[asterisk-users] fail2ban Asterisk 13.13.1
Motty Cruz
motty.cruz at gmail.com
Wed Mar 1 12:29:00 CST 2017
Hello, fail2ban does not ban offending IP.
NOTICE[29784] chan_sip.c: Registration from
'"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong
password
NOTICE[29784] chan_sip.c: Registration from
'"user3"<sip:1005 at asterisk-ip:5060>' failed for ‘offending-IP:53911' -
Wrong password
systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor
preset: disabled)
Active: active (running) since Wed 2017-03-01 00:40:43 PST; 470min ago
Docs: man:fail2ban(1)
jail.local
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = -1
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[asterisk-iptables]
enable = true
port = 5060,5061
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail[name=ASTERISK, dest=motty at email.com,
sender=fail2ban at asterisk-ip.com]
#action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 3
findtime = 300
bantime = -1
in filter.d
asterisk.conf
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*'
failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No
matching peer found|Not a local domain|Device does not match ACL|Peer is not
supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^%(__prefix_line)s%(log_prefix)s Call from '[^']*'
\(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in
context
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to
authenticate as '[^']*'$
^%(__prefix_line)s%(log_prefix)s No registration for peer
'[^']*' \(from <HOST>\)$
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5
authentication for '[^']*' \([^)]+\)$
^%(__prefix_line)s%(log_prefix)s Failed to authenticate
(user|device) [^@]+@<HOST>\S*$
^%(__prefix_line)s%(log_prefix)s hacking attempt detected
'<HOST>'$
^%(__prefix_line)s%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPa
ssword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",Eve
ntVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV
[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HO
ST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",Ex
pectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP
connection from <HOST>"$
^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']
*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching
endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to
authenticate)\s*$
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong
password
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No
matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No
matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' -
Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device
does not match ACL
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer
is not supposed to register
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL
error (permit/deny)
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device
does not match ACL
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
NOTICE.* .*: Sending fake auth rejection for device
.*\<sip:.*\@<HOST>\>;tag=.*
NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' -
No matching peer found
NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' -
Wrong password
ignoreregex =
Thanks
Motty
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20170301/cf353523/attachment.html>
More information about the asterisk-users
mailing list