<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 29, 2018 at 10:52 PM, Matthew Jordan <span dir="ltr"><<a href="mailto:mjordan@digium.com" target="_blank">mjordan@digium.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_quote"><span class=""><div dir="ltr">On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <<a href="mailto:support@telium.ca" target="_blank">support@telium.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous time). If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.<br>
<br>
Digium warns not to use fail2ban / log trolling as a security system: <a href="http://forums.asterisk.org/viewtopic.php?p=159984" rel="noreferrer" target="_blank">http://forums.asterisk.org/<wbr>viewtopic.php?p=159984</a><br>
<br>
<br></blockquote><div><br></div></span><div>That's some pretty old advice.<br></div><div><br></div><div>The rationale for *not* using general log messages with fail2ban still stands: the general WARNING/NOTICE/etc. log messages are subject to change between versions, and no one wants that to impact someone's security. So you should not use those messages as input into fail2ban.</div><div><br></div><div>That rationale did lead to the 'security' event type in log messages. Security Event Logging - as it is called - got added into Asterisk quite some time ago. So long ago I'm really not sure which version. At a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.</div><div><br></div><div>Documentation for it can be found here:</div><div><br></div><div><a href="https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger" target="_blank">https://wiki.asterisk.org/<wbr>wiki/display/AST/Asterisk+<wbr>Security+Event+Logger</a><br></div><div><br></div><div>And here:</div><div><br></div><div><a href="https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration" target="_blank">https://wiki.asterisk.org/<wbr>wiki/display/AST/Logging+<wbr>Configuration</a><br></div><div><br></div><div>Note that this also fires off AMI events (and ARI events, IIRC).</div><div><br></div><div>If, for whatever reason, you do not get a SECURITY log message or a corresponding event when something 'bad' happens, that would be worth some additional discussion. If anything, the events can be a bit chatty...</div><div><div class="h5"><div><br></div></div></div></div></div></blockquote><div> </div><div>FYI: We have found that Fail2Ban has not been as effective as it has in the past (more with web provisioning servers then with SIP) as once the attackers think they have a system they can compromise they will change their IP's and keep trying over and over.</div><div><br></div><div><br></div></div></div></div>