[asterisk-users] sip attack.. fail2ban not stopping attack

dave george dgeorge at teletoneinc.com
Mon Dec 27 15:20:13 UTC 2010


jail.conf
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime = 259200


filter asterisk.conf
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =


logger.conf
[general]
;
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
;
; see strftime(3) Linux manual for format specifiers.  Note that there is also
; a fractional second parameter which may be used in this field.  Use %1q
; for tenths, %2q for hundredths, etc.
;
dateformat=%F %T       ; ISO 8601 date format
;dateformat=%F %T.%3q   ; with milliseconds

Dave
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Daniel Tryba
Sent: Monday, December 27, 2010 5:16 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] sip attack.. fail2ban not stopping attack

On Sat, Dec 25, 2010 at 04:04:59PM -0700, Dave George wrote:
> My server is being attacked all day and fail2ban is not stopping the
> attack.  I updated the timestamp to match fail2ban requirements.

How about posting your fail2ban config?

-- 

   Daniel Tryba

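To check a filter like the one posted above offline, here is an added Python script (not part of the thread and not fail2ban's own code) that applies the posted failregex lines, with <HOST> expanded exactly as the filter comment describes, to a few constructed Asterisk log lines written in the %F %T date format from logger.conf. It counts failures per captured host, reports which hosts reach maxretry = 5, and flags any captured host that is not a plain IP address, because iptables-allports can never ban such a value. The log lines, addresses, and the sample line whose host carries a :5060 port suffix are constructed for this example and are assumptions, not output from the poster's server.

```python
import ipaddress
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with this group (quoted in the filter comment)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines from the posted filter, each joined onto one line
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# With logger.conf dateformat=%F %T Asterisk prefixes every line with "[YYYY-MM-DD HH:MM:SS] "
TIMESTAMP_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] ")

# Constructed sample log (TEST-NET addresses, not real traffic). The last NOTICE line
# assumes an Asterisk build that appends the source port to the address.
SAMPLE_LOG = """\
[2010-12-27 15:10:01] NOTICE[2345] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-12-27 15:10:02] NOTICE[2345] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-12-27 15:10:03] NOTICE[2345] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '203.0.113.7' - Username/auth name mismatch
[2010-12-27 15:10:04] NOTICE[2345] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '203.0.113.7' - Device does not match ACL
[2010-12-27 15:10:05] NOTICE[2345] chan_sip.c: 203.0.113.7 failed to authenticate as '104'
[2010-12-27 15:10:06] WARNING[2345] chan_sip.c: Retransmission timeout reached on transmit of 1234@192.0.2.10
[2010-12-27 15:10:07] NOTICE[2345] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.9' - Wrong password
[2010-12-27 15:10:08] NOTICE[2345] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.42:5060' - Wrong password
"""


def match_failure(line):
    """Return the <host> group captured by the first matching failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def is_bannable(host):
    """iptables-allports can only act on a literal IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan(log_text, maxretry=5):
    """Replay the jail over a log. Returns (failure count per captured host,
    bannable hosts that reached maxretry, captured values that are not IP addresses)."""
    counts = Counter()
    unbannable = []
    for line in log_text.splitlines():
        # A match without a timestamp fail2ban can read is ignored, which is why
        # the poster changed the date format; this script accepts only the %F %T form.
        if not TIMESTAMP_RE.match(line):
            continue
        host = match_failure(line)
        if host is None:
            continue
        counts[host] += 1
        if not is_bannable(host) and host not in unbannable:
            unbannable.append(host)
    to_ban = sorted(h for h, n in counts.items() if n >= maxretry and is_bannable(h))
    return counts, to_ban, unbannable


if __name__ == "__main__":
    counts, to_ban, unbannable = scan(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{host:24} {n} failure(s)")
    print("would be banned:", to_ban)
    print("captured but not an IP address (never banned):", unbannable)
```

The real tool for the same check is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`; the value of the script above is that it shows explicitly what the `host` group contains for each matching line, so a value such as `198.51.100.42:5060` is visible as the reason a jail can match every failure and still ban nothing.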