Hi Frank. Does fail2ban know what port number ASTERISK is in your action line?
Regards, Finn

On 20-10-2014 at 16:43, Frank Ial Banister wrote:
>
> My asterisk version 1.8 (running freepbx 2.11) fail2ban filter for asterisk is old.
>
> My cat /var/log/fail2ban.log shows ssh attempts and it grabs them fine (until I change that port),
> so I know fail2ban is working, but for asterisk filters it just sort of ignores them. I can test it and it picks up things from the log, but why does it not ban anyone?
>
> If there is anything else anyone wants to know I will do my best. I must be missing something and I am stuck and really could use a fresh tip, something to get me going again. Thank you.
>
> Debian v7 (on hyper-v)
>
> /etc/fail2ban/jail.local
>
> [asterisk-iptables]
>
> enabled = true
> filter = asterisk
> action = iptables-allports[name=ASTERISK, protocol=all]
>          sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@mydomain]
> logpath = logpath = /var/log/asterisk/messages
> maxretry = 1
> bantime = 259200
>
> /etc/fail2ban/filter.d/asterisk.conf
>
> [INCLUDES]
> before = common.conf
>
> [Definition]
> _daemon = asterisk
>
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
>             NOTICE.* <HOST> failed to authenticate as '.*'$
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
>             NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
>             NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
>             WARNING.*Rejecting unknown SIP connection from <HOST>.*$
>
> ignoreregex =
>
> Here is the stuff I am trying to stop:
>
> cat /var/log/asterisk/messages|grep Rejecting
>
> [2014-10-19 21:38:55] WARNING[12277] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 21:41:16] WARNING[13030] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 21:45:49] WARNING[14391] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 21:48:10] WARNING[15089] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 21:52:50] WARNING[16501] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 21:55:10] WARNING[17207] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 21:59:38] WARNING[18564] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:01:58] WARNING[19273] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:06:35] WARNING[20569] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:08:49] WARNING[21281] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:13:22] WARNING[22659] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:15:38] WARNING[23341] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:20:06] WARNING[24691] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:22:23] WARNING[25375] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
> [2014-10-19 22:26:54] WARNING[26745] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
>
> It just goes on forever.
>
> If there is something you want to know, what am I missing? Because when I run
>
> fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
>
> the filter works fine in fail2ban-regex, but fail2ban is ignoring the logs. What am I doing wrong?!
>
> Code:
>
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/asterisk.conf
> Use log file   : /var/log/asterisk/messages
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> |  [1] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
> |  [2] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
> |  [3] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
> |  [4] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
> |  [5] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
> |  [6] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
> |  [7] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
> |  [8] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
> |  [9] NOTICE.* <HOST> failed to authenticate as '.*'$
> |  [10] NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
> |  [11] NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
> |  [12] NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
> |  [13] NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
> |  [14] WARNING.*Rejecting unknown SIP connection from <HOST>.*$
> |
> `- Number of matches:
>    [1] 0 match(es)
>    [2] 0 match(es)
>    [3] 0 match(es)
>    [4] 0 match(es)
>    [5] 0 match(es)
>    [6] 0 match(es)
>    [7] 0 match(es)
>    [8] 0 match(es)
>    [9] 0 match(es)
>    [10] 0 match(es)
>    [11] 0 match(es)
>    [12] 0 match(es)
>    [13] 0 match(es)
>    [14] 33 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
>
> Addresses found:
> [1]
> [2]
> [3]
> [4]
> [5]
> [6]
> [7]
> [8]
> [9]
> [10]
> [11]
> [12]
> [13]
> [14]
>     192.254.79.34 (Sat Oct 18 00:44:05 2014)
>     192.254.79.34 (Sat Oct 18 00:44:44 2014)
>     192.111.154.38 (Sat Oct 18 00:48:15 2014)
>     192.254.79.34 (Sat Oct 18 00:52:31 2014)
>     192.254.79.34 (Sat Oct 18 00:53:18 2014)
>     192.111.154.38 (Sat Oct 18 00:59:44 2014)
>     192.254.79.34 (Sat Oct 18 01:00:51 2014)
>     192.254.79.34 (Sat Oct 18 01:01:55 2014)
>     192.111.154.38 (Sat Oct 18 09:51:57 2014)
>     192.111.154.38 (Sat Oct 18 10:04:04 2014)
>     192.111.154.38 (Sat Oct 18 10:16:12 2014)
>     192.111.154.38 (Sat Oct 18 10:28:36 2014)
>     62.210.95.17 (Sat Oct 18 22:53:56 2014)
>     62.210.95.17 (Sat Oct 18 22:53:56 2014)
>     192.254.79.34 (Sun Oct 19 21:27:30 2014)
>     192.254.79.34 (Sun Oct 19 21:31:59 2014)
>     192.254.79.34 (Sun Oct 19 21:34:21 2014)
>     192.254.79.34 (Sun Oct 19 21:38:55 2014)
>     192.254.79.34 (Sun Oct 19 21:41:16 2014)
>     192.254.79.34 (Sun Oct 19 21:45:49 2014)
>     192.254.79.34 (Sun Oct 19 21:48:10 2014)
>     192.254.79.34 (Sun Oct 19 21:52:50 2014)
>     192.254.79.34 (Sun Oct 19 21:55:10 2014)
>     192.254.79.34 (Sun Oct 19 21:59:38 2014)
>     192.254.79.34 (Sun Oct 19 22:01:58 2014)
>     192.254.79.34 (Sun Oct 19 22:06:35 2014)
>     192.254.79.34 (Sun Oct 19 22:08:49 2014)
>     192.254.79.34 (Sun Oct 19 22:13:22 2014)
>     192.254.79.34 (Sun Oct 19 22:15:38 2014)
>     192.254.79.34 (Sun Oct 19 22:20:06 2014)
>     192.254.79.34 (Sun Oct 19 22:22:23 2014)
>     192.254.79.34 (Sun Oct 19 22:26:54 2014)
>     192.254.79.34 (Sun Oct 19 22:29:08 2014)
>
> Date template hits:
> 0 hit(s): MONTH Day Hour:Minute:Second
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
> 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/MONTH/Year:Hour:Minute:Second
> 0 hit(s): Month/Day/Year:Hour:Minute:Second
> 355759 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Year.Month.Day Hour:Minute:Second
> 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): Day-Month-Year Hour:Minute:Second
> 0 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
> 0 hit(s): Hour:Minute:Second
> 0 hit(s): <Month/Day/Year@Hour:Minute:Second>
>
> Success, the total number of match is 33
>
> However, look at the above section 'Running tests' which could contain important information.
>
> What am I missing? All I can find is something on how the timing on reading the log works. I dunno, anyone?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
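An added diagnostic (not code from this thread or from fail2ban itself) that reads the quoted jail stanza the way fail2ban's INI parser does and applies the one failregex that fail2ban-regex reported as matching, so the file name the jail would actually open and the host the filter would extract can be checked side by side. It assumes the `<HOST>` expansion used by fail2ban 0.8 and takes the stanza, regex and log line from the post above as constructed sample input; because the stanza reads `logpath = logpath = /var/log/asterisk/messages`, the value the parser hands to fail2ban is everything after the first `=`, which the check flags.

```python
import configparser
import os
import re

# Assumption: the named group fail2ban 0.8 substitutes for <HOST>.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample input: the jail stanza, the failregex that
# fail2ban-regex reported as matching (pattern 14) and one log line,
# all copied from the thread above.
JAIL_LOCAL = """[asterisk-iptables]
enabled = true
filter = asterisk
logpath = logpath = /var/log/asterisk/messages
maxretry = 1
"""
FAILREGEX = r"WARNING.*Rejecting unknown SIP connection from <HOST>.*$"
SAMPLE_LINE = ('[2014-10-19 21:38:55] WARNING[12277] Ext. s: '
               '"Rejecting unknown SIP connection from 192.254.79.34"')


def parse_jails(text):
    """INI parse as fail2ban does: the value is everything after the first '='."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def logpath_looks_valid(path):
    """A logpath must be an absolute file name or glob; '=' or blanks mean a typo."""
    return os.path.isabs(path) and "=" not in path and " " not in path

def match_host(failregex, line):
    """Expand <HOST> and search the line as fail2ban does; return the host or None."""
    m = re.search(failregex.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None

def diagnose(jail_text, failregex, line):
    """Per jail: the logpath fail2ban would try to open, whether it is plausible,
    and the host the filter would ban for the sample line."""
    report = {}
    for name, opts in parse_jails(jail_text).items():
        path = opts.get("logpath", "")
        report[name] = {"logpath": path,
                        "logpath_looks_valid": logpath_looks_valid(path),
                        "host_from_sample": match_host(failregex, line)}
    return report

if __name__ == "__main__":
    print(diagnose(JAIL_LOCAL, FAILREGEX, SAMPLE_LINE))
```

Run it against your own jail.local and filter by swapping in the real file contents; a jail whose logpath is flagged never reads the log, however well its regex scores in fail2ban-regex.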
