I'm running a CentOS 5.10 32-bit server with fail2ban-0.8.14-1.el5 and
Asterisk 10.7.0. Some p-o-s is constantly trying to hack (my) Asterisk
and /var/log/asterisk/messages is littered with entries like this
every minute or so:
[2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: hacking attempt detected '195.154.56.42'
[2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: Sending fake auth rejection for device 30001<sip:30001@<asterisk-machine-ip>>;tag=8314aeaa
fail2ban is doing nothing about it. In /etc/fail2ban/jail.local I have this:
[asterisk]
enabled = true
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
         iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
         sendmail-whois[name=Asterisk, dest=root, [email protected]]
logpath = /var/log/asterisk/messages
maxretry = 2
and /etc/fail2ban/filter.d/asterisk.conf contains this:
<snip>
failregex =
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
I've tried replacing asterisk.conf with an older version I found here:
http://liberatech.mx/archivos/fail2ban/asterisk.conf but it made no difference.
How can I resolve this and get fail2ban to recognize the hack attempt
and block the offending IP?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
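
An added example, not part of the original post and not fail2ban's own code: it runs the failregex body quoted above against the two log lines from the message and reports which address each pattern captures as <HOST>. Assumptions: PREFIX and HOST are simplified stand-ins for the snipped __prefix_line/log_prefix definitions and for fail2ban's <HOST> substitution, 192.0.2.10 is a constructed server address in place of the redacted one, and HACK_ATTEMPT is a hypothetical pattern for the "hacking attempt detected" line.

```python
import re

# Stand-in for the pattern fail2ban substitutes for its <HOST> tag (assumption).
HOST = r"(?P<host>[\w\-.^_]+)"
# Simplified stand-in for the snipped __prefix_line / log_prefix definitions.
PREFIX = r"^\[[^\]]*\]\s+(?:NOTICE|SECURITY)\[\d+\]:? \S+:\d* "

def compile_failregex(body):
    """Build a testable regex from a failregex body that uses <HOST>."""
    return re.compile(PREFIX + body.replace("<HOST>", HOST))

# Body of the failregex quoted in the post.
FAKE_AUTH = compile_failregex(
    r"(?:handle_request_subscribe: )?Sending fake auth rejection for "
    r"(device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$")
# Hypothetical pattern for the other message in the post's log excerpt.
HACK_ATTEMPT = compile_failregex(r"hacking attempt detected '<HOST>'$")

SERVER_IP = "192.0.2.10"  # constructed; the post redacts the real address
SAMPLE_LOG = [  # the post's two log lines, unwrapped, with SERVER_IP filled in
    "[2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: hacking attempt "
    "detected '195.154.56.42'",
    "[2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: Sending fake auth "
    "rejection for device 30001<sip:30001@" + SERVER_IP + ">;tag=8314aeaa",
]

def captured_hosts(pattern, lines):
    """Return the <HOST> value from every line the pattern matches."""
    return [m.group("host") for m in map(pattern.search, lines) if m]

def remote_hosts(pattern, lines, own_addresses):
    """Captured hosts that are not one of the server's own addresses."""
    return [h for h in captured_hosts(pattern, lines) if h not in own_addresses]

if __name__ == "__main__":
    for name, pat in (("fake auth", FAKE_AUTH), ("hacking attempt", HACK_ATTEMPT)):
        print(name, captured_hosts(pat, SAMPLE_LOG),
              remote_hosts(pat, SAMPLE_LOG, {SERVER_IP}))
```

On these sample lines the quoted pattern captures the address after the @ in the SIP URI, which is the server's own, while the remote address appears only on the "hacking attempt detected" line. The fail2ban-regex tool performs the equivalent check against the real log and filter files.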