On 07/08/2013 01:46 PM, Giles Coochey wrote:
Just a note that I did a little work to extend FreePBX distro with some
extra Fail2Ban which deals with some drive-by SIP registration attempts.
My regex is poor to middling, but the steps detailed here:
http://www.coochey.net/?p=61 manage to stop IPs which try to
authenticate against Asterisk which FreePBX were not able to stop before.
I would welcome any improvements anyone would care to submit and I'll
extend the article a little.
The changes need the Asterisk security log feature, which I think was
only introduced in later versions of Asterisk (e.g. v11).
It seems your rule is not yet present in fail2ban 0.8.10.0. The only one
close to it is:
SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$
See
https://github.com/fail2ban/fail2ban/blob/0.8.10/config/filter.d/asterisk.conf
Might be an idea to submit it for future inclusion.
Regards,
Patrick
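
Added example, not part of the original message or of fail2ban's own code: a Python check of which security-log lines the 0.8.10 rule quoted above would match. The expansions used for `%(__pid_re)s` and `<HOST>` are assumptions standing in for fail2ban's own definitions, the function names are hypothetical, and the log lines are constructed.

```python
import re

# failregex quoted in the message above (fail2ban 0.8.10 asterisk.conf), on one line.
FAILREGEX = (
    r'SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",'
    r'EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",'
    r'EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",'
    r'LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$'
)

# Assumed stand-ins for the values fail2ban substitutes before compiling the regex.
PID_RE = r'(?:\[\d+\])'
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)'


def compile_failregex(failregex):
    """Expand the two placeholders and compile, roughly as fail2ban would."""
    return re.compile(failregex.replace('%(__pid_re)s', PID_RE).replace('<HOST>', HOST_RE))


def offending_host(line, pattern=compile_failregex(FAILREGEX)):
    """Return the address fail2ban would ban for this log line, or None if no match."""
    match = pattern.search(line.rstrip('\r\n'))
    return match.group('host') if match else None


def security_line(event, account_id):
    """Build a constructed Asterisk security-log line (not captured from a real system)."""
    return (
        '[2013-07-08 13:46:01] SECURITY[1234] res_security_log.c: '
        'SecurityEvent="{0}",EventTV="1373287561-123456",Severity="Error",'
        'Service="SIP",EventVersion="1",AccountID="{1}",SessionID="0x7f0a1c0d5e88",'
        'LocalAddress="IPV4/UDP/192.0.2.10/5060",'
        'RemoteAddress="IPV4/UDP/203.0.113.7/5071"'
    ).format(event, account_id)


SAMPLES = {
    'numeric account': security_line('InvalidAccountID', '100'),
    'non-numeric account': security_line('InvalidAccountID', 'reception'),
    'other event type': security_line('InvalidPassword', '100'),
}

if __name__ == '__main__':
    for name, line in SAMPLES.items():
        print('{0:22} -> {1}'.format(name, offending_host(line) or 'no match'))
```

Running `fail2ban-regex` against your own security log remains the authoritative check, since it uses the placeholder definitions of the installed fail2ban version.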