[asterisk-users] Asterisk 11 security log, fail2ban, drive-by SIP attacks
Patrick Lists
asterisk-list at puzzled.xs4all.nl
Mon Jul 8 10:11:31 CDT 2013
On 07/08/2013 01:46 PM, Giles Coochey wrote:
> Just a note that I did a little work to extend FreePBX distro with some
> extra Fail2Ban which deals with some drive-by SIP registration attempts.
>
> My regex is poor to middling, but the steps detailed here:
> http://www.coochey.net/?p=61 manage to stop IPs which try to
> authenticate against Asterisk which FreePBX were not able to stop before.
>
> I would welcome any improvements anyone would care to submit and I'll
> extend the article a little.
>
> The changes need the Asterisk security log feature, which I think was
> only introduced in later versions of Asterisk (e.g. v11).
It seems your rule is not yet present in fail2ban 0.8.10.0. The only one
close to it is:
SECURITY%(__pid_re)s [^:]+:
SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$
See
https://github.com/fail2ban/fail2ban/blob/0.8.10/config/filter.d/asterisk.conf
Might be an idea to submit it for future inclusion.
Regards,
Patrick
More information about the asterisk-users
mailing list