On 03/16/2015 03:21 PM, Anthony Griffiths wrote:
> I'm running centos 5.10 32 bit server with fail2ban-0.8.14-1.el5 and
> Asterisk 10.7.0. some p-o-s is constantly trying to hack (my) asterisk
> and /var/log/asterisk/messages is littered with entries like this
> every minute or so:

Do they occur more than <maxretry> times per <findtime> as configured for
your jail?

>
> [2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: hacking attempt
> detected '195.154.56.42'
> [2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: Sending fake auth
> rejection for device
> 30001<sip:30001@<asterisk-machine-ip>>;tag=8314aeaa

If <asterisk-machine-ip> is your server and not the host fail2ban should
block, the regex seems incorrect and should be fixed.

Instead, it seems the regex should check for the "hacking attempt
detected" message above, assuming 195.154.56.42 is the IP which should be
blocked by fail2ban.

> fail2ban is doing nothing about it. In /etc/fail2ban/jail.local I have this:
>
> [asterisk]
>
> enabled = true
> filter = asterisk
> action = iptables-multiport[name=asterisk-tcp, port="5060,5061",
> protocol=tcp]
> iptables-multiport[name=asterisk-udp, port="5060,5061",
> protocol=udp]
> sendmail-whois[name=Asterisk, dest=root,
> [email protected]]
> logpath = /var/log/asterisk/messages
> maxretry = 2
>
> and /etc/fail2ban/filter.d/asterisk.conf contains this:
>
> <snip>
> failregex =
> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
> (?:handle_request_subscribe: )?Sending fake auth rejection for
> (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$

These work for me, so fail2ban should be matching the log message as
expected:

fail2ban-regex "[2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: Sending fake auth rejection for device 30001<sip:[email protected]>;tag=8314aeaa" " (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$"

fail2ban-regex "[2015-03-17 21:06:34] NOTICE[3453] chan_sip.c: Sending fake auth rejection for device 30001<sip:[email protected]>;tag=8314aeaa" /etc/fail2ban/filter.d/asterisk.conf

Can you run the above commands? They should each match one line.

> I've tried replacing asterisk.conf with an older version I found here:
> http://liberatech.mx/archivos/fail2ban/asterisk.conf but it made no
> difference.
>
> how can I resolve this and get fail2ban to recognize the hack attempt
> and block the offending ip?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
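As an added illustration of the point made in the reply (example code written for this page, not from the thread or from fail2ban itself): the script below runs both candidate failregex patterns over constructed log lines modelled on the ones quoted above and shows which address each pattern would hand to fail2ban to ban. It assumes a simplified version of fail2ban's `<HOST>` substitution and a simplified stand-in for `%(__prefix_line)s%(log_prefix)s`; 203.0.113.5 is a placeholder for the redacted <asterisk-machine-ip>.

```python
import re

# Simplified form of what fail2ban 0.8 substitutes for <HOST> (assumption: the real
# substitution has changed across versions, but the named group "host" is what gets banned).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(__prefix_line)s%(log_prefix)s in asterisk.conf (assumption).
PREFIX = r"^\[[^\]]+\]\s+NOTICE\[\d+\]\s+chan_sip\.c:\s+"

# The failregex quoted in the thread, which places <HOST> inside the SIP URI.
FAKE_AUTH_RE = re.compile(
    PREFIX
    + r"(?:handle_request_subscribe: )?Sending fake auth rejection for "
    + r"(device|user) \d*<sip:[^@]+@" + HOST + r">;tag=\w+\S*$"
)

# The alternative the reply suggests: match the "hacking attempt detected" line instead.
HACK_RE = re.compile(PREFIX + r"hacking attempt detected '" + HOST + r"'$")

# Constructed sample lines modelled on the thread; 203.0.113.5 is a documentation
# address standing in for the redacted <asterisk-machine-ip>.
LOG_LINES = [
    "[2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: hacking attempt detected '195.154.56.42'",
    "[2015-03-16 18:46:34] NOTICE[3453] chan_sip.c: Sending fake auth rejection for "
    "device 30001<sip:30001@203.0.113.5>;tag=8314aeaa",
]


def extract_hosts(pattern, lines):
    """Return the <host> capture for every line the pattern matches.

    This is the value fail2ban counts against maxretry and eventually bans, so it is
    the thing to check when a filter "matches" but the wrong address (or none) gets banned.
    """
    return [m.group("host") for m in (pattern.search(line) for line in lines) if m]


if __name__ == "__main__":
    # The quoted regex captures the server's own address; the alternative captures the attacker.
    print("fake-auth regex would ban:", extract_hosts(FAKE_AUTH_RE, LOG_LINES))
    print("hacking-attempt regex would ban:", extract_hosts(HACK_RE, LOG_LINES))
```

Running it shows the quoted failregex extracting the server's own address from the SIP URI, which is why a jail built on it never bans the remote host even though the line "matches".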
