Re: [asterisk-users] Fail2ban for asterisk 16 PJSIP

2019-06-08 Thread Administrator TOOTAI
On 08/06/2019 at 05:20, John T. Bittner wrote: Hopefully, this helps someone else. This seems to be working for me. # Fail2Ban configuration file [INCLUDES] #before = common.conf [Definition] failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed for ':.*' .* - No matching

Re: [asterisk-users] Fail2ban for asterisk 16 PJSIP

2019-06-07 Thread John T. Bittner
-boun...@lists.digium.com] On Behalf Of John T. Bittner Sent: Thursday, June 6, 2019 3:40 PM To: asterisk-users@lists.digium.com Subject: [asterisk-users] Fail2ban for asterisk 16 PJSIP Hello Anyone have a working copy of Fail2ban asterisk filter asterisk.conf for Asterisk 16 running PJSIP. I have

[asterisk-users] Fail2ban for asterisk 16 PJSIP

2019-06-06 Thread John T. Bittner
Hello Anyone have a working copy of Fail2ban asterisk filter asterisk.conf for Asterisk 16 running PJSIP. I have tried 10 different filters but none of them show any matches when testing with fail2ban-regex I see date template hits but no matches My log [2019-06-06 15:37:20] NOTICE[18081]

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-25 Thread Ludovic Gasc
2017-03-02 16:38 GMT+01:00 Patrick Laimbock : > This commit mentions improved pjsip support: > > https://github.com/fail2ban/fail2ban/commit/f85fb45b29768f68 > 7546ba25f805977cf00b6e43 > > I confirm that we have improved asterisk pjsip support in fail2ban, however, I think

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Patrick Laimbock
On 02-03-17 13:52, Bryant Zimmerman wrote: John V Are you using pjsip? We are have several test servers and I just checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated for pjsip implementations. Looking at the security log files and the regex I noticed that some items are

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Bryant Zimmerman
iscussion" <asterisk-users@lists.digium.com> Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1 If this is a small site, I recommend you download the free version of SecAst (www.telium.ca) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match etc.inst

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Julie M
On Thursday 02 Mar 2017, Telium Technical Support wrote: > If this is a small site, I recommend you download the free version of > SecAst (www.telium.ca ) and replace fail2ban. > SecAst does NOT use the log file, or regexes, to match etc.instead it > talks to Asterisk

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Telium Technical Support
terisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Tech Support Sent: Wednesday, March 1, 2017 2:37 PM To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users@lists.digium.com> Subject: Re: [asterisk-users] fail2ban Aste

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Tech Support
'findtime' is the culprit. Regards; John V. From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Motty Cruz Sent: Wednesday, March 01, 2017 01:29 PM To: 'Asterisk Users Mailing List - Non-Commercial Discussion' Subject: [asterisk-users

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Антон Сацкий
Think that U should ask in Fail2ban LIST 2017-03-01 20:29 GMT+02:00 Motty Cruz : > Hello, fail2ban does not ban offending IP. > > > > NOTICE[29784] chan_sip.c: Registration from > '"user3"' > failed for 'offending-IP:53417' - Wrong password > >

[asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Motty Cruz
Hello, fail2ban does not ban offending IP. NOTICE[29784] chan_sip.c: Registration from '"user3"' failed for 'offending-IP:53417' - Wrong password NOTICE[29784] chan_sip.c: Registration from '"user3"' failed for ‘offending-IP:53911' -

Re: [asterisk-users] Fail2ban

2015-09-14 Thread Gokan Atmaca
I solved the problem. "action.d/iptables-custom.conf" include only udp. service fail2ban restart Thank you. On Sun, Sep 13, 2015 at 9:17 PM, Andres wrote: > On 9/13/15 11:16 AM, Gokan Atmaca wrote: >> >> Hello >> >> I'm using the Fail2ban. I configuration below. I want to

Re: [asterisk-users] Fail2ban

2015-09-14 Thread Steve Edwards
On Mon, 14 Sep 2015, Gokan Atmaca wrote: Another problem is too late to do the ban. The reason for this yetmemse of CPU power. I'm simulating an attack. Of course, eating CPU. One reason, now forbids. Abstracts must be strong if we are eating our resources is a serious attack. The problem

Re: [asterisk-users] Fail2ban

2015-09-14 Thread Gokan Atmaca
Another problem is too late to do the ban. The reason for this yetmemse of CPU power. I'm simulating an attack. Of course, eating CPU. One reason, now forbids. Abstracts must be strong if we are eating our resources is a serious attack. On Mon, Sep 14, 2015 at 9:14 AM, Gokan Atmaca

Re: [asterisk-users] Fail2ban

2015-09-13 Thread Carlos Chavez
On 2015-09-13 10:16, Gokan Atmaca wrote: Hello I'm using the Fail2ban. I configuration below. I want to try to prevent the continuous password. Fail2ban password that does not prevent this form. (Asterisk 1.8 / Elastix interface) What could be the problem ? Asterisk log; "Registration from

Re: [asterisk-users] Fail2ban

2015-09-13 Thread Gokan Atmaca
>> >> I'm using the Fail2ban. I configuration below. I want to try to >> prevent the continuous password. Fail2ban password that does not >> prevent this form. (Asterisk 1.8 / Elastix interface) >> hi Asterisk version 1.8 Fail2ban version 0.8.14 config:

[asterisk-users] Fail2ban

2015-09-13 Thread Gokan Atmaca
Hello I'm using the Fail2ban. I configuration below. I want to try to prevent the continuous password. Fail2ban password that does not prevent this form. (Asterisk 1.8 / Elastix interface) What could be the problem ? Asterisk log; "Registration from '' failed

Re: [asterisk-users] Fail2ban

2015-09-13 Thread Andres
On 9/13/15 11:16 AM, Gokan Atmaca wrote: Hello I'm using the Fail2ban. I configuration below. I want to try to prevent the continuous password. Fail2ban password that does not prevent this form. (Asterisk 1.8 / Elastix interface) What could be the problem ? Asterisk log; "Registration from

Re: [asterisk-users] Fail2ban

2015-09-13 Thread Technical Support
I'm using the Fail2ban. I configuration below. I want to try to prevent the continuous password. Fail2ban password that does not prevent this form. (Asterisk 1.8 / Elastix interface) Is this a home/small installation? If so try SecAst (from www.telium.ca) as a free drop in replacement for

[asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper
Hi, Info !!! not a question !!! the pjsip logger is different: [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found and here the RegEx

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Patrick Laimbock
Hi Rainer, On 15-09-14 09:07, Rainer Piper wrote: Hi, Info !!! not a question !!! the pjsip logger is different: [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc)

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Matthew Jordan
On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock patr...@laimbock.com wrote: Hi Rainer, On 15-09-14 09:07, Rainer Piper wrote: Hi, Info !!! not a question !!! the pjsip logger is different: [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper
On 15.09.2014 at 15:26, Matthew Jordan wrote: On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock patr...@laimbock.com wrote: Hi Rainer, On 15-09-14 09:07, Rainer Piper wrote: Hi, Info !!! not a question !!! the pjsip logger is

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper
Hi Patrick, github done ;-) what is HTH ??? On 15.09.2014 at 13:21, Patrick Laimbock wrote: Hi Rainer, On 15-09-14 09:07, Rainer Piper wrote: Hi, Info !!! not a question !!! the pjsip logger is different: [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread A J Stiles
(this is not where your reply belongs) On Monday 15 Sep 2014, Rainer Piper wrote: Hi Patrick, github done ;-) what is HTH ??? HTH == Hope That Helps. -- AJS Note: Originating address only accepts e-mail from list! If replying off- list, change address to asterisk1list at earthshod

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper
oh ... thanks :-[ On 15.09.2014 at 17:30, A J Stiles wrote: (this is not where your reply belongs) On Monday 15 Sep 2014, Rainer Piper wrote: Hi Patrick, github done ;-) what is HTH ??? HTH == Hope That Helps. -- *Rainer Piper* Integration engineer Koeslinstr. 56 53123 BONN GERMANY

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Patrick Laimbock
On 15-09-14 17:22, Rainer Piper wrote: Hi Patrick, github done ;-) Thanks! what is HTH ??? Hope this/that helps http://www.internetslang.com/ http://www.urbandictionary.com/define.php?term=internet%20slang HTH :) Patrick --

[asterisk-users] fail2ban filter issue

2013-03-05 Thread eherr
Not sure if this has been answered but I cannot find a solution. I am running Asterisk 1.4.26.3 I am seeing the following lines in my log files: A: [2013-03-05 13:54:27] NOTICE[6928] chan_sip.c: Failed to authenticate user sip:192.210.138.12;tag=DmVIjOlfYiiL B: [2013-03-05

Re: [asterisk-users] fail2ban filter issue

2013-03-05 Thread John Novack
eherr wrote: Not sure if this has been answered but I cannot find a solution. I am running Asterisk 1.4.26.3 Very VERY old. If you need to continue in 1.4, you should really up to the last 1.4.44 Many MANY changes and broken changes between 1.4.26 and 1.4.44 John Novack I am seeing the

[asterisk-users] fail2ban restarts

2012-01-29 Thread eherr
I have fail2ban running on my Asterisk box. Every so often I receive emails stating that the jails stopped and then started. Why does this happen? Why isn't it just continuously running? Thanks, -E

Re: [asterisk-users] fail2ban restarts

2012-01-29 Thread Barry Miller
On Sun, Jan 29, 2012 at 09:48:47AM -0500, eherr wrote: I have fail2ban running on my Asterisk box. Every so often I receive emails stating that the jails stopped and then started. Why does this happen? Why isn't it just continuously running? fail2ban is restarted when it switches its log

Re: [asterisk-users] fail2ban + asterisk

2011-03-07 Thread Matt Darnell
On Sat, Mar 5, 2011 at 8:54 PM, Pezhman Lali l...@lopl.net wrote: Dear this note is only for fresh administrators don't think about asterisk security. Do you know where you go to 'un-ban' an IP if they made some mistake? Using webmin I was not able to find the IP address that was banned.

Re: [asterisk-users] fail2ban + asterisk

2011-03-07 Thread Matt Darnell
On Mon, Mar 7, 2011 at 9:15 AM, Jamie A. Stapleton jstaple...@computer-business.com wrote: iptables -L -v will give you the IP address that was banned -Original Message- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of

Re: [asterisk-users] fail2ban + asterisk

2011-03-07 Thread David Quinton
On Mon, 7 Mar 2011 08:50:27 -1000, Matt Darnell mattdarn...@gmail.com wrote: On Sat, Mar 5, 2011 at 8:54 PM, Pezhman Lali l...@lopl.net wrote: Dear this note is only for fresh administrators don't think about asterisk security. Do you know where you go to 'un-ban' an IP if they made some

[asterisk-users] fail2ban + asterisk

2011-03-05 Thread Pezhman Lali
Dear this note is only for fresh administrators don't think about asterisk security. I found fail2ban very useful for anti asterisk hacking, so I want to share it with fresh admins. some hackers try your sip or iax2 ip with a lot of username/password, may be after 1 million try, one

[asterisk-users] Fail2Ban CSF

2011-01-12 Thread Jonas Kellens
Hello list, anyone knows if fail2ban works together with CSF (http://www.configserver.com/cp/csf.html) ?? I use CSF for blocking port scanning and blocking of IP-addresses. I wonder if fail2ban will overwrite rules in iptables of CSF and vice versa. Kind regards, Jonas.

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-09-01 Thread Nikhil Nair
Hi guys, Interesting discussion - I learnt quite a bit. Thanks. That said, no one's yet answered my two original questions. Anyone know? To repeat: 1. When I used the line dateformat=%F %T in the general section of logger.conf, the format in /var/log/asterisk/full did change, but the

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-31 Thread Gordon Henderson
On Mon, 30 Aug 2010, J. Oquendo wrote: Gordon Henderson wrote: On Mon, 30 Aug 2010, J. Oquendo wrote: I also posted a very effective iptables script some weeks ago if you care to search the archives. It works and is extremely effective in blocking these types of attacks - however, it will

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-31 Thread Randy R
On Tue, Aug 31, 2010 at 8:30 AM, Gordon Henderson gordon+aster...@drogon.net wrote: 3) Contact the UPSTREAM of the attacking host? Yes. No reply. And in the few times I've tried, I've only ever had a reply from Amazon - some 18 hours after the flood started and then it took another 12 hours

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-31 Thread Gordon Henderson
On Tue, 31 Aug 2010, Randy R wrote: On Tue, Aug 31, 2010 at 8:30 AM, Gordon Henderson gordon+aster...@drogon.net wrote: 3) Contact the UPSTREAM of the attacking host? Yes. No reply. And in the few times I've tried, I've only ever had a reply from Amazon - some 18 hours after the flood

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-31 Thread Randy R
On Tue, Aug 31, 2010 at 7:09 PM, Gordon Henderson gordon+aster...@drogon.net wrote: Their whole system is designed as a device to waste the time effort of those trying to submit reports, etc. to them. This is not the right list for the following comment, but vested interests always ruin life.

[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-30 Thread Nikhil Nair
Hi, I've recently had a fairly prolonged SIP registration attack, 18 hours in this case and often with 200 attempts per second, and suspect I've had a number of these in the past. The main symptom I noticed previously was, because Asterisk was responding to each registration request it

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-30 Thread Gordon Henderson
On Mon, 30 Aug 2010, Nikhil Nair wrote: Hi, I've recently had a fairly prolonged SIP registration attack, 18 hours in this case and often with 200 attempts per second, and suspect I've had a number of these in the past. Almost everyone has - read the fine archives, then google for

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-30 Thread J. Oquendo
Gordon Henderson wrote: So.. Get a copy of the sipvicious code from http://blog.sipvicious.org/ (or directly from http://code.google.com/p/sipvicious/ ) and learn how to use svcrash.py as that's the only thing that's going to ultimately stop a long-term attack on your site. For now,

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-30 Thread Gordon Henderson
On Mon, 30 Aug 2010, J. Oquendo wrote: How about a little cron script without having to install anything? You could run it off the hour: rightnow=`date +%Y-%m-%d %k` grep $rightnow /var/log/asterisk/messages |\ awk '/No matching peer/' | sed's:'\''::g' |\ uniq | awk '{print iptables -A

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-30 Thread J. Oquendo
Gordon Henderson wrote: On Mon, 30 Aug 2010, J. Oquendo wrote: I also posted a very effective iptables script some weeks ago if you care to search the archives. It works and is extremely effective in blocking these types of attacks - however, it will not stop a broken sipvicious from

Re: [asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

2010-08-30 Thread Jian Gao
On 10-08-30 01:53 PM, J. Oquendo wrote: Gordon Henderson wrote: On Mon, 30 Aug 2010, J. Oquendo wrote: I also posted a very effective iptables script some weeks ago if you care to search the archives. It works and is extremely effective in blocking these types of attacks - however,

Re: [asterisk-users] fail2ban does not work for my asterisk installation

2010-08-03 Thread Lonnie Abelbeck
Kyle Kienapfel doctor.whom at gmail.com writes: NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\) I don't see slashes in front of the brackets on what you posted to the mailing list. I'm posting my config to see if the mailing list mangles it

Re: [asterisk-users] fail2ban does not work for my asterisk installation

2010-08-03 Thread mosbah abdelkader
Thank you doctor whom, It is working for me now.

Re: [asterisk-users] fail2ban does not work for my asterisk installation

2010-08-02 Thread mosbah abdelkader
Thanks for your reply. My configuration is correct. It works with ssh: many attacks have been stopped. Also, the config has worked for asterisk one time: I have seen that in the fail2ban.log file.

Re: [asterisk-users] fail2ban does not work for my asterisk installation

2010-08-02 Thread Kyle Kienapfel
On Mon, Aug 2, 2010 at 12:15 PM, mosbah abdelkader mosbah.abdelka...@gmail.com wrote: Thanks for your reply. My configuration is correct. It works with ssh: many attacks have been stopped. Also, the config has worked for asterisk one time: I have seen that in the fail2ban.log file. --

[asterisk-users] fail2ban does not work for my asterisk installation

2010-08-01 Thread mosbah abdelkader
The failregex statement in my jail.conf file is: failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' -

Re: [asterisk-users] fail2ban does not work for my asterisk installation

2010-08-01 Thread Randy R
On Sun, Aug 1, 2010 at 2:27 PM, mosbah abdelkader mosbah.abdelka...@gmail.com wrote: The failregex statement in my jail.conf file is: Aren't the regex supposed to be in filters/myjail.conf ? Are you testing the regex with the fail2ban-regex client? Maybe you need to avoid some of the quotes

Re: [asterisk-users] Fail2ban - SuSEfirewall

2010-07-27 Thread Brent A. Torrenga
The problem sounds like fail2ban is failing to write the new rules to a permanent file, which would otherwise allow the rules to persist after a reboot. Tilghman, That is exactly right. I'm thinking I need to revise the SuSEfirewall init scripts to follow up with restarting fail2ban,

[asterisk-users] Fail2ban - SuSEfirewall

2010-07-26 Thread Brent A. Torrenga
I have tried to setup fail2ban on a machine running OpenSuSE 11. Everything looks fine, except the machine restarts the firewall whenever the DHCP lease is renewed, thus flushing all the fail2ban rules (I think.). It seems to me that a quick fix would be to have the system restart fail2ban

Re: [asterisk-users] Fail2ban - SuSEfirewall

2010-07-26 Thread Randy R
On Mon, Jul 26, 2010 at 10:36 AM, Brent A. Torrenga li...@torrenga.com wrote: I have tried to setup fail2ban on a machine running OpenSuSE 11.  Everything looks fine, except the machine restarts the firewall whenever the DHCP lease is renewed, thus flushing all the fail2ban rules (I think…). 

Re: [asterisk-users] Fail2ban - SuSEfirewall

2010-07-26 Thread John Novack
Randy R wrote: On Mon, Jul 26, 2010 at 10:36 AM, Brent A. Torrenga li...@torrenga.com wrote: I have tried to setup fail2ban on a machine running OpenSuSE 11. Everything looks fine, except the machine restarts the firewall whenever the DHCP lease is renewed, thus flushing all the

Re: [asterisk-users] Fail2ban - SuSEfirewall

2010-07-26 Thread Randy R
On Mon, Jul 26, 2010 at 12:19 PM, John Novack jnov...@stromberg-carlson.org wrote: Why isn't the Asterisk box on a static IP on the LAN? That seems to be asking for trouble using DHCP. I was assuming he meant the ISP DHCP renewal. /r --

Re: [asterisk-users] Fail2ban - SuSEfirewall

2010-07-26 Thread Tilghman Lesher
On Monday 26 July 2010 14:19:58 John Novack wrote: Randy R wrote: On Mon, Jul 26, 2010 at 10:36 AM, Brent A. Torrenga li...@torrenga.com wrote: I have tried to setup fail2ban on a machine running OpenSuSE 11. Everything looks fine, except the machine restarts the firewall whenever the

Re: [asterisk-users] Fail2ban - SuSEfirewall

2010-07-26 Thread Kevin Keane
-Original Message- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of John Novack Sent: Monday, July 26, 2010 12:20 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] Fail2ban