<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>If this is a small site, I recommend you download the free version of SecAst (<a href="http://www.telium.ca">www.telium.ca</a>) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match, etc. Instead it talks to Asterisk through the AMI to extract security information. Messing with regexes is a losing battle, and the lag in reading logs can allow an attacker 100+ registration attempts before fail2ban even does anything (assuming the IP is exposed in the Asterisk log).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>If this is a large install then post in the commercial list for more information.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>-Raj-<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] <b>On Behalf Of </b>Tech Support<br><b>Sent:</b> Wednesday, March 1, 2017 2:37 PM<br><b>To:</b> 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users@lists.digium.com><br><b>Subject:</b> Re: [asterisk-users] fail2ban Asterisk 13.13.1<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>It's possible that you need to increase the value of ‘findtime’ to something greater than 300 secs. You also may want to set “timestamp = yes” in asterisk.conf so each line in the CLI will be time stamped. 
Time stamping it will be the definitive determination on whether or not the ‘findtime’ is the culprit.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Regards;<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>John V. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> <a href="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</a> [<a href="mailto:asterisk-users-bounces@lists.digium.com">mailto:asterisk-users-bounces@lists.digium.com</a>] <b>On Behalf Of </b>Motty Cruz<br><b>Sent:</b> Wednesday, March 01, 2017 01:29 PM<br><b>To:</b> 'Asterisk Users Mailing List - Non-Commercial Discussion'<br><b>Subject:</b> [asterisk-users] fail2ban Asterisk 13.13.1<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hello, fail2ban does not ban offending IP. 
<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>NOTICE[29784] chan_sip.c: Registration from '"user3"&lt;sip:1005@asterisk-ip:5060&gt;' failed for 'offending-IP:53417' - Wrong password<o:p></o:p></p><p class=MsoNormal>NOTICE[29784] chan_sip.c: Registration from '"user3"&lt;sip:1005@asterisk-ip:5060&gt;' failed for 'offending-IP:53911' - Wrong password<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># A host is banned if it has generated "maxretry" during the last "findtime"<o:p></o:p></p><p class=MsoNormal># seconds.<o:p></o:p></p><p class=MsoNormal>findtime = 300<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[asterisk-iptables]<o:p></o:p></p><p class=MsoNormal>enable = true<o:p></o:p></p><p class=MsoNormal>port = 5060,5061<o:p></o:p></p><p class=MsoNormal>filter = asterisk<o:p></o:p></p><p class=MsoNormal>action = iptables-allports[name=ASTERISK, protocol=all]<o:p></o:p></p><p class=MsoNormal> sendmail[name=ASTERISK, dest=motty@email.com, sender=fail2ban@asterisk-ip.com]<o:p></o:p></p><p class=MsoNormal>#action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]<o:p></o:p></p><p class=MsoNormal> %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]<o:p></o:p></p><p class=MsoNormal> %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]<o:p></o:p></p><p class=MsoNormal>logpath = /var/log/asterisk/messages<o:p></o:p></p><p class=MsoNormal>maxretry = 3<o:p></o:p></p><p class=MsoNormal>findtime = 300<o:p></o:p></p><p class=MsoNormal>bantime = -1<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>in filter.d<o:p></o:p></p><p 
class=MsoNormal>asterisk.conf<o:p></o:p></p><p class=MsoNormal>failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$<o:p></o:p></p><p class=MsoNormal> ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? 
ACL|(?:Failed|Error) to authenticate)\s*$<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL<o:p></o:p></p><p class=MsoNormal> NOTICE.* <HOST> failed to authenticate as '.*'$<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Failed to authenticate user .*@<HOST>.*<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Sending fake auth rejection for device .*\&lt;sip:.*\@<HOST>\&gt;;tag=.*<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found<o:p></o:p></p><p class=MsoNormal> NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>ignoreregex =<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks<o:p></o:p></p><p 
class=MsoNormal>Motty<o:p></o:p></p></div></body></html>
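Added as an illustration of the thread's two questions (does the failregex match a 'host:port' line, and does findtime let three hits count as one burst); this is editor-written Python, not code from the thread or from fail2ban itself. It assumes a simplified IPv4-only expansion of <HOST>, an ISO-style timestamp prefix, and constructed log lines with documentation-range IPs.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a capture group covering IPv4/IPv6/hostnames;
# this assumed, simplified version only covers dotted IPv4 addresses.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two shapes of the "Wrong password" rule seen in the posted filter:
# the packaged one permits an optional ':port' after the host, the
# hand-written one in the second failregex block does not.
REGEX_WITH_PORT = r"Registration from '[^']*' failed for '" + HOST + r"(?::\d+)?' - Wrong password"
REGEX_NO_PORT = r"Registration from '[^']*' failed for '" + HOST + r"' - Wrong password"

# Constructed sample lines in the shape of those quoted in the thread
# (documentation-range IPs and made-up timestamps, not real log data).
SAMPLE_LOG = [
    "[2017-03-01 14:20:01] NOTICE[29784] chan_sip.c: Registration from '\"user3\"<sip:1005@203.0.113.10:5060>' failed for '198.51.100.7:53417' - Wrong password",
    "[2017-03-01 14:20:03] NOTICE[29784] chan_sip.c: Registration from '\"user3\"<sip:1005@203.0.113.10:5060>' failed for '198.51.100.7:53911' - Wrong password",
    "[2017-03-01 14:20:09] NOTICE[29784] chan_sip.c: Registration from '\"user3\"<sip:1005@203.0.113.10:5060>' failed for '198.51.100.7:54002' - Wrong password",
]
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

def failures(lines, failregex):
    """Return (timestamp, host) for every line the failregex matches."""
    pat = re.compile(failregex)
    found = []
    for line in lines:
        m = pat.search(line)
        if m:
            ts = datetime.strptime(TIMESTAMP.match(line).group(1), "%Y-%m-%d %H:%M:%S")
            found.append((ts, m.group("host")))
    return found

def hosts_to_ban(lines, failregex, maxretry=3, findtime=300):
    """Sliding-window count in the spirit of fail2ban's jail logic: a host is
    banned once it has maxretry matches within the last findtime seconds."""
    window = timedelta(seconds=findtime)
    recent_by_host = {}
    banned = set()
    for ts, host in sorted(failures(lines, failregex)):
        recent = [t for t in recent_by_host.get(host, []) if ts - t <= window] + [ts]
        recent_by_host[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print("with port allowance:", hosts_to_ban(SAMPLE_LOG, REGEX_WITH_PORT))
    print("without port allowance:", hosts_to_ban(SAMPLE_LOG, REGEX_NO_PORT))
```

The same check against the real filter and log is what `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` does; note that a second `failregex =` assignment in a filter file replaces the first rather than extending it.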