[asterisk-users] SEMI OFF-TOPIC - Fail2ban
ricky gutierrez
xserverlinux at gmail.com
Thu Jan 8 15:37:51 CST 2015
Hi list , someone on the list has seen this type of connection
attempts in asterisk, fail2ban does not stop
2015-01-08 14:59:47] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100 at 173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102 at 173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"
I modified the fail2ban with the filter, but still not detected
asterisk.conf
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Wrong password$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - No matching peer found$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Username/auth name mismatch$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Device does not match ACL$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Peer is not supposed to register$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - ACL error \(permit/deny\)$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Not a local domain$
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to
extension '\d+' rejected because extension not found in context
'default'
\.$
^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(log_prefix)s Host <HOST> failed MD5 authentication for
'[^']*' \([^)]+\)$
^%(log_prefix)s Failed to authenticate (user|device)
[^@]+@<HOST>\S*$
^%(log_prefix)s (?:handle_request_subscribe: )?Sending
fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*
$
^%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severit
y="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",Rem
oteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
ignoreregex =
--
rickygm
http://gnuforever.homelinux.com
More information about the asterisk-users
mailing list