On 15.09.2014 at 15:26, Matthew Jordan wrote:

On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock <patr...@laimbock.com> wrote:

    Hi Rainer,

    On 15-09-14 09:07, Rainer Piper wrote:

        Hi,

        Info !!! not a question !!!

        the pjsip logger is different:

        [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '"1001" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found

        and here the RegEx for fail2ban to catch this log:

        NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found


    Thanks for sharing. If you use github it would be nice if you
    could submit a pull request so that it becomes part of the
    Asterisk rules in the next Fail2ban version (0.9.1).

    https://github.com/fail2ban/fail2ban/pulls

    HTH,
    Patrick



Why would you not use the SECURITY log format, which has the exact same format between chan_sip and chan_pjsip, and has a consistent format from Asterisk 10+?

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org



Thanks for security_log => security

OK ... I switched on
security_log => security
in logger.conf and I'm going to write a RegEx for Fail2ban.

log sample - security log of wrong password:
[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2014-09-15T15:51:26.126+0200",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="7002",SessionID="80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10",LocalAddress="IPV4/UDP/178.5.154.91/5072",RemoteAddress="IPV4/UDP/192.168.8.10/6012",Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""

--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de
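
Added example, not code from anyone in this thread or from the Fail2ban project: a Python check that runs the res_pjsip NOTICE pattern posted above and a key="value" parse of the SECURITY log format against the two log samples from the thread. The `HOST` group (an IPv4-only stand-in for Fail2ban's `<HOST>` tag), the `FAILURES` set, and the `offender` function name are assumptions made for this example.

```python
import re

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag, so the regex runs in plain Python.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The res_pjsip NOTICE pattern posted in the thread, with <HOST> substituted.
PJSIP_NOTICE = re.compile(
    r"NOTICE.* .*: Request from '.*' failed for '" + HOST
    + r"(:[0-9]{1,5})?' (.*) - No matching endpoint found")

# SECURITY lines carry comma-separated key="value" pairs after the module name.
SECURITY = re.compile(r"SECURITY\[\d+\] res_security_log\.c: (?P<body>.*)$")
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Events treated as failures here (a choice made for this example).
FAILURES = {"ChallengeResponseFailed", "InvalidPassword", "InvalidAccountID", "FailedACL"}

def offender(line):
    """Return the remote IP to ban for a failure line, else None."""
    m = PJSIP_NOTICE.search(line)
    if m:
        return m.group("host")
    m = SECURITY.search(line)
    if not m:
        return None
    fields = dict(PAIR.findall(m.group("body")))
    if fields.get("SecurityEvent") not in FAILURES:
        return None
    # RemoteAddress is family/transport/address/port; LocalAddress is the server itself.
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

# Samples: the first two are from the thread (the SECURITY one trimmed), the third is constructed.
NOTICE_LINE = ("[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from "
               "'\"1001\" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071' "
               "(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found")
SECURITY_LINE = ('[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: '
                 'SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",'
                 'AccountID="7002",LocalAddress="IPV4/UDP/178.5.154.91/5072",'
                 'RemoteAddress="IPV4/UDP/192.168.8.10/6012"')
SUCCESS_LINE = ('[Sep 15 15:52:00] SECURITY[17378] res_security_log.c: '
                'SecurityEvent="SuccessfulAuth",Service="PJSIP",AccountID="7002",'
                'RemoteAddress="IPV4/UDP/192.168.8.10/6012"')

if __name__ == "__main__":
    for sample in (NOTICE_LINE, SECURITY_LINE, SUCCESS_LINE):
        print(offender(sample))
```

Parsing the fields by name matters because `LocalAddress` precedes `RemoteAddress` in the SECURITY line, so a pattern that grabs the first `IPV4/UDP/` address would select the server's own IP.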
asterisk-users mailing list