If this is a small site, I recommend you download the free version of SecAst (www.telium.ca <http://www.telium.ca> ) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match etc.instead it talks to Asterisk through the AMI to extract security information. Messing with regexes is a losing battle, and the lag in reading logs can allow an attacker 100+ registration attempts before fail2ban even does anything (assuming the IP is exposed in the Asterisk log).
If this is a large install then post in the commercial list for more information. -Raj- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Tech Support Sent: Wednesday, March 1, 2017 2:37 PM To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users@lists.digium.com> Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1 It's possible that you need to increase the value of 'findtime' to something greater than 300 secs. You also may want to set "timestamp = yes" in asterisk.conf so each line in the CLI will be time stamped. Time stamping it will be the definitive determination on whether or not the 'findtime' is the culprit. Regards; John V. From: asterisk-users-boun...@lists.digium.com <mailto:asterisk-users-boun...@lists.digium.com> [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Motty Cruz Sent: Wednesday, March 01, 2017 01:29 PM To: 'Asterisk Users Mailing List - Non-Commercial Discussion' Subject: [asterisk-users] fail2ban Asterisk 13.13.1 Hello, fail2ban does not ban offending IP. NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong password NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53911' - Wrong password # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 300 [asterisk-iptables] enable = true port = 5060,5061 filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] sendmail[name=ASTERISK, dest=mo...@email.com <mailto:dest=mo...@email.com> , sender=fail2...@asterisk-ip.com <mailto:sender=fail2...@asterisk-ip.com> ] #action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 3 findtime = 300 bantime = -1 in filter.d asterisk.conf failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$ ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$ ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$ ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$ ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$ ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPa ssword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",Eve ntVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV [46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HO ST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",Ex pectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$ ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$ failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny) NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* <HOST> failed to authenticate as '.*'$ NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@ <mailto:.*@%3cHOST%3e.*> <HOST>.* NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@ <sip:.*\@%3cHOST> <HOST>\>;tag=.* NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password ignoreregex = Thanks Motty
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users