
<html>

  <head>

    <meta content="text/html; charset=windows-1252"

      http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <div class="moz-cite-prefix">Am 15.09.2014 um 15:26 schrieb Matthew

      Jordan:<br>

    </div>

    <blockquote

cite="mid:CAN2PU+5w8cECb72PnNMKmUSPq1A83bbi0L_ZHcDA84NkZemcPA@mail.gmail.com"

      type="cite">

      <div dir="ltr">

        <div class="gmail_extra"><br>

          <div class="gmail_quote">On Mon, Sep 15, 2014 at 6:21 AM,

            Patrick Laimbock <span dir="ltr"><<a

                moz-do-not-send="true"

                href="mailto:patrick@laimbock.com" target="_blank">patrick@laimbock.com</a>></span>

            wrote:<br>

            <blockquote class="gmail_quote" style="margin:0px 0px 0px

              0.8ex;border-left:1px solid

              rgb(204,204,204);padding-left:1ex">Hi Rainer,<span

                class=""><br>

                <br>

                On 15-09-14 09:07, Rainer Piper wrote:<br>

                <blockquote class="gmail_quote" style="margin:0px 0px

                  0px 0.8ex;border-left:1px solid

                  rgb(204,204,204);padding-left:1ex">

                  Hi,<br>

                  <br>

                  Info !!! not a question !!!<br>

                  <br>

                  the pjsip logger is different:<br>

                  <br>

                  [Sep 15 07:33:27] NOTICE[65267]

                  res_pjsip/pjsip_distributor.c: Request<br>

                  from '"1001" <<a moz-do-not-send="true"

                    href="mailto:sip%3A1001@81.20.137.222"

                    target="_blank">sip:1001@81.20.137.222</a>>'

                  failed for '<a moz-do-not-send="true"

                    href="http://85.25.197.23:5071" target="_blank">85.25.197.23:5071</a>'<br>

                  (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No

                  matching endpoint found<br>

                  <br>

                  and here the RegEx for fail2ban to catch this log:<br>

                  <br>

                  |NOTICE.* .*: Request from '.*' failed for

                  '<HOST>(:[0-9]{1,5})?' (.*) -<br>

                  No matching endpoint found<br>

                </blockquote>

                <br>

              </span>

              Thanks for sharing. If you use github it would be nice if

              you could submit a pull request so that it becomes part of

              the Asterisk rules in the next Fail2ban version (0.9.1).<br>

              <br>

              <a moz-do-not-send="true"

                href="https://github.com/fail2ban/fail2ban/pulls"

                target="_blank">https://github.com/fail2ban/fail2ban/pulls</a><br>

              <br>

              HTH,<br>

              Patrick<span class=""><font color="#888888"><br>

                </font></span></blockquote>

            <div><br>

              <br>

            </div>

            <div>Why would you not use the SECURITY log format, which

              have the exact same format between chan_sip and

              chan_pjsip, and have a consistent format from Asterisk

              10+? <br>

              <br>

              <a moz-do-not-send="true"

href="https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger">https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger</a><br>

            </div>

          </div>

          <br>

          -- <br>

          <div dir="ltr">

            <div>Matthew Jordan<br>

            </div>

            <div>Digium, Inc. | Engineering Manager</div>

            <div>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA</div>

            <div>Check us out at: <a moz-do-not-send="true"

                href="http://digium.com" target="_blank">http://digium.com</a>

              & <a moz-do-not-send="true"

                href="http://asterisk.org" target="_blank">http://asterisk.org</a></div>

          </div>

        </div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

    </blockquote>

    <br>

    Thanks for security_log => security<br>

    <br>

    Ok ... I switched the <br>

    security_log => security<br>

    in logger.conf on and I'm going to write a RegEx for Fail2ban.<br>

    <br>

    log sample - security log of wrong password:<br>

    [Sep 15 15:51:26] SECURITY[17378] res_security_log.c:

SecurityEvent="ChallengeResponseFailed",EventTV="2014-09-15T15:51:26.126+0200",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="7002",SessionID=<a class="moz-txt-link-rfc2396E" href="mailto:80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10">"80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10"</a>,LocalAddress="IPV4/UDP/178.5.154.91/5072",RemoteAddress="IPV4/UDP/192.168.8.10/6012",Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""<br>

    <br>

    <div class="moz-signature">-- <br>

      <b>Rainer Piper</b>

      <br>

      Integration engineer

      <br>

      Koeslinstr. 56

      <br>

      53123 BONN <br>

      GERMANY

      <br>

      Phone: <a href="callto:004922897167161" nr="+4922897167161"

        class="telified" title="Als Telefonnummer verwenden"

style="color:#00001f;background-color:#ffffdf;-moz-border-radius:3px;cursor:pointer">+49

        228 97167161</a>

      <br>

      P2P: <a class="moz-txt-link-freetext" href="sip:rainer@sip.soho-piper.de:5072">sip:rainer@sip.soho-piper.de:5072</a> (pjsip-test)

      <br>

      XMPP: <a class="moz-txt-link-abbreviated" href="mailto:rainer@xmpp.soho-piper.de">rainer@xmpp.soho-piper.de</a></div>

  </body>

</html>