On Wed, Aug 29, 2018 at 10:52 PM, Matthew Jordan <mjor...@digium.com> wrote:
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <supp...@telium.ca> wrote:
>
>> Depending on log trolling (Asterisk security log) misses a lot, and also
>> depends on the SIP/PJSIP folks to not change message structure (which has
>> already happened numerous times). If you are comfortable hacking
>> chan_sip.c you may prefer to get the same messages from the AMI. It still
>> misses a lot but that approach is better than nothing.
>>
>> Digium warns not to use fail2ban / log trolling as a security system:
>> http://forums.asterisk.org/viewtopic.php?p=159984
>
> That's some pretty old advice.
>
> The rationale for *not* using general log messages with fail2ban still
> stands: the general WARNING/NOTICE/etc. log messages are subject to change
> between versions, and no one wants that to impact someone's security. So
> you should not use those messages as input into fail2ban.
>
> That rationale did lead to the 'security' event type in log messages.
> Security Event Logging - as it is called - got added into Asterisk quite
> some time ago. So long ago I'm really not sure which version. At a minimum,
> Asterisk 11, but I'm pretty sure it was in 10 as well.
>
> Documentation for it can be found here:
>
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
>
> And here:
>
> https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
>
> Note that this also fires off AMI events (and ARI events, IIRC).
>
> If, for whatever reason, you do not get a SECURITY log message or a
> corresponding event when something 'bad' happens, that would be worth some
> additional discussion. If anything, the events can be a bit chatty...

FYI: We have found that Fail2Ban has not been as effective as it has in the past (more with web provisioning servers than with SIP), as once the attackers think they have a system they can compromise, they will change their IPs and keep trying over and over.
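The point made in the quoted reply is that only the SECURITY log channel has a stable key="value" format, so that is the channel a detector should consume rather than WARNING/NOTICE lines. The following is an added example, not code from this thread, from Asterisk or from fail2ban: it parses constructed lines approximating the SECURITY channel output (the exact field set, the event names in FAILURE_EVENTS and the RemoteAddress layout are assumptions from memory of res_security_log, not taken from the thread) and flags a remote address once it accumulates a threshold of authentication failures inside a sliding time window. General log lines are skipped deliberately, which is the behaviour the reply argues for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event names treated as authentication failures. Assumed Asterisk security
# event names; the thread does not list them.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID",
                  "ChallengeResponseFailed", "FailedACL"}

# One SECURITY channel line: [timestamp] SECURITY[pid] source: Key="Value",...
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\] \S+: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log (documentation-range addresses), approximating the
# SECURITY channel format; not captured from a real system.
SAMPLE_LOG = """\
[2018-08-29 22:52:01] SECURITY[2104] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-08-29T22:52:01.100-0500",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1001",SessionID="s1",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2018-08-29 22:52:02] SECURITY[2104] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T22:52:02.200-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="admin",SessionID="s2",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2018-08-29 22:52:03] VERBOSE[2104] chan_sip.c: -- general log line on an unstable channel, ignored
[2018-08-29 22:52:04] SECURITY[2104] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-08-29T22:52:04.000-0500",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="1002",SessionID="s3",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-29 22:52:05] SECURITY[2104] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-08-29T22:52:05.300-0500",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1002",SessionID="s4",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-29 22:52:09] SECURITY[2104] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2018-08-29T22:52:09.900-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1003",SessionID="s5",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2018-08-29 23:40:00] SECURITY[2104] res_security_log.c: SecurityEvent="FailedACL",EventTV="2018-08-29T23:40:00.000-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="s6",LocalAddress="IPV4/UDP/10.0.0.1/5060",RemoteAddress="IPV4/UDP/192.0.2.9/5060"
"""


def parse_security_events(text):
    """Return one dict per SECURITY line; lines from other log channels are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # WARNING/NOTICE/VERBOSE: format changes between versions
        ev = dict(KV_RE.findall(m.group("body")))
        ev["timestamp"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        # RemoteAddress is assumed to be "FAMILY/TRANSPORT/address/port".
        parts = ev.get("RemoteAddress", "").split("/")
        ev["remote_ip"] = parts[2] if len(parts) == 4 else None
        events.append(ev)
    return events


def find_brute_force_sources(events, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: total_failures} for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("SecurityEvent") in FAILURE_EVENTS and ev["remote_ip"]:
            by_ip[ev["remote_ip"]].append(ev["timestamp"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    parsed = parse_security_events(SAMPLE_LOG)
    print(f"{len(parsed)} security events parsed")
    for ip, count in find_brute_force_sources(parsed).items():
        print(f"{ip}: {count} authentication failures")
```

In the constructed sample only 203.0.113.5 crosses the threshold (three failures inside 60 seconds); 198.51.100.7 has one success and one failure, and 192.0.2.9 has a single failure, so neither is flagged. The same parser works on the AMI/ARI event stream the reply mentions, since those carry the same key/value fields.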