[asterisk-users] Weird IPs in Fail2ban list

asterisk jobs asteriskcoding at gmail.com
Fri Feb 10 15:26:49 CST 2012


I can't see those IPs in the /var/log/asterisk/full. I can't even see
parts of the IP address as I try grep -o "23.20.189" full. That is still
nothing.

I am wondering what is wrong here. This is my regex filter file:


failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
            .* <SIP/<HOST>-.*> Playing 'ss-noservice.gsm' .*


Thanks,

On Fri, Jan 27, 2012 at 2:16 AM, Mikhail Lischuk <mlischuk at itx.com.ua> wrote:

> asterisk jobs wrote on 27.01.2012 06:49:
>
> Hello everyone,
> I have noticed getting weird IPs blocked by Fail2ban. Has anyone else seen
> this or can explain this?
> Chain fail2ban-ASTERISK (1 references)
> num  target     prot opt source               destination
> 1    DROP       all  --  0.23.20.189          0.0.0.0/0
> I also get things like 0.0.5.2, etc. Fail2ban seems to be working
> when I am testing. Are these numbers taken from the SIP packet or the
> TCP/IP protocol source because they surely are not valid addresses.
> Thanks
>
> Did you find those IPs in Asterisk log?
>
> If so - it isn't a Fail2Ban problem, for it just parses logs and extracts
> a substring
>
>
>
> --
> With Best Regards
> Mikhail Lischuk <mlischuk at itx.com.ua>
>
>
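
An added illustration, not part of the thread and not fail2ban's own code: the two 'ss-noservice' rules in the filter take <HOST> from the channel name after SIP/, so an all-digit peer name is captured as the host, and read as a 32-bit integer (as inet_aton-style resolvers do) 1512637 is 0.23.20.189 and 1282 is 0.0.5.2. The HOST pattern is an assumed stand-in for what fail2ban substitutes for <HOST>, and the log lines are constructed.

```python
import re
import socket
import struct

# Assumption: stand-in for the group fail2ban substitutes for <HOST>.
# It accepts any hostname-like token, not only dotted quads.
HOST = r"(?P<host>[\w\-.^_]+)"

# Last rule of the filter above, with <HOST> expanded.
RULE = re.compile(
    r".* <SIP/<HOST>-.*> Playing 'ss-noservice.gsm' .*".replace("<HOST>", HOST)
)
DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed sample lines in the style of /var/log/asterisk/full.
SAMPLE_LOG = [
    "[2012-01-27 06:40:01] VERBOSE[1234] app_playback.c: -- "
    "<SIP/1512637-0000002a> Playing 'ss-noservice.gsm' (language 'en')",
    "[2012-01-27 06:41:12] VERBOSE[1234] app_playback.c: -- "
    "<SIP/1282-0000002b> Playing 'ss-noservice.gsm' (language 'en')",
    "[2012-01-27 06:42:30] VERBOSE[1234] app_playback.c: -- "
    "<SIP/203.0.113.7-0000002c> Playing 'ss-noservice.gsm' (language 'en')",
]

def captured_host(line):
    """Return the token the rule would hand over as the host, or None."""
    m = RULE.search(line)
    return m.group("host") if m else None

def numeric_name_to_ip(token):
    """Dotted quad for a plain decimal name read as one 32-bit number."""
    if not token.isdigit() or (len(token) > 1 and token[0] == "0"):
        return None  # leading-zero (octal) and non-numeric names not handled
    value = int(token)
    if value > 0xFFFFFFFF:
        return None
    return socket.inet_ntoa(struct.pack("!I", value))

def explain(line):
    """(captured token, address that would end up banned) for one log line."""
    host = captured_host(line)
    if host is None:
        return None
    if DOTTED_QUAD.match(host):
        return (host, host)
    return (host, numeric_name_to_ip(host))

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(explain(entry))
```

Searching the log for the integer form of a banned address (here 1512637 rather than 23.20.189) shows whether a channel name is the source of the entry.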