<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 15.09.2014 at 15:26, Matthew
Jordan wrote:<br>
</div>
<blockquote
cite="mid:CAN2PU+5w8cECb72PnNMKmUSPq1A83bbi0L_ZHcDA84NkZemcPA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Sep 15, 2014 at 6:21 AM,
Patrick Laimbock <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:patrick@laimbock.com" target="_blank">patrick@laimbock.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Hi Rainer,<span
class=""><br>
<br>
On 15-09-14 09:07, Rainer Piper wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
Hi,<br>
<br>
Info !!! not a question !!!<br>
<br>
the pjsip logger is different:<br>
<br>
[Sep 15 07:33:27] NOTICE[65267]
res_pjsip/pjsip_distributor.c: Request<br>
from '"1001" &lt;sip:1001@81.20.137.222&gt;'
failed for '85.25.197.23:5071'<br>
(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No
matching endpoint found<br>
<br>
and here the RegEx for fail2ban to catch this log:<br>
<br>
|NOTICE.* .*: Request from '.*' failed for
'&lt;HOST&gt;(:[0-9]{1,5})?' (.*) -<br>
No matching endpoint found<br>
</blockquote>
<br>
</span>
Thanks for sharing. If you use github it would be nice if
you could submit a pull request so that it becomes part of
the Asterisk rules in the next Fail2ban version (0.9.1).<br>
<br>
<a moz-do-not-send="true"
href="https://github.com/fail2ban/fail2ban/pulls"
target="_blank">https://github.com/fail2ban/fail2ban/pulls</a><br>
<br>
HTH,<br>
Patrick<span class=""><font color="#888888"><br>
</font></span></blockquote>
<div><br>
<br>
</div>
<div>Why would you not use the SECURITY log format, which
has the exact same format between chan_sip and
chan_pjsip, and has a consistent format from Asterisk
10+? <br>
<br>
<a moz-do-not-send="true"
href="https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger">https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger</a><br>
</div>
</div>
<br>
-- <br>
<div dir="ltr">
<div>Matthew Jordan<br>
</div>
<div>Digium, Inc. | Engineering Manager</div>
<div>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA</div>
<div>Check us out at: <a moz-do-not-send="true"
href="http://digium.com" target="_blank">http://digium.com</a>
&amp; <a moz-do-not-send="true"
href="http://asterisk.org" target="_blank">http://asterisk.org</a></div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
Thanks for security_log => security<br>
<br>
Ok ... I switched the <br>
security_log => security<br>
in logger.conf on and I'm going to write a RegEx for Fail2ban.<br>
<br>
log sample - security log of wrong password:<br>
[Sep 15 15:51:26] SECURITY[17378] res_security_log.c:
SecurityEvent="ChallengeResponseFailed",EventTV="2014-09-15T15:51:26.126+0200",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="7002",SessionID="80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10",LocalAddress="IPV4/UDP/178.5.154.91/5072",RemoteAddress="IPV4/UDP/192.168.8.10/6012",Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""<br>
<br>
<div class="moz-signature">-- <br>
<b>Rainer Piper</b>
<br>
Integration engineer
<br>
Koeslinstr. 56
<br>
53123 BONN <br>
GERMANY
<br>
Phone: +49 228 97167161
<br>
P2P: <a class="moz-txt-link-freetext" href="sip:rainer@sip.soho-piper.de:5072">sip:rainer@sip.soho-piper.de:5072</a> (pjsip-test)
<br>
XMPP: <a class="moz-txt-link-abbreviated" href="mailto:rainer@xmpp.soho-piper.de">rainer@xmpp.soho-piper.de</a></div>
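<br>
<div>The SECURITY log line shown above, parsed field by field to pull the host out of RemoteAddress and count failed-authentication events per host. This is an added example, not code from the thread, Asterisk or Fail2ban; the function names, the maxretry threshold, the choice of event names and the constructed sample lines are assumptions.</div>
<pre>
```python
import ipaddress
import re
from collections import Counter

# Events counted as failures. ChallengeResponseFailed is the one in the thread's
# sample; adding the other two is an assumption about what an operator would count.
FAILURES = {"ChallengeResponseFailed", "InvalidAccountID", "InvalidPassword"}

LINE = re.compile(r'^\[[^\]]+\] SECURITY\[\d+\] \S+: (.+)$')
PAYLOAD = re.compile(r'(?:\w+="[^"]*",)*\w+="[^"]*"')  # strict key="value" list
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the key/value fields of one SECURITY line, or None."""
    m = LINE.match(line.strip())
    if not m or not PAYLOAD.fullmatch(m.group(1)):
        return None  # other log level or malformed payload: ignore
    return dict(FIELD.findall(m.group(1)))

def remote_host(event):
    """Return the validated IP from a value like IPV4/UDP/host/port, else None."""
    parts = event.get("RemoteAddress", "").split("/")
    if len(parts) != 4 or parts[0] not in ("IPV4", "IPV6"):
        return None
    try:
        return str(ipaddress.ip_address(parts[2]))
    except ValueError:
        return None

def offenders(lines, maxretry=3):
    """Hosts with at least maxretry failure events (no time window here)."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        host = remote_host(ev) if ev and ev.get("SecurityEvent") in FAILURES else None
        if host:
            hits[host] += 1
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample lines in the layout of the thread's log (documentation IPs).
def sample_line(event, account, remote):
    return ('[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: '
            f'SecurityEvent="{event}",EventVersion="1",Service="PJSIP",'
            f'AccountID="{account}",RemoteAddress="{remote}"')

SAMPLE = ([sample_line("ChallengeResponseFailed", "7002", "IPV4/UDP/198.51.100.7/6012")] * 3
          + [sample_line("SuccessfulAuth", "7001", "IPV4/UDP/192.0.2.10/5060")] * 5
          + [sample_line("ChallengeResponseFailed", "7003", "IPV6/UDP/2001:db8::9/5060")] * 2
          + ['[Sep 15 15:51:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request failed'])
```
</pre>
<div>Because the host is taken only from the parsed RemoteAddress field and validated as an IP address, text inside AccountID or SessionID is never used as the address to ban.</div>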
</body>
</html>