[asterisk-users] Interesting attack tonight & fail2ban them
Bruce B
bruceb444 at gmail.com
Wed Dec 28 23:45:33 CST 2011
You mentioned the IP, 208.122.57.58; where did you get that from?
The following are the defaults for Asterisk 1.8 (it would be great to have
others' input on this to strengthen this part of the filter):
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
Regards,
On Wed, Dec 28, 2011 at 11:50 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote:
> I just realized there is no IP (host) in the message line, so no way for
> fail2ban to catch it.
>
> Other suggestions? Or will I have to code something into my dialplan....
>
>
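
Added example (not part of the original message, and not fail2ban's own code): a subset of the failregex lines above, run in Python over constructed log lines to show which lines yield a host to ban and why a line that carries no source address cannot be caught by any pattern. The `HOST` expression is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag; the log lines and addresses are constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the
# real tag also accepts hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# A subset of the failregex lines from the post. Parentheses that are literal
# in the log text are escaped here so they do not act as regex groups.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]

def compile_rules(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def offending_host(line, rules):
    """Return the address the first matching rule extracts, or None."""
    for rx in rules:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

# Constructed log lines (not from the thread); addresses are RFC 5737 ranges.
SAMPLE_LOG = [
    "[2011-12-28 23:10:01] NOTICE[2041] chan_sip.c: Registration from "
    "'\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password",
    "[2011-12-28 23:10:02] NOTICE[2041] chan_sip.c: Registration from "
    "'<sip:admin@192.0.2.10>' failed for '203.0.113.8' - No matching peer found",
    "[2011-12-28 23:10:03] NOTICE[2041] chan_iax2.c: No registration for peer "
    "'guest' (from 198.51.100.23)",
    # No source address anywhere in the line, so no rule can yield a host to ban.
    "[2011-12-28 23:10:04] NOTICE[2041] chan_sip.c: Failed to authenticate user "
    "\"100\" <sip:100@pbx.example.invalid>;tag=as1f2e3d",
]

def scan(lines, patterns=FAILREGEX):
    rules = compile_rules(patterns)
    return [offending_host(line, rules) for line in lines]

if __name__ == "__main__":
    for line, host in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(f"{host or 'NO MATCH':<15} {line}")
```

The first sample line also contains an address inside the From header; the pattern takes the host only from the text after "failed for", so the header value is not what gets banned.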