If you are using OSSEC, here are some rules:

<rule id="10000" level="5">
  <decoded_as>local-asterisk-denied</decoded_as>
  <description>Asterisk Potentially Under Attack</description>
</rule>

<rule id="10001" level="8" frequency="5" timeframe="10">
  <if_matched_sid>10000</if_matched_sid>
  <same_source_ip />
  <description>Asterisk Under Brute Force Attack</description>
</rule>

and for the local_decoder:

<decoder name="local-asterisk-denied">
  <prematch>NOTICE[\d+] \S+: Registration from </prematch>
  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>

OSSEC can then use Active Response to block the IP using IPtables.

--
Thanks, Phil

----- Original Message -----
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:asterisk-users-[email protected]] On Behalf Of Bryant Zimmerman
> > Sent: Tuesday, July 26, 2011 3:22 PM
> > To: Asterisk Users Mailing List - Non-Commercial Discussion
> > Subject: Re: [asterisk-users] file2ban
> >
> > I want to add an entry to a database every time a brute force
> > registration attempt is done.
> > From this database we are updating Cisco routers with our ban list
> > so our entire network is protected.
> > The database side of things is working and has been for some time.
> > I really would like to add the fail2ban side of it to protect our
> > asterisk system better.
>
> Look at /etc/fail2ban/action.d/. Actions in the default config
> run an iptables command to insert the ban into IPTables, but you
> can have it run most any command.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
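
Added example, not part of the original messages: a Python model of the local-asterisk-denied decoder and the frequency rule 10001, run over constructed Asterisk log lines, including two constructed line variants that the patterns as written do not decode. The pattern translation, function names and sample lines are assumptions made here, and the threshold logic simplifies how OSSEC counts `frequency`.

```python
import re
from collections import defaultdict, deque

# Python translations of the decoder's two patterns. Assumption: in OSSEC's
# regex dialect "[" and "." are literal characters, so they are escaped here.
PREMATCH = re.compile(r"NOTICE\[\d+\] \S+: Registration from ")
AFTER = re.compile(r"\S+ failed for '(\d+\.\d+\.\d+\.\d+)'")

def decode(line):
    """Return the srcip the decoder would extract, or None if it does not match."""
    pre = PREMATCH.search(line)
    if not pre:
        return None
    # offset="after_prematch" with a leading ^ anchors right after the prematch.
    m = AFTER.match(line, pre.end())
    return m.group(1) if m else None

def brute_force_alerts(events, frequency=5, timeframe=10):
    """events: iterable of (epoch_seconds, log_line), in time order.
    Simplified model of rule 10001: report (time, srcip) whenever one source
    reaches `frequency` decoded failures within `timeframe` seconds. OSSEC's
    own counting of `frequency` may differ from this threshold."""
    recent = defaultdict(deque)
    alerts = []
    for ts, line in events:
        ip = decode(line)
        if ip is None:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timeframe:   # drop failures outside the window
            window.popleft()
        if len(window) >= frequency:
            alerts.append((ts, ip))
            window.clear()                  # start counting again after alerting
    return alerts

# Constructed sample lines (documentation addresses, not real traffic).
FAIL = "[Jul 26 15:22:0%d] NOTICE[2817] chan_sip.c: Registration from '<sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password"
SAMPLE = [(1000 + i, FAIL % i) for i in range(5)]
SAMPLE.append((1005, FAIL.replace("203.0.113.5", "198.51.100.7") % 5))
# Constructed variants the patterns do not decode: a display name containing
# a space, and a source address followed by a port.
WITH_NAME = FAIL.replace("'<sip", "'\"100\" <sip") % 1
WITH_PORT = FAIL.replace("203.0.113.5'", "203.0.113.5:5060'") % 1

if __name__ == "__main__":
    print(brute_force_alerts(SAMPLE))
```

Lines that fail to decode never reach rule 10000, so checking a few real log lines against the decoder (for instance with ossec-logtest) before relying on Active Response is worthwhile.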
