Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13
Hi Rainer,

On 15-09-14 09:07, Rainer Piper wrote:
> Hi,
>
> Info !!! not a question !!!
>
> the pjsip logger is different:
>
> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>
> and here the RegEx for fail2ban to catch this log:
>
> |NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found

Thanks for sharing. If you use github it would be nice if you could submit a pull request so that it becomes part of the Asterisk rules in the next Fail2ban version (0.9.1).

https://github.com/fail2ban/fail2ban/pulls

HTH,
Patrick

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13
On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock patr...@laimbock.com wrote:
> Hi Rainer,
>
> On 15-09-14 09:07, Rainer Piper wrote:
>> Hi,
>>
>> Info !!! not a question !!!
>>
>> the pjsip logger is different:
>>
>> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>>
>> and here the RegEx for fail2ban to catch this log:
>>
>> |NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found
>
> Thanks for sharing. If you use github it would be nice if you could submit a pull request so that it becomes part of the Asterisk rules in the next Fail2ban version (0.9.1).
>
> https://github.com/fail2ban/fail2ban/pulls
>
> HTH,
> Patrick

Why would you not use the SECURITY log format, which has the exact same format between chan_sip and chan_pjsip, and has a consistent format from Asterisk 10+?

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com http://asterisk.org
Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13
On 15.09.2014 at 15:26, Matthew Jordan wrote:
> On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock patr...@laimbock.com wrote:
>> Hi Rainer,
>>
>> On 15-09-14 09:07, Rainer Piper wrote:
>>> Hi,
>>>
>>> Info !!! not a question !!!
>>>
>>> the pjsip logger is different:
>>>
>>> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>>>
>>> and here the RegEx for fail2ban to catch this log:
>>>
>>> |NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found
>>
>> Thanks for sharing. If you use github it would be nice if you could submit a pull request so that it becomes part of the Asterisk rules in the next Fail2ban version (0.9.1).
>>
>> https://github.com/fail2ban/fail2ban/pulls
>>
>> HTH,
>> Patrick
>
> Why would you not use the SECURITY log format, which has the exact same format between chan_sip and chan_pjsip, and has a consistent format from Asterisk 10+?
>
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
>
> --
> Matthew Jordan
> Digium, Inc. | Engineering Manager
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com http://asterisk.org

Thanks for security_log = security

Ok ... I switched the security_log = security in logger.conf on and I'm going to write a RegEx for Fail2ban.

log sample - security log of wrong password:

[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: SecurityEvent=ChallengeResponseFailed,EventTV=2014-09-15T15:51:26.126+0200,Severity=Error,Service=PJSIP,EventVersion=1,AccountID=7002,SessionID=80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10,LocalAddress=IPV4/UDP/178.5.154.91/5072,RemoteAddress=IPV4/UDP/192.168.8.10/6012,Challenge=1410789078/000dd605e4bd1b6dd7488afafafafafaf,Response=8fc17a017a3ac5eea21ca86c6c0f5ee8,ExpectedResponse=

--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de
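Added example (not part of the thread, and not the Fail2ban project's own rule): a small Python harness that runs the posted NOTICE regex and a hypothetical SECURITY-log regex over the two sample lines quoted above, and checks that the address selected for banning is the remote peer rather than the address inside the From URI or the server's own LocalAddress. The `HOST_GROUP` stand-in for fail2ban's `<HOST>` tag (IPv4 only), the `security-event` pattern, the rule names and the successful-login line are assumptions made for this example; the leading `|` of the posted regex is treated as mail formatting and dropped.

```python
import re

# Stand-in for fail2ban's <HOST> tag. Assumption: IPv4 only; fail2ban itself
# substitutes a broader host/address group.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEX = {
    # Regex posted in the thread (leading "|" dropped as mail markup: assumption).
    "pjsip-notice": r"NOTICE.* .*: Request from '.*' failed for "
                    r"'<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found",
    # Hypothetical rule for the security log; keyed on RemoteAddress only.
    "security-event": r'SECURITY.* .*: SecurityEvent="?ChallengeResponseFailed"?,'
                      r'.*,RemoteAddress="?IPV4/[A-Z]+/<HOST>/[0-9]{1,5}"?',
}

def compile_failregex(pattern):
    """Expand the <HOST> tag; this sketch expects exactly one per pattern."""
    if pattern.count("<HOST>") != 1:
        raise ValueError("pattern must contain exactly one <HOST>")
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

RULES = {name: compile_failregex(p) for name, p in FAILREGEX.items()}

def offending_host(line):
    """Return (rule name, address to ban) for a log line, or None."""
    for name, rx in RULES.items():
        if (m := rx.search(line)):
            return name, m.group("host")
    return None

# Both failure lines are the samples quoted in the thread.
NOTICE_LINE = ("[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: "
    "Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' "
    "(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found")
SECURITY_LINE = ("[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: "
    "SecurityEvent=ChallengeResponseFailed,EventTV=2014-09-15T15:51:26.126+0200,"
    "Severity=Error,Service=PJSIP,EventVersion=1,AccountID=7002,"
    "SessionID=80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10,"
    "LocalAddress=IPV4/UDP/178.5.154.91/5072,RemoteAddress=IPV4/UDP/192.168.8.10/6012,"
    "Challenge=1410789078/000dd605e4bd1b6dd7488afafafafafaf,"
    "Response=8fc17a017a3ac5eea21ca86c6c0f5ee8,ExpectedResponse=")
# Constructed sample: a successful login must not produce a ban candidate.
OK_LINE = ("[Sep 15 15:52:01] SECURITY[17378] res_security_log.c: "
    "SecurityEvent=SuccessfulAuth,Service=PJSIP,AccountID=7002,"
    "RemoteAddress=IPV4/UDP/192.168.8.10/6012")

if __name__ == "__main__":
    for sample in (NOTICE_LINE, SECURITY_LINE, OK_LINE):
        print(offending_host(sample))
```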
Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13
Hi Patrick,

github done ;-)

what is HTH ???

On 15.09.2014 at 13:21, Patrick Laimbock wrote:
> Hi Rainer,
>
> On 15-09-14 09:07, Rainer Piper wrote:
>> Hi,
>>
>> Info !!! not a question !!!
>>
>> the pjsip logger is different:
>>
>> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>>
>> and here the RegEx for fail2ban to catch this log:
>>
>> |NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found
>
> Thanks for sharing. If you use github it would be nice if you could submit a pull request so that it becomes part of the Asterisk rules in the next Fail2ban version (0.9.1).
>
> https://github.com/fail2ban/fail2ban/pulls
>
> HTH,
> Patrick

--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de
Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13
(this is not where your reply belongs)

On Monday 15 Sep 2014, Rainer Piper wrote:
> Hi Patrick,
>
> github done ;-)
>
> what is HTH ???

HTH == Hope That Helps.

--
AJS

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13
oh ... thanks :-[

On 15.09.2014 at 17:30, A J Stiles wrote:
> (this is not where your reply belongs)
>
> On Monday 15 Sep 2014, Rainer Piper wrote:
>> Hi Patrick,
>>
>> github done ;-)
>>
>> what is HTH ???
>
> HTH == Hope That Helps.

--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de
Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13
On 15-09-14 17:22, Rainer Piper wrote:
> Hi Patrick,
>
> github done ;-)

Thanks!

> what is HTH ???

Hope this/that helps

http://www.internetslang.com/
http://www.urbandictionary.com/define.php?term=internet%20slang

HTH :)
Patrick