On 2015-09-13 10:16, Gokan Atmaca wrote:
Hello
I'm using the Fail2ban. I configuration below. I want to try to
prevent the continuous password. Fail2ban password that does not
prevent this form. (Asterisk 1.8 / Elastix interface)
What could be the problem ?
Asterisk log;
"Registration from '<sip:[email protected];transport=UDP>' failed for
'x.x.x.x:32956' - Wrong password"
Fail2ban asterisk filter;
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them
from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
\S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
password|Username/auth name mismatch|No m$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
not found in context 'de$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
for peer '[^']*' \(from <HOST>\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
not found in context 'de$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed to authenticate as '[^']*'$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
for peer '[^']*' \(from <HOST>\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
authenticate (user|device) [^@]+@<HOST>\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
(?:handle_request_subscribe: )?Sending fake auth rejection for
(device|user) \d*<sip:[^@]+@<HOST>>;tag=$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
)Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
In the fail2ban website they have several versions of asterisk.conf
depending on the version of Asterisk you are using. If you have the
latest fail2ban that one has the version for Asterisk 11. Go there and
download the correct version for your setup.
--
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez
dCAP #1349
+52 (55)9116-91161
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
