On 08/07/2013 16:11, Patrick Lists wrote:
On 07/08/2013 01:46 PM, Giles Coochey wrote:

Just a note that I did a little work to extend FreePBX distro with some extra Fail2Ban which deals with some drive-by SIP registration attempts.

My regex is poor to middling, but the steps detailed here: http://www.coochey.net/?p=61 manage to stop IPs which try to authenticate against Asterisk which FreePBX were not able to stop before.

I would welcome any improvements anyone would care to submit and I'll extend the article a little. The changes need the Asterisk security log feature, which I think was only introduced in later versions of Asterisk (e.g. v11).

It seems your rule is not yet present in fail2ban 0.8.10.0. The only one close to it is:

SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$

See https://github.com/fail2ban/fail2ban/blob/0.8.10/config/filter.d/asterisk.conf

Might be an idea to submit it for future inclusion.
I think that regex above is far better than my:

failregex = SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/<HOST>/
I think I will try and get it slightly better than my lowly attempt, before I try to submit it!! The example you give is probably a good boilerplate for it!! I can probably just juxtaposition InvalidAccountID for InvalidPassword
Thanks

Giles

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
[email protected]
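To compare the two rules discussed in this thread before submitting anything, it helps to run them the way fail2ban would over a handful of Asterisk security-log lines. The script below is an added example and is not from the thread, from fail2ban or from the article linked above. It assumes the fail2ban 0.8.x expansions of `<HOST>` and `%(__pid_re)s` (the values used here are assumptions, not quoted from the page), constructs a few sample log lines labelled as such, and also tries an `ADAPTED_RULE` of my own that merges the two approaches: it accepts both event names, allows non-numeric account IDs, and drops the trailing `$` so lines with extra fields after `RemoteAddress` still match.

```python
import re

# Assumed fail2ban 0.8.x substitutions (not quoted in the thread): <HOST> is the
# named group fail2ban uses to extract the offending address, and __pid_re is the
# optional "[pid]" tag defined in filter.d/asterisk.conf.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PID_RE = r"(?:\[\d+\])"

# The rule quoted from fail2ban 0.8.10's asterisk.conf in the thread.
FAIL2BAN_RULE = (
    r'SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",'
    r'Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",'
    r'SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$'
)

# Giles's own failregex from the thread.
GILES_RULE = r'SECURITY.* SecurityEvent=\"InvalidPassword\".*RemoteAddress=\"IPV4/UDP/<HOST>/'

# My suggested merge of the two (an assumption, not a rule from fail2ban or the
# article): both event names, any AccountID value, and no "$" so trailing fields
# after RemoteAddress do not break the match.
ADAPTED_RULE = (
    r'SECURITY%(__pid_re)s [^:]+: SecurityEvent="(InvalidAccountID|InvalidPassword)",'
    r'EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",'
    r'AccountID="[^"]*",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"'
)

# Constructed sample security-log lines (RFC 5737 / 3849 documentation addresses).
SAMPLE_LOG = [
    # 1: unknown numeric account from an IPv4/UDP source
    '[2013-07-08 13:46:01] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",'
    'EventTV="1373283961-123456",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",'
    'SessionID="0x7f3a8c0012e8",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.77/5060"',
    # 2: unknown *alphabetic* account name; AccountID="[0-9]+" in the 0.8.10 rule skips this
    '[2013-07-08 13:46:01] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",'
    'EventTV="1373283961-234567",Severity="Error",Service="SIP",EventVersion="1",AccountID="admin",'
    'SessionID="0x7f3a8c0012e8",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"',
    # 3: wrong password for an existing extension; extra trailing fields are constructed
    '[2013-07-08 13:46:02] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidPassword",'
    'EventTV="1373283962-654321",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",'
    'SessionID="0x7f3a8c0012e8",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.77/5060",'
    'Challenge="1a2b3c4d",ReceivedChallenge="1a2b3c4d",ReceivedHash="deadbeef"',
    # 4: same failure over IPv6/TCP; Giles's rule hard-codes IPV4/UDP, and the 0.8 <HOST>
    # group has no ":" in its character class, so no rule here extracts this address
    '[2013-07-08 13:46:02] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidPassword",'
    'EventTV="1373283962-765432",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",'
    'SessionID="0x7f3a8c0012e8",LocalAddress="IPV6/TCP/2001:db8::1/5060",RemoteAddress="IPV6/TCP/2001:db8::5/5060"',
    # 5: an ordinary chan_sip NOTICE, which the SECURITY rules must ignore
    "[2013-07-08 13:46:03] NOTICE[2345] chan_sip.c: Registration from '\"1001\" <sip:1001@192.0.2.10>'"
    " failed for '198.51.100.77:5060' - Wrong password",
]


def compile_failregex(rule: str) -> re.Pattern:
    """Expand a fail2ban failregex into a Python pattern the way fail2ban does:
    substitute the %(name)s config variables, then replace <HOST>."""
    rule = rule.replace("%(__pid_re)s", PID_RE)
    return re.compile(rule.replace("<HOST>", HOST_RE))


def offending_hosts(rule: str, lines) -> list:
    """Return the <host> captured from every line the rule matches, in order."""
    pattern = compile_failregex(rule)
    return [m.group("host") for m in (pattern.search(l) for l in lines) if m]


if __name__ == "__main__":
    for name, rule in (("fail2ban 0.8.10", FAIL2BAN_RULE), ("Giles", GILES_RULE), ("adapted", ADAPTED_RULE)):
        print(f"{name:15s} -> {offending_hosts(rule, SAMPLE_LOG)}")
```

The point of running it this way is that each rule's gaps become visible on concrete lines: the 0.8.10 rule misses alphabetic account IDs and the `InvalidPassword` event entirely, Giles's rule misses `InvalidAccountID` and anything not IPv4/UDP, and none of the three can pull an IPv6 literal out of `RemoteAddress` with the 0.8-era `<HOST>` group. Whether Asterisk 11 really appends extra fields after `RemoteAddress` for `InvalidPassword` is something to confirm against a real security log before relying on the `$` anchor.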
asterisk-users mailing list
