<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 15.09.2014 at 15:26, Matthew Jordan
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAN2PU+5w8cECb72PnNMKmUSPq1A83bbi0L_ZHcDA84NkZemcPA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Mon, Sep 15, 2014 at 6:21 AM,
            Patrick Laimbock <span dir="ltr">&lt;<a
                moz-do-not-send="true"
                href="mailto:patrick@laimbock.com" target="_blank">patrick@laimbock.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">Hi Rainer,<span
                class=""><br>
                <br>
                On 15-09-14 09:07, Rainer Piper wrote:<br>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  Hi,<br>
                  <br>
                  Info !!! not a question !!!<br>
                  <br>
                  the pjsip logger is different:<br>
                  <br>
                  [Sep 15 07:33:27] NOTICE[65267]
                  res_pjsip/pjsip_distributor.c: Request
                  from '"1001" &lt;sip:1001@81.20.137.222&gt;'
                  failed for '85.25.197.23:5071'
                  (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No
                  matching endpoint found<br>
                  <br>
                  and here the RegEx for fail2ban to catch this log:<br>
                  <br>
                  NOTICE.* .*: Request from '.*' failed for
                  '&lt;HOST&gt;(:[0-9]{1,5})?' (.*) -
                  No matching endpoint found<br>
                </blockquote>
                <br>
              </span>
              Thanks for sharing. If you use github it would be nice if
              you could submit a pull request so that it becomes part of
              the Asterisk rules in the next Fail2ban version (0.9.1).<br>
              <br>
              <a moz-do-not-send="true"
                href="https://github.com/fail2ban/fail2ban/pulls"
                target="_blank">https://github.com/fail2ban/fail2ban/pulls</a><br>
              <br>
              HTH,<br>
              Patrick<span class=""><font color="#888888"><br>
                </font></span></blockquote>
            <div><br>
              <br>
            </div>
            <div>Why would you not use the SECURITY log format, which
              has the exact same format between chan_sip and
              chan_pjsip, and has a consistent format from Asterisk
              10+? <br>
              <br>
              <a moz-do-not-send="true"
href="https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger">https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger</a><br>
            </div>
          </div>
          <br>
          -- <br>
          <div dir="ltr">
            <div>Matthew Jordan<br>
            </div>
            <div>Digium, Inc. | Engineering Manager</div>
            <div>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA</div>
            <div>Check us out at: <a moz-do-not-send="true"
                href="http://digium.com" target="_blank">http://digium.com</a>
              & <a moz-do-not-send="true"
                href="http://asterisk.org" target="_blank">http://asterisk.org</a></div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Thanks for security_log => security<br>
    <br>
    OK ... I switched on<br>
    security_log =&gt; security<br>
    in logger.conf and I'm going to write a RegEx for Fail2ban.<br>
    <br>
    log sample - security log of wrong password:<br>
    [Sep 15 15:51:26] SECURITY[17378] res_security_log.c:
SecurityEvent="ChallengeResponseFailed",EventTV="2014-09-15T15:51:26.126+0200",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="7002",SessionID="80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10",LocalAddress="IPV4/UDP/178.5.154.91/5072",RemoteAddress="IPV4/UDP/192.168.8.10/6012",Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""<br>
    <br>
    <div class="moz-signature">-- <br>
      <b>Rainer Piper</b>
      <br>
      Integration engineer
      <br>
      Koeslinstr. 56
      <br>
      53123 BONN <br>
      GERMANY
      <br>
      Phone: +49 228 97167161
      <br>
      P2P: <a class="moz-txt-link-freetext" href="sip:rainer@sip.soho-piper.de:5072">sip:rainer@sip.soho-piper.de:5072</a> (pjsip-test)
      <br>
      XMPP: <a class="moz-txt-link-abbreviated" href="mailto:rainer@xmpp.soho-piper.de">rainer@xmpp.soho-piper.de</a></div>
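    <div>The SECURITY log line quoted in the reply above, parsed field by field to pick out the address a Fail2ban-style rule would act on. This is an added example, not part of the original mail and not Fail2ban's or Asterisk's own code. Assumptions: the helper name <code>offending_host</code> is hypothetical, the set of events to ban on is a choice made here, and IPv6 addresses are assumed to use the same family/transport/address/port layout as the IPv4 sample.</div>

```python
import ipaddress
import re

# Security events treated as failures worth banning on. The names are Asterisk
# security event types; which of them to act on is an assumption of this example.
BAN_EVENTS = {"ChallengeResponseFailed", "InvalidPassword",
              "InvalidAccountID", "FailedACL"}

HEADER = re.compile(r'^\[[^\]]+\] SECURITY\[\d+\] \S+: (.+)$')
FIELD = r'\w+="[^"]*"'
PAYLOAD = re.compile(FIELD + r'(?:,' + FIELD + r')*')
PAIR = re.compile(r'(\w+)="([^"]*)"')

# The log sample from the mail above, joined back into one line.
SAMPLE = (
    '[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: '
    'SecurityEvent="ChallengeResponseFailed",'
    'EventTV="2014-09-15T15:51:26.126+0200",Severity="Error",Service="PJSIP",'
    'EventVersion="1",AccountID="7002",'
    'SessionID="80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10",'
    'LocalAddress="IPV4/UDP/178.5.154.91/5072",'
    'RemoteAddress="IPV4/UDP/192.168.8.10/6012",'
    'Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",'
    'Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""'
)


def offending_host(line):
    """Hypothetical helper: IP to ban for a SECURITY log line, else None."""
    m = HEADER.match(line.strip())
    if not m or not PAYLOAD.fullmatch(m.group(1)):
        return None              # not a security event, or malformed fields
    pairs = PAIR.findall(m.group(1))
    fields = dict(pairs)
    if len(fields) != len(pairs):
        return None              # a key appears twice: do not guess which is real
    if fields.get("SecurityEvent") not in BAN_EVENTS:
        return None
    # RemoteAddress is family/transport/address/port; never use LocalAddress
    parts = fields.get("RemoteAddress", "").split("/")
    if len(parts) != 4 or parts[0] not in ("IPV4", "IPV6"):
        return None
    try:
        return str(ipaddress.ip_address(parts[2]))
    except ValueError:
        return None              # address field is not a literal IP
```

    <div>Each value is matched as <code>[^"]*</code> and the whole payload must parse, so text inside one field (for example AccountID, which the remote side chooses) cannot be read as another field.</div>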
  </body>
</html>