[asterisk-users] Fail2ban
Gokan Atmaca
linux.gokan at gmail.com
Mon Sep 14 01:23:46 CDT 2015
Another problem is that the ban happens too late. The reason for this is insufficient CPU power. I'm simulating an attack, and of course it eats CPU. For one thing, it only bans now. In short, it must be strong: if it is eating our resources, that is a serious attack.
On Mon, Sep 14, 2015 at 9:14 AM, Gokan Atmaca <linux.gokan at gmail.com> wrote:
> I solved the problem. "action.d/iptables-custom.conf" include only udp.
> service fail2ban restart
>
> Thank you.
>
> On Sun, Sep 13, 2015 at 9:17 PM, Andres <andres at telesip.net> wrote:
>> On 9/13/15 11:16 AM, Gokan Atmaca wrote:
>>>
>>> Hello
>>>
>>> I'm using Fail2ban. My configuration is below. I want to try to
>>> prevent continuous password attempts. Fail2ban does not prevent
>>> this form of password attempt. (Asterisk 1.8 / Elastix interface)
>>>
>>> What could be the problem ?
>>>
>>> Asterisk log:
>>> "Registration from '<sip:3060@sip.x.eu;transport=UDP>' failed for
>>> 'x.x.x.x:32956' - Wrong password"
>>
>> Sometimes minor tweaks to the file are in order. My suggestion is to use
>> the fail2ban-regex utility to test the log file entry until it is detected.
>> Just put the line generated by asterisk in a test file and then run the
>> regex.
>>
>> # /usr/bin/fail2ban-regex -?
>> Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
>>
>> example:
>>
>> /usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf
>>
>>>
>>>
>>> Fail2ban asterisk filter:
>>>
>>> # Fail2Ban filter for asterisk authentication failures
>>> #
>>>
>>> [INCLUDES]
>>>
>>> # Read common prefixes. If any customizations available -- read them from
>>>
>>> # common.local
>>> before = common.conf
>>>
>>>
>>> [Definition]
>>>
>>> _daemon = asterisk
>>>
>>> __pid_re = (?:\[\d+\])
>>>
>>> # All Asterisk log messages begin like this:
>>> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
>>> \S+:\d*( in \w+:)?
>>>
>>> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
>>> from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
>>> password|Username/auth name mismatch|No m$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
>>> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
>>> not found in context 'de$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>>> failed to authenticate as '[^']*'$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
>>> for peer '[^']*' \(from <HOST>\)$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>>> failed MD5 authentication for '[^']*' \([^)]+\)$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
>>> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
>>> not found in context 'de$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>>> failed to authenticate as '[^']*'$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
>>> for peer '[^']*' \(from <HOST>\)$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
>>> failed MD5 authentication for '[^']*' \([^)]+\)$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
>>> authenticate (user|device) [^@]+@<HOST>\S*$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
>>> (?:handle_request_subscribe: )?Sending fake auth rejection for
>>> (device|user) \d*<sip:[^@]+@<HOST>>;tag=$
>>> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
>>>
>>> SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
>>>
>>> ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
>>> )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
>>>
>>> ignoreregex =
>>>
>>>
>>> # Author: Xavier Devlamynck / Daniel Black
>>> #
>>> # General log format - main/logger.c:ast_log
>>> # Address format - ast_sockaddr_stringify
>>> #
>>> # First regex: channels/chan_sip.c
>>> #
>>> # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
>>>
>>
>>
>> --
>> Technical Support
>> http://www.cellroute.net
>>
>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>> http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
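The suggestion in the thread is to feed the exact Asterisk log line to fail2ban-regex until the filter matches it. The script below is an added example (not part of the original thread, and not fail2ban's own code) that does the same job offline for the filter's first failregex: it substitutes fail2ban's `<HOST>` group, strips the timestamp the way fail2ban does (leaving the empty `[]`, which is why the filter carries the `\[\]\s*` alternative), and reports which source addresses would reach a given maxretry. The log lines, the IP addresses, the simplified stand-in for `%(__prefix_line)s`, and the shortened alternation at the end of the regex (the post truncates it after "No m") are all constructed assumptions.

```python
import re

# Constructed sample lines in Asterisk "full" log file format; not taken from the post.
SAMPLE_LOG = """\
[2015-09-13 11:16:20] NOTICE[2345] chan_sip.c: Registration from '<sip:3060@sip.example.test;transport=UDP>' failed for '203.0.113.45:32956' - Wrong password
[2015-09-13 11:16:21] NOTICE[2345] chan_sip.c: Registration from '<sip:3060@sip.example.test;transport=UDP>' failed for '203.0.113.45:32956' - Wrong password
[2015-09-13 11:16:22] NOTICE[2345] chan_sip.c: Registration from '<sip:3060@sip.example.test;transport=UDP>' failed for '203.0.113.45:32956' - Wrong password
[2015-09-13 11:16:25] NOTICE[2345] chan_sip.c: Peer '3060' is now Reachable. (12ms / 2000ms)
[2015-09-13 11:16:30] NOTICE[2345] chan_sip.c: Registration from '<sip:1001@sip.example.test>' failed for '198.51.100.7:5060' - No matching peer found
"""

# Constructed console-style line (file:line function: before the message). It carries the
# same failure but a different prefix, which is exactly the kind of mismatch fail2ban-regex exposes.
CONSOLE_STYLE_LINE = ("[2015-09-13 11:16:40] NOTICE[2345] chan_sip.c:14444 handle_request_register: "
                      "Registration from '<sip:3060@sip.example.test>' failed for '203.0.113.45:32956' - Wrong password")

# Group fail2ban substitutes for <HOST> (assumed to follow the 0.9-era definition).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(__prefix_line)s from common.conf (assumption): an optional
# syslog-style "hostname asterisk[pid]: " prefix.
PREFIX_LINE = r"\s*(?:\S+ asterisk(?:\[\d+\])?: )?"
PID_RE = r"(?:\[\d+\])"
# Same log_prefix as in the posted filter.
LOG_PREFIX = r"(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?"

# Shortened form of the filter's first failregex; the alternation at the end is an assumption.
FAILREGEX = (r"^(" + PREFIX_LINE + r"|\[\]\s*)" + LOG_PREFIX
             + r" Registration from '[^']*' failed for '<HOST>(:\d+)?' - "
             + r"(Wrong password|Username/auth name mismatch|No matching peer found)$")

DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def strip_date(line):
    """Remove the timestamp but keep the brackets, mirroring fail2ban's date handling."""
    return DATE_RE.sub("[]", line)


def matches(line, pattern=FAILREGEX):
    """True if one log line would be counted as a failure by the filter."""
    return compile_failregex(pattern).search(strip_date(line)) is not None


def match_hosts(log_text, pattern=FAILREGEX):
    """Return the <host> capture of every matching line, in log order."""
    rx = compile_failregex(pattern)
    hits = []
    for line in log_text.splitlines():
        m = rx.search(strip_date(line))
        if m:
            hits.append(m.group("host"))
    return hits


def count_by_host(log_text):
    """Failures per source host, the number fail2ban compares against maxretry."""
    counts = {}
    for host in match_hosts(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


def would_ban(log_text, maxretry=3):
    """Hosts that reach maxretry failures (findtime is ignored here for simplicity)."""
    return sorted(h for h, n in count_by_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("MATCH  " if matches(line) else "ignore ", line[:80])
    print("counts:", count_by_host(SAMPLE_LOG))
    print("would ban:", would_ban(SAMPLE_LOG))
    print("console-style line matches:", matches(CONSOLE_STYLE_LINE))
```

Running the script prints the same verdict per line that fail2ban-regex gives, plus the per-host tally. The console-style line does not match because the filter's log_prefix expects the message directly after `file:line`, so a log written in that format would never be counted; that is the class of mismatch the test-until-it-matches advice above is meant to surface.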