On 9/13/15 11:16 AM, Gokan Atmaca wrote:
Hello
I'm using the Fail2ban. I configuration below. I want to try to
prevent the continuous password. Fail2ban password that does not
prevent this form. (Asterisk 1.8 / Elastix interface)
What could be the problem ?
Asterisk log;
"Registration from '<sip:[email protected];transport=UDP>' failed for
'x.x.x.x:32956' - Wrong password"
Sometimes minor tweaks to the file are in order. My suggestion is to
use the fail2ban-regex utility to test the log file entry until it is
detected. Just put the line generated by asterisk in a test file and
then run the regex.
# /usr/bin/fail2ban-regex -?
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
example:
/usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf
Fail2ban asterisk filter;
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
\S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
password|Username/auth name mismatch|No m$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
not found in context 'de$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
for peer '[^']*' \(from <HOST>\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
not found in context 'de$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
for peer '[^']*' \(from <HOST>\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
authenticate (user|device) [^@]+@<HOST>\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
(?:handle_request_subscribe: )?Sending fake auth rejection for
(device|user) \d*<sip:[^@]+@<HOST>>;tag=$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
)Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
--
Technical Support
http://www.cellroute.net
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
