack</div><div><br></div><div><b>Situation:</b> Same as above except that an extension is called. The above was just an IP call. Extension 011x doesn't exist.</div>
<div>Executing [0115666666@from-sip-external:1] NoOp("SIP/10.0.0.6-00000003", "Received incoming SIP connection from unknown peer to 0115666666") in new stack</div><div><br></div><div><b>Situation: </b>Same as above except that extension 101 does exist, but the system still rejects calls because no guests are allowed?!</div>
<div>Executing [101@from-sip-external:1] NoOp("SIP/10.0.0.6-00000005", "Received incoming SIP connection from unknown peer to 101") in new stack</div><div><br></div><div>*All of the above have the following, which can be used as a universal filter: <b>Executing [s@from-sip-external:8] Playback("SIP/10.0.0.6-00000005", "ss-noservice") in new stack </b></div>
<div><b><br></b></div><div>***Notice how this ss-noservice line is different from the current, outdated filter one:</div><div><span style="font-family:arial,sans-serif;font-size:14px;background-color:rgb(255,255,255)"><b>VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')</b></span></div>
<div><br></div><div>-Bruce </div></div>
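<div>Added example (not part of the thread, not fail2ban's or Asterisk's own code): a small Python harness that expands <code>&lt;HOST&gt;</code> the way a fail2ban failregex is expanded, runs a few of the patterns discussed above over constructed Asterisk 1.8 log lines, and counts hits per host. It shows why the escaping Bruce mentions matters: Diego's "Call from" pattern as posted treats the parentheses around <code>&lt;HOST&gt;</code> as a regex group and never matches, while the escaped form extracts the peer address. Assumptions: the <code>HOST_RE</code> expansion is a simplified IPv4-only stand-in for fail2ban's real one, the log lines (including the <code>:5060</code> port suffix) are constructed rather than captured, and 198.51.100.7 / 192.0.2.10 are documentation addresses.</div>

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion. Assumption: the real
# fail2ban pattern also accepts hostnames and IPv6; this one accepts IPv4 only,
# which is what Asterisk chan_sip prints in the messages discussed here.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed Asterisk 1.8 log lines (not captured from a real system).
# 198.51.100.7 is a documentation address standing in for the remote peer.
SAMPLE_LOG = [
    "[2011-12-29 13:05:12] NOTICE[2419] chan_sip.c: Registration from "
    "'\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[2011-12-29 13:05:13] NOTICE[2419] chan_sip.c: Call from '' (198.51.100.7:5060) "
    "to extension '0115666666' rejected because extension not found in context 'default'.",
    "[2011-12-29 13:05:14] VERBOSE[2420] pbx.c:     -- Executing [s@from-sip-external:8] "
    "Playback(\"SIP/198.51.100.7-00000005\", \"ss-noservice\") in new stack",
    # A legitimate internal call: must never produce a hit.
    "[2011-12-29 13:05:15] VERBOSE[2420] pbx.c:     -- Executing [s@from-internal:1] "
    "Playback(\"SIP/203-00000006\", \"hello-world\") in new stack",
]

# Diego's pattern exactly as posted: the parentheses around <HOST> are a regex
# group, not literal characters, so the literal "(" in the log breaks the match.
CALL_REJECTED_AS_POSTED = (
    r"NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected because "
    r"extension not found in context 'default'"
)

# Same pattern with the parentheses escaped and the port suffix made optional
# (assumption: Asterisk 1.8 appends ":port" to the address in this message).
CALL_REJECTED_ESCAPED = (
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' "
    r"rejected because extension not found in context 'default'"
)

# One of Patrick's registration patterns, unchanged.
REGISTRATION_WRONG_PASSWORD = (
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password"
)

# Bruce's FreePBX "ss-noservice" line with [ ] ( ) escaped; the suffix after
# the address is the per-channel counter Asterisk prints in hex.
SS_NOSERVICE_FREEPBX = (
    r'Executing \[s@from-sip-external:[0-9]+\] '
    r'Playback\("SIP/<HOST>-[0-9a-f]+", "ss-noservice"\) in new stack'
)


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does (simplified) and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def failures_per_host(failregexes, lines):
    """Count matches per host across all patterns, which is what fail2ban
    compares against maxretry before deciding to ban."""
    hits = Counter()
    for pattern in failregexes:
        hits.update(matched_hosts(pattern, lines))
    return hits


if __name__ == "__main__":
    print("Call pattern as posted :", matched_hosts(CALL_REJECTED_AS_POSTED, SAMPLE_LOG))
    print("Call pattern escaped   :", matched_hosts(CALL_REJECTED_ESCAPED, SAMPLE_LOG))
    print("Failures per host      :", failures_per_host(
        [CALL_REJECTED_ESCAPED, REGISTRATION_WRONG_PASSWORD, SS_NOSERVICE_FREEPBX],
        SAMPLE_LOG))
```

<div>Running it prints an empty list for the pattern as posted and <code>['198.51.100.7']</code> for the escaped one; the internal <code>from-internal</code> line never counts against anyone. The same idea can be applied to any new pattern proposed in this thread before it goes into a live jail: feed it a line you know should match, a line you know should not, and check both.</div>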