[asterisk-users] Fail2ban
Gokan Atmaca
linux.gokan at gmail.com
Mon Sep 14 01:14:09 CDT 2015
I solved the problem. "action.d/iptables-custom.conf" include only udp.
service fail2ban restart
Thank you.
On Sun, Sep 13, 2015 at 9:17 PM, Andres <andres at telesip.net> wrote:
> On 9/13/15 11:16 AM, Gokan Atmaca wrote:
>>
>> Hello
>>
>> I'm using the Fail2ban. I configuration below. I want to try to
>> prevent the continuous password. Fail2ban password that does not
>> prevent this form. (Asterisk 1.8 / Elastix interface)
>>
>> What could be the problem ?
>>
>> Asterisk log;
>> "Registration from '<sip:3060 at sip.x.eu;transport=UDP>' failed for
>> 'x.x.x.x:32956' - Wrong password"
>
> Sometimes minor tweaks to the file are in order. My suggestion is to use
> the fail2ban-regex utility to test the log file entry until it is detected.
> Just put the line generated by asterisk in a test file and then run the
> regex.
>
> # /usr/bin/fail2ban-regex -?
> Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
>
> example:
>
> /usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf
>
>
>
>
>
>>
>>
>> Fail2ban asterisk filter;
>>
>> # Fail2Ban filter for asterisk authentication failures
>> #
>>
>> [INCLUDES]
>>
>> # Read common prefixes. If any customizations available -- read them from
>>
>> # common.local
>> before = common.conf
>>
>>
>> [Definition]
>>
>> _daemon = asterisk
>>
>> __pid_re = (?:\[\d+\])
>>
>> # All Asterisk log messages begin like this:
>> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
>> \S+:\d*( in \w+:)?
>>
>> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
>> from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
>> password|Username/auth name mismatch|No m$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
>> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
>> not found in context 'de$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed to authenticate as '[^']*'$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
>> for peer '[^']*' \(from <HOST>\)$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed MD5 authentication for '[^']*' \([^)]+\)$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
>> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
>> not found in context 'de$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed to authenticate as '[^']*'$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
>> for peer '[^']*' \(from <HOST>\)$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>> failed MD5 authentication for '[^']*' \([^)]+\)$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
>> authenticate (user|device) [^@]+@<HOST>\S*$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
>> (?:handle_request_subscribe: )?Sending fake auth rejection for
>> (device|user) \d*<sip:[^@]+@<HOST>>;tag=$
>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
>>
>> SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
>>
>> ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
>> )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
>>
>> ignoreregex =
>>
>>
>> # Author: Xavier Devlamynck / Daniel Black
>> #
>> # General log format - main/logger.c:ast_log
>> # Address format - ast_sockaddr_stringify
>> #
>> # First regex: channels/chan_sip.c
>> #
>> # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
>>
>
>
> --
> Technical Support
> http://www.cellroute.net
>
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
More information about the asterisk-users
mailing list