Wrong mailing list.

On Mon, Oct 28, 2013 at 7:30 PM, Roa Jose <[email protected]> wrote:
> Try installing Fail2ban for Linux and enable the plugin for Asterisk.
>
> http://www.fail2ban.org/wiki/index.php/Asterisk
>
>
> On Mon, Oct 28, 2013 at 9:46 AM, Ryan Short <[email protected]> wrote:
>>
>> Hi all,
>>
>> I'm having an issue with a brute-force password attempt not being blocked,
>> and I'm not sure why. There are two rules, as far as I can tell, in the
>> asterisk_rules.xml file; the latter should trigger when the former hits a
>> certain number of failed attempts.
>>
>> The 6210 rule is being hit and is being logged in the alerts.log file:
>>
>> ** Alert 1382974360.1666067: - syslog,asterisk,authentication_failed,
>> 2013 Oct 28 15:32:40 demopbx->/var/log/messages
>> Rule: 6210 (level 5) -> 'Login session failed.'
>> Oct 28 15:32:38 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>>
>> ** Alert 1382974390.1666442: - syslog,asterisk,authentication_failed,
>> 2013 Oct 28 15:33:10 demopbx->/var/log/messages
>> Rule: 6210 (level 5) -> 'Login session failed.'
>> Oct 28 15:33:09 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>>
>> ** Alert 1382974420.1666817: - syslog,asterisk,authentication_failed,
>> 2013 Oct 28 15:33:40 demopbx->/var/log/messages
>> Rule: 6210 (level 5) -> 'Login session failed.'
>> Oct 28 15:33:39 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>>
>> However, nothing is being done about it, as the multiple failed logins rule
>> (6251) is not being triggered.
>>
>>
>> Not sure if this is useful, but when I try to test the rules by
>> performing:
>>
>> cat ossectest | /var/ossec/bin/ossec-logtest -v
>>
>> I get:
>>
>> Trying rule: 6200 - Asterisk messages grouped.
>> *Rule 6200 matched.
>> *Trying child rules.
>> Trying rule: 6201 - Asterisk notice messages grouped.
>> *Rule 6201 matched.
>> *Trying child rules.
>> Trying rule: 6210 - Login session failed.
>> *Rule 6210 matched.
>> *Trying child rules.
>> Trying rule: 6251 - Multiple failed logins.
>> Trying rule: 40111 - Multiple authentication failures.
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '6210'
>> Level: '5'
>> Description: 'Login session failed.'
>> **Alert to be generated.
>>
>> ossectest contains:
>>
>> Oct 28 15:02:17 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:18 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:19 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:20 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:21 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:22 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:23 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:24 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>> Oct 28 15:02:25 demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in handle_request_register: Registration from '"502" <sip:[email protected]>' failed for '85.64.90.98:5063' - Wrong password
>>
>>
>> Not sure if ossec-logtest tests the file as a whole or just takes them
>> line by line.
>>
>>
>> I've tried altering the threshold and the number of failed attempts before a
>> block occurs, because I noticed they're only trying a connection every 30
>> seconds and wasn't sure if they were bypassing the checks like that. The two
>> rules are as follows:
>>
>> <rule id="6210" level="5">
>>   <if_sid>6201</if_sid>
>>   <match>Wrong password</match>
>>   <description>Login session failed.</description>
>>   <group>authentication_failed,</group>
>> </rule>
>>
>> <rule id="6251" level="10" frequency="2">
>>   <if_matched_sid>6210</if_matched_sid>
>>   <same_source_ip />
>>   <description>Multiple failed logins.</description>
>> </rule>
>>
>>
>> I tried 6251 with a threshold of the default 300 and an increased 600.
>>
>>
>> Any help would be appreciated.
>>
>>
>>
>> Best Regards
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
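The 6210/6251 pair quoted above correlates per-source-IP "Wrong password" hits inside a timeframe. As an added example, not code from the thread or from OSSEC, the Python below parses the chan_sip failure line, applies a simplified per-IP sliding window with the rule's `frequency` and `timeframe`, and shows that the 30-second cadence in the question does not slip past a 300-second window (a constructed sample with a TEST-NET address stands in for the real log; OSSEC's own trigger counting is not reproduced exactly).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip registration-failure NOTICE quoted in the thread and
# captures the syslog timestamp and the source IP from "failed for 'IP:port'".
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ asterisk\[\d+\]: "
    r".*handle_request_register: Registration from .* failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - Wrong password$"
)

def make_sample(n=10, spacing=30):
    """Constructed sample log: n identical failures from one TEST-NET source,
    `spacing` seconds apart, mirroring the 30 s cadence seen in the thread."""
    base = datetime(2013, 10, 28, 15, 32, 38)
    tmpl = ("{ts} demopbx asterisk[3545]: NOTICE[3609]: chan_sip.c:27919 in "
            "handle_request_register: Registration from '\"502\" "
            "<sip:502@203.0.113.10>' failed for '203.0.113.10:5063' - Wrong password")
    return "\n".join(
        tmpl.format(ts=(base + timedelta(seconds=i * spacing)).strftime("%b %d %H:%M:%S"))
        for i in range(n)
    )

def parse_failures(log_text, year=2013):
    """Return [(timestamp, source_ip)] for each line rule 6210 would match.
    Syslog lines carry no year, so one is assumed."""
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            hits.append((ts, m["ip"]))
    return hits

def correlate(log_text, frequency=2, timeframe=300):
    """Simplified model of rule 6251 (<if_matched_sid>6210 + <same_source_ip/>):
    fire when `frequency` 6210 hits from one IP fall inside `timeframe` seconds.
    The real OSSEC engine's trigger arithmetic is not reproduced exactly."""
    window = defaultdict(deque)
    alerts = []
    for ts, ip in parse_failures(log_text):
        q = window[ip]
        while q and (ts - q[0]).total_seconds() > timeframe:
            q.popleft()          # drop hits that have aged out of the window
        q.append(ts)
        if len(q) >= frequency:
            alerts.append((ip, ts.strftime("%b %d %H:%M:%S")))
            q.clear()            # reset so a sustained attack keeps alerting
    return alerts
```

`correlate(make_sample(), 2, 300)` returns five alerts for ten attempts 30 s apart, while `correlate(make_sample(), 2, 20)` returns none, which is the difference between a window that outlasts the attacker's cadence and one that does not.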
