[asterisk-users] Fail2ban

Gokan Atmaca linux.gokan at gmail.com
Sun Sep 13 11:22:21 CDT 2015


>>
>> I'm using Fail2ban. My configuration is below. I want to try to
>> prevent continuous password attempts. Fail2ban does not prevent
>> password attempts of this form. (Asterisk 1.8 / Elastix interface)
>>

Hi,

Asterisk version 1.8
Fail2ban version 0.8.14
  config: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf

But it does not prevent it.





On Sun, Sep 13, 2015 at 7:11 PM, Carlos Chavez <cursor at telecomabmex.com> wrote:
> On 2015-09-13 10:16, Gokan Atmaca wrote:
>>
>> Hello
>>
>> I'm using Fail2ban. My configuration is below. I want to try to
>> prevent continuous password attempts. Fail2ban does not prevent
>> password attempts of this form. (Asterisk 1.8 / Elastix interface)
>>
>> What could be the problem ?
>>
>> Asterisk log;
>> "Registration from '<sip:3060 at sip.x.eu;transport=UDP>' failed for
>> 'x.x.x.x:32956' - Wrong password"
>>
>>
>> Fail2ban asterisk filter;
>>
>> # Fail2Ban filter for asterisk authentication failures
>> #
>>
>> [INCLUDES]
>>
>> # Read common prefixes. If any customizations available -- read them from
>>
>> # common.local
>> before = common.conf
>>
>>
>> [Definition]
>>
>> _daemon = asterisk
>>
>> __pid_re = (?:\[\d+\])
>>
>> # All Asterisk log messages begin like this:
>> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
>> \S+:\d*( in \w+:)?
>>
>> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
>> from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
>> password|Username/auth name mismatch|No m$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
>> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
>> not found in context 'de$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed to authenticate as '[^']*'$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
>> for peer '[^']*' \(from <HOST>\)$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed MD5 authentication for '[^']*' \([^)]+\)$
>>   ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
>> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
>> not found in context 'de$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed to authenticate as '[^']*'$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
>> for peer '[^']*' \(from <HOST>\)$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed MD5 authentication for '[^']*' \([^)]+\)$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
>> authenticate (user|device) [^@]+@<HOST>\S*$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
>> (?:handle_request_subscribe: )?Sending fake auth rejection for
>> (device|user) \d*<sip:[^@]+@<HOST>>;tag=$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
>>
>> SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
>>
>> ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
>> )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
>>
>> ignoreregex =
>>
>>
>> # Author: Xavier Devlamynck / Daniel Black
>> #
>> # General log format - main/logger.c:ast_log
>> # Address format - ast_sockaddr_stringify
>> #
>> # First regex: channels/chan_sip.c
>> #
>> # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
>
>
>      In the fail2ban website they have several versions of asterisk.conf
> depending on the version of Asterisk you are using.  If you have the latest
> fail2ban that one has the version for Asterisk 11.  Go there and download
> the correct version for your setup.
>
> --
> Telecomunicaciones Abiertas de México S.A. de C.V.
> Carlos Chávez
> dCAP #1349
> +52 (55)9116-91161
>
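
One way to check offline whether a failregex like the one quoted in this thread matches a given log line, as an added example that is not part of the thread or of fail2ban's own code. It expands `log_prefix` and the first `failregex` from the quoted filter and counts matches per host. Assumptions: `HOST_RE` is a simplified stand-in for fail2ban's `<HOST>` expansion, the `%(__prefix_line)s` alternative is left out, the alternation is narrowed to the two reasons visible before the truncation, and the sample lines are constructed and shown as they would look with the timestamp already removed from the brackets.

```python
import re
from collections import Counter

# Values copied from the filter quoted in the thread.
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? "
              r"\S+:\d*( in \w+:)?")
# First failregex, narrowed to the reasons visible before the truncation,
# and without the %(__prefix_line)s alternative (assumption, see lead-in).
FAILREGEX = (r"^(\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for "
             r"'<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch)$")

# Assumption: simplified stand-in for fail2ban's own <HOST> expansion.
HOST_RE = r"(?P<host>[\w.\-]+)"


def compile_failregex():
    """Expand the %(name)s references and <HOST> into one Python regex."""
    prefix = LOG_PREFIX.replace("%(__pid_re)s", PID_RE)
    pattern = FAILREGEX.replace("%(log_prefix)s", prefix)
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def failed_hosts(lines):
    """Count matching lines per captured host."""
    rx = compile_failregex()
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def over_limit(lines, maxretry):
    """Hosts whose match count reaches maxretry."""
    return sorted(h for h, n in failed_hosts(lines).items() if n >= maxretry)


# Constructed sample lines (documentation addresses), timestamps already removed.
MSG = "Registration from '<sip:3060@sip.example.test;transport=UDP>' failed for "
SAMPLE = [
    "[] NOTICE[1234] chan_sip.c: " + MSG + "'192.0.2.10:32956' - Wrong password",
    "[] NOTICE[1234] chan_sip.c: " + MSG + "'192.0.2.10:32957' - Wrong password",
    "[] NOTICE[1234] chan_sip.c: " + MSG + "'192.0.2.10:32958' - Wrong password",
    "[] NOTICE[1234][C-0000001a] chan_sip.c:25102 in handle_request_register: "
    + MSG + "'198.51.100.7:5060' - Wrong password",
    # Bare message without the log prefix: the anchored regex does not match.
    MSG + "'203.0.113.5:32956' - Wrong password",
]

if __name__ == "__main__":
    print(dict(failed_hosts(SAMPLE)), over_limit(SAMPLE, 3))
```

On a live system, fail2ban's own `fail2ban-regex` tool runs a filter file against a log file and reports which lines matched.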
