My asterisk version 1.8 (running FreePBX 2.11) fail2ban filter for asterisk
is old.
My cat /var/log/fail2ban.log shows ssh attempts and it grabs them fine
(until I change that port), so I know fail2ban is working, but for the
asterisk filters it just sort of ignores them. I can test it and it picks up
things from the log, but why does it not ban anyone?
If there is anything else anyone wants to know I will do my best. I must
be missing something and I am stuck and really could use a fresh tip,
something to get me going again. Thank you.
Debian v7 (on Hyper-V)

/etc/fail2ban/jail.local

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@mydomain]
logpath = logpath = /var/log/asterisk/messages
maxretry = 1
bantime = 259200
/etc/fail2ban/filter.d/asterisk.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = asterisk
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            WARNING.*Rejecting unknown SIP connection from <HOST>.*$
ignoreregex =
Here is the stuff I am trying to stop:

cat /var/log/asterisk/messages | grep Rejecting

[2014-10-19 21:38:55] WARNING[12277] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:41:16] WARNING[13030] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:45:49] WARNING[14391] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:48:10] WARNING[15089] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:52:50] WARNING[16501] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:55:10] WARNING[17207] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:59:38] WARNING[18564] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:01:58] WARNING[19273] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:06:35] WARNING[20569] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:08:49] WARNING[21281] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:13:22] WARNING[22659] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:15:38] WARNING[23341] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:20:06] WARNING[24691] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:22:23] WARNING[25375] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:26:54] WARNING[26745] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"

It just goes on forever.
If there is something else you want to know, ask. What am I missing? Because when I run

fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

the filter works fine in fail2ban-regex, but fail2ban is ignoring the logs. What
am I doing wrong?!
Code:
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/asterisk.conf
Use log file : /var/log/asterisk/messages
Results
=======
Failregex
|- Regular expressions:
| [1] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
| [2] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
| [3] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
| [4] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
| [5] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
| [6] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
| [7] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
| [8] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
| [9] NOTICE.* <HOST> failed to authenticate as '.*'$
| [10] NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
| [11] NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
| [12] NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
| [13] NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
| [14] WARNING.*Rejecting unknown SIP connection from <HOST>.*$
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 0 match(es)
[4] 0 match(es)
[5] 0 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 0 match(es)
[11] 0 match(es)
[12] 0 match(es)
[13] 0 match(es)
[14] 33 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
192.254.79.34 (Sat Oct 18 00:44:05 2014)
192.254.79.34 (Sat Oct 18 00:44:44 2014)
192.111.154.38 (Sat Oct 18 00:48:15 2014)
192.254.79.34 (Sat Oct 18 00:52:31 2014)
192.254.79.34 (Sat Oct 18 00:53:18 2014)
192.111.154.38 (Sat Oct 18 00:59:44 2014)
192.254.79.34 (Sat Oct 18 01:00:51 2014)
192.254.79.34 (Sat Oct 18 01:01:55 2014)
192.111.154.38 (Sat Oct 18 09:51:57 2014)
192.111.154.38 (Sat Oct 18 10:04:04 2014)
192.111.154.38 (Sat Oct 18 10:16:12 2014)
192.111.154.38 (Sat Oct 18 10:28:36 2014)
62.210.95.17 (Sat Oct 18 22:53:56 2014)
62.210.95.17 (Sat Oct 18 22:53:56 2014)
192.254.79.34 (Sun Oct 19 21:27:30 2014)
192.254.79.34 (Sun Oct 19 21:31:59 2014)
192.254.79.34 (Sun Oct 19 21:34:21 2014)
192.254.79.34 (Sun Oct 19 21:38:55 2014)
192.254.79.34 (Sun Oct 19 21:41:16 2014)
192.254.79.34 (Sun Oct 19 21:45:49 2014)
192.254.79.34 (Sun Oct 19 21:48:10 2014)
192.254.79.34 (Sun Oct 19 21:52:50 2014)
192.254.79.34 (Sun Oct 19 21:55:10 2014)
192.254.79.34 (Sun Oct 19 21:59:38 2014)
192.254.79.34 (Sun Oct 19 22:01:58 2014)
192.254.79.34 (Sun Oct 19 22:06:35 2014)
192.254.79.34 (Sun Oct 19 22:08:49 2014)
192.254.79.34 (Sun Oct 19 22:13:22 2014)
192.254.79.34 (Sun Oct 19 22:15:38 2014)
192.254.79.34 (Sun Oct 19 22:20:06 2014)
192.254.79.34 (Sun Oct 19 22:22:23 2014)
192.254.79.34 (Sun Oct 19 22:26:54 2014)
192.254.79.34 (Sun Oct 19 22:29:08 2014)
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
355759 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 33
However, look at the above section 'Running tests' which could contain important
information.
What am I missing? All I can find is something on how the timing on reading
the log works. I dunno, anyone?
Last edited by charly78; Yesterday at 10:36 PM.
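The following is an added example, not code from the post above or from the fail2ban project. It reproduces, offline and without fail2ban installed, the two things a defender would want to verify in this situation: what the posted failregex lines actually extract from Asterisk log lines (the same per-host counting that fail2ban-regex reports), and whether the jail section as posted resolves to a readable log file when read by a configparser-based reader, which is what fail2ban's own config reader is built on. The log lines and the jail fragment are constructed from the post; the `<HOST>` expansion is taken from fail2ban 0.8's source as an assumption about that version, and the 600-second findtime is fail2ban's documented default, also stated here as an assumption rather than something the post shows.

```python
"""Offline replay of a fail2ban filter and jail sanity check (added example,
not part of the original post; fail2ban itself is not needed to run it)."""
import configparser
import glob
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the post's /var/log/asterisk/messages excerpt:
# three "Rejecting" lines from one host, one "Wrong password" NOTICE from a
# second host, and one unrelated VERBOSE line that must not match anything.
SAMPLE_LOG = """\
[2014-10-19 21:38:55] WARNING[12277] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:41:16] WARNING[13030] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:45:49] WARNING[14391] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:46:02] NOTICE[14400] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '192.111.154.38:5060' - Wrong password
[2014-10-19 21:47:10] VERBOSE[14410] pbx.c: -- Executing [s@from-internal:1] NoOp("SIP/200-0000001a", "") in new stack
"""

# Constructed jail fragment copied from the post's jail.local, with the action
# continuation line indented as fail2ban expects.  The doubled "logpath ="
# is the post's own text, kept so the check below shows what it turns into.
JAIL_LOCAL = """\
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@mydomain]
logpath = logpath = /var/log/asterisk/messages
maxretry = 1
bantime = 259200
"""

# Two of the post's failregex lines, verbatim.
FAILREGEXES = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"WARNING.*Rejecting unknown SIP connection from <HOST>.*$",
]

# Assumed: fail2ban 0.8's expansion of the <HOST> placeholder.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Asterisk's "[YYYY-MM-DD HH:MM:SS]" prefix, the template fail2ban-regex hit.
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def compile_failregex(pattern):
    """Turn a fail2ban failregex into a Python regex with a named 'host' group."""
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))


def find_failures(log_text, patterns):
    """Return (timestamp, host, pattern_index) for each line a failregex hits.
    The date is parsed first and lines without one are skipped; the first
    matching regex wins, mirroring fail2ban's behaviour."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((when, m.group("host"), idx))
                break
    return hits


def ban_decisions(hits, maxretry, findtime=600):
    """Apply the jail's maxretry/findtime rule: a host is banned the moment it
    has maxretry failures inside any findtime-second window.  Returns a
    {host: time_of_ban} mapping."""
    window = timedelta(seconds=findtime)
    recent_per_host = defaultdict(list)
    banned = {}
    for when, host, _ in sorted(hits):
        recent = [t for t in recent_per_host[host] if when - t <= window]
        recent.append(when)
        recent_per_host[host] = recent
        if host not in banned and len(recent) >= maxretry:
            banned[host] = when
    return banned


def read_jail(text, name):
    """Read one jail section the way a configparser-based reader sees it."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return dict(cp.items(name))


def missing_logpaths(jail):
    """Split logpath on newlines and glob each entry, as fail2ban does;
    return the entries that match no existing file."""
    return [p for p in jail["logpath"].split("\n") if not glob.glob(p.strip())]


if __name__ == "__main__":
    found = find_failures(SAMPLE_LOG, FAILREGEXES)
    for when, host, idx in found:
        print(when, host, "regex", idx + 1)
    print("banned with maxretry=1:", ban_decisions(found, 1))
    jail = read_jail(JAIL_LOCAL, "asterisk-iptables")
    print("logpath value as read:", repr(jail["logpath"]))
    print("logpath entries with no file:", missing_logpaths(jail))
```

Run as a script it prints the per-line extractions, the ban decision, and the jail's `logpath` exactly as a configparser-based reader sees it. The point of `missing_logpaths` is that a jail whose log path globs to nothing is never watched, so a filter can pass fail2ban-regex perfectly and still ban nobody; on the live box the same state is visible with `fail2ban-client status asterisk-iptables` and in /var/log/fail2ban.log at startup.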
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users