On Thu, 2018-03-01 at 15:02 +0200, Atux Atux wrote:
> I have tried to implement it through fail2ban, but it does not seem
> to work for my asterisk implementation.

I'm happy with Fail2Ban protecting my Asterisk 13.
Here is my configuration:

in /etc/asterisk/logger.conf:

messages => security,notice,warning,error

in /etc/asterisk/sip.conf:

allowguest=yes
context=unauthenticated

in /etc/asterisk/extensions.conf:

[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()
exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()

in /etc/fail2ban/jail.conf:

[asterisk]
filter = asterisk
action = iptables-allports[name=ASTERISK]
logpath = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime = 518400
enabled = true

in /etc/fail2ban/filter.d

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
            WARNING.* .*: fail2ban='<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
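Added example, not part of the original message and not Fail2Ban's own code: a small offline check of three of the failregex entries above together with the jail's maxretry/findtime/bantime counting, to see which log lines would trigger a ban before the filter goes live. The log lines are constructed samples, and the <HOST> expansion is an IPv4-only stand-in (an assumption; the real tag also accepts hostnames and IPv6).

```python
import re
from datetime import datetime, timedelta

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag (the real tag also
# accepts hostnames and IPv6).
HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Three failregex entries copied from the filter in the message.
FAILREGEX = r"""
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
WARNING.* .*: fail2ban='<HOST>'
""".split("\n")
COMPILED = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX if r]

# Constructed sample lines shaped like /var/log/asterisk/messages output.
LOG = r"""
[2018-03-01 15:02:11] WARNING[2201][C-00000001]: Ext. 0044123456:1 @ unauthenticated: fail2ban='203.0.113.7'
[2018-03-01 15:02:40] NOTICE[2201]: chan_sip.c:28562 handle_request_register: Registration from '<sip:100@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password
[2018-03-01 15:03:05] NOTICE[2201]: chan_sip.c:24551 handle_response_peerpoke: Peer 'trunk1' is now Reachable. (23ms / 2000ms)
""".strip().split("\n")

def match_host(line):
    """Return the offending IP if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def bans(lines, maxretry=1, findtime=86400, bantime=518400):
    """Return {host: unban time}; defaults are the [asterisk] jail values."""
    seen, banned = {}, {}
    for line in lines:
        ts = datetime.strptime(line[1:20], "%Y-%m-%d %H:%M:%S")
        host = match_host(line)
        if host is None or banned.get(host, ts) > ts:
            continue  # no match, or host is still banned
        seen[host] = [t for t in seen.get(host, [])
                      if (ts - t).total_seconds() <= findtime] + [ts]
        if len(seen[host]) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
    return banned

if __name__ == "__main__":
    for host, until in bans(LOG).items():
        print(host, "banned until", until)
```

With maxretry = 1 a single matching line is enough for a six-day ban, so it is worth running real log excerpts through the same check (or through fail2ban-regex) to confirm that legitimate peers never produce a matching line.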