Re: [asterisk-users] fail2ban does not work for my asterisk installation
Kyle Kienapfel doctor.whom at gmail.com writes:

> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)
>
> I don't see slashes in front of the brackets on what you posted to the mailing list.
> I'm posting my config to see if the mailing list mangles it or not.

I think Kyle found the OP's issue.

Additionally, the - ACL error (permit/deny) log message was found in asterisk 1.2.x and no longer seems to occur in the later versions of asterisk.

Lonnie

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] fail2ban does not work for my asterisk installation
Thank you doctor whom, It is working for me now.
Re: [asterisk-users] fail2ban does not work for my asterisk installation
Thanks for your reply. My configuration is correct. It works with ssh: many attacks have been stopped. Also, the config has worked for asterisk one time: I have seen that in the fail2ban.log file.
Re: [asterisk-users] fail2ban does not work for my asterisk installation
On Mon, Aug 2, 2010 at 12:15 PM, mosbah abdelkader mosbah.abdelka...@gmail.com wrote:

> Thanks for your reply.
> My configuration is correct. It works with ssh: many attacks have been stopped.
> Also, the config has worked for asterisk one time: I have seen that in the fail2ban.log file.

p...@prometheus:/var/log/asterisk# sudo cat /etc/fail2ban/filter.d/asterisk.conf
# http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named host. The tag <HOST> can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
p...@prometheus:/var/log/asterisk# sudo

I don't see slashes in front of the brackets on what you posted to the mailing list. I'm posting my config to see if the mailing list mangles it or not.
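Why the backslashes matter, as an added example (not code from the thread or from fail2ban): the log entry from the original post is checked against the last failregex with and without the brackets escaped. The helper names are hypothetical, and a plain `<HOST>` substitution followed by `re.search` is a simplified stand-in for fail2ban's own matching.

```python
import re

# Expansion of fail2ban's <HOST> tag, as given in the filter's own comments.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Log entry from the original post (caller field elided as on the page).
LOG_LINE = ("2010-08-01 07:00:13 NOTICE[22540] chan_sip.c: Registration from "
            "'123456sip:123...@' failed for '193.158.62.48' - ACL error (permit/deny)")

PREFIX = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error "
UNESCAPED = PREFIX + r"(permit/deny)"    # as posted in the question
ESCAPED = PREFIX + r"\(permit/deny\)"    # as in the working filter


def banned_host(failregex, line):
    """Return the host the failregex captures from line, or None if it misses."""
    match = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return match.group("host") if match else None


def unescaped_groups(failregex):
    """List plain (...) groups; each is regex grouping, not literal brackets."""
    return re.findall(r"(?<!\\)\(([^?)][^)]*)\)", failregex)


def audit(failregexes, line):
    """Return (pattern, captured host, suspicious groups) for each pattern."""
    return [(rx, banned_host(rx, line), unescaped_groups(rx)) for rx in failregexes]


if __name__ == "__main__":
    for rx, host, groups in audit([UNESCAPED, ESCAPED], LOG_LINE):
        print(f"host={host!s:<15} unescaped groups={groups}  {rx}")
```

The unescaped pattern expects the text `ACL error permit/deny` with no brackets, so the scan in the log never registers as a failure and no ban is issued.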
[asterisk-users] fail2ban does not work for my asterisk installation
The failregex statement in my jail.conf file is:

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)

This is a log entry in /var/log/asterisk/full that shows the scan being performed:

2010-08-01 07:00:13 NOTICE[22540] chan_sip.c: Registration from '123456sip:123...@' failed for '193.158.62.48' - ACL error (permit/deny)

The problem is that fail2ban does not detect this attack that was performed for an amount of time of about half an hour.

Please help me identify the problem.
Re: [asterisk-users] fail2ban does not work for my asterisk installation
On Sun, Aug 1, 2010 at 2:27 PM, mosbah abdelkader mosbah.abdelka...@gmail.com wrote:

> The failregex statement in my jail.conf file is:

Aren't the regex supposed to be in filters/myjail.conf?

Are you testing the regex with the fail2ban-regex client? Maybe you need to avoid some of the quotes and simplify the expressions, then play with the regex tests.

/r