[asterisk-users] Fail2ban for asterisk 16 PJSIP

Administrator TOOTAI admin at tootai.net
Sat Jun 8 08:06:13 CDT 2019


On 08/06/2019 at 05:20, John T. Bittner wrote:
> Hopefully, this helps someone else.
> 
> 
> This seems to be working for me.
> 
> # Fail2Ban configuration file
> 
> [INCLUDES]
> 
> #before = common.conf
> 
> [Definition]
> 
> failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching endpoint found
>             NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Failed to authenticate
>             NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Error to authenticate
>             NOTICE.* .*: Request \'INVITE\' from '.*' failed for '<HOST>:.*' .*
> 
> John Bittner
> 
> Xaccel
[...]

We have these rules:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

# Author: Xavier Devlamynck / Daniel Black

-- 
Daniel
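The following is an added example, not code from either poster and not fail2ban's own implementation: it takes the two rules from Daniel's filter that fire on PJSIP traffic (the "Request ... failed for ..." rule and the SecurityEvent rule), applies them the way fail2ban does (first the log prefix, then the failregex on the remainder) and counts hits per source address over a handful of constructed Asterisk log lines. The constructed lines, the simplified timestamp handling (fail2ban strips the date via datepattern before matching; here a leading "[...]" is matched explicitly) and the <HOST> expansion (the form fail2ban 0.9 used; 0.10+ substitutes a richer address/DNS alternation, but the host group name is the same) are all assumptions of this example. The SecurityEvent line only reaches fail2ban if the security log level is routed to a file the jail watches, which is also assumed here.

```python
import re
from collections import Counter

# Assumption: <HOST> expanded as fail2ban 0.9 did it (newer versions use a
# wider address/DNS alternation, still exposing the named group "host").
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Verbatim from the filter above: __pid_re and log_prefix.
PID_RE = r"(?:\s*\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)" + PID_RE
              + r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")

# Stand-in for datepattern + prefregex: strip the "[date]" Asterisk writes at
# line start (assumption: default Asterisk file-log timestamp), then isolate
# the message body that the failregex lines are matched against.
PREFREGEX = re.compile(r"^\[[^\]]+\] " + LOG_PREFIX + r" (?P<content>.+)$")

# The two failregex lines relevant to PJSIP, with <HOST> substituted.
FAILREGEX = [
    re.compile(
        r"^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '" + HOST
        + r"(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found"
        r"|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$"),
    re.compile(
        r'^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed'
        r'|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?)'
        r',RemoteAddress="IPV[46]/(UDP|TCP|WS)/' + HOST + r'/\d+"'
        r'(?:,(?!RemoteAddress=)\w+="[^"]*")*$'),
]


def match_line(line):
    """Return the offending source address for one log line, or None."""
    pre = PREFREGEX.match(line)
    if not pre:
        return None
    for rx in FAILREGEX:
        m = rx.match(pre.group("content"))
        if m:
            return m.group("host")
    return None


def scan(lines):
    """Count failregex hits per source address, as the jail's filter would."""
    return Counter(h for h in map(match_line, lines) if h)


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "[2019-06-08 10:15:02] NOTICE[1234]: res_pjsip/pjsip_distributor.c:661 "
    "log_failed_request: Request 'REGISTER' from '<sip:100@203.0.113.7>' "
    "failed for '203.0.113.7:5060' (callid: 1a2b3c) - No matching endpoint found",
    "[2019-06-08 10:15:03] NOTICE[1234]: res_pjsip/pjsip_distributor.c:661 "
    "log_failed_request: Request 'INVITE' from '<sip:100@203.0.113.7>' "
    "failed for '203.0.113.7:5060' (callid: 4d5e6f) - Failed to authenticate",
    "[2019-06-08 10:15:04] NOTICE[1234]: res_pjsip/pjsip_distributor.c:661 "
    "log_failed_request: Request 'REGISTER' from '\"user\" <sip:user@192.0.2.9>' "
    "failed for '192.0.2.9:5060' (callid: 7a8b9c) - Not match Endpoint ACL",
    # Benign line: a successful registration must not produce a hit.
    "[2019-06-08 10:15:06] NOTICE[1234]: res_pjsip/res_pjsip_registrar.c:1234 "
    "registrar_add_contact: Added contact 'sip:100@10.0.0.5:5060' to AOR '100' "
    "with expiration of 3600 seconds",
    "[2019-06-08 10:15:07] SECURITY[1234] res_security_log.c: "
    'SecurityEvent="InvalidPassword",EventTV="2019-06-08T10:15:07.000+0000",'
    'Severity="Error",Service="PJSIP",EventVersion="2",AccountID="100",'
    'SessionID="x1",LocalAddress="IPV4/UDP/10.0.0.1/5060",'
    'RemoteAddress="IPV4/UDP/203.0.113.7/5060",Challenge="abc",'
    'ReceivedChallenge="abc",ReceivedHash="def"',
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG).most_common():
        print(f"{host}: {hits} failure(s)")
```

Against a real log the equivalent check is the tool fail2ban ships for this purpose, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines each failregex matched and which lines matched nothing; running it after editing a filter catches exactly the wrapped-regex and escaping mistakes that otherwise surface only as an un-banned scanner.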



More information about the asterisk-users mailing list