Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-25 Thread Ludovic Gasc
2017-03-02 16:38 GMT+01:00 Patrick Laimbock :

> This commit mentions improved pjsip support:
>
> https://github.com/fail2ban/fail2ban/commit/f85fb45b29768f687546ba25f805977cf00b6e43
>
>
I confirm that we have improved Asterisk pjsip support in fail2ban; however,
I think we might still have some corner cases not covered by our patches.

For now, we have finally enabled security logs for two main reasons: it works for
everything out of the box, and it generates fewer logs than pjsip or chan_sip, so
fail2ban consumes less CPU time parsing logs.

--
Ludovic Gasc (GMLudo)
Lead Developer Architect at ALLOcloud
https://be.linkedin.com/in/ludovicgasc


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Patrick Laimbock

On 02-03-17 13:52, Bryant Zimmerman wrote:

John V

Are you using pjsip? We have several test servers and I just
checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated
for pjsip implementations.  Looking at the security log files and the
regex I noticed that some items are being banned but others are not, due
to changes in the messages for pjsip.
Anyone got an updated asterisk.conf for fail2ban?


The latest upstream version of asterisk.conf can be found here:

https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/asterisk.conf

This commit mentions improved pjsip support:

https://github.com/fail2ban/fail2ban/commit/f85fb45b29768f687546ba25f805977cf00b6e43

HTH,
Patrick





Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Bryant Zimmerman
John V

 Are you using pjsip? We have several test servers and I just checked my 
/etc/fail2ban/filter.d/asterisk.conf and it is not updated for pjsip 
implementations.  Looking at the security log files and the regex I noticed 
that some items are being banned but others are not, due to changes in the 
messages for pjsip.
 Anyone got an updated asterisk.conf for fail2ban?

 Bryant



 From: "Telium Technical Support" <supp...@telium.ca>
Sent: Wednesday, March 1, 2017 9:54 PM
To: "Asterisk Users Mailing List - Non-Commercial Discussion" 
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1

If this is a small site, I recommend you download the free version of SecAst 
(www.telium.ca) and replace fail2ban.  SecAst does NOT use the log file, or 
regexes, to match etc.instead it talks to Asterisk through the AMI to extract 
security information.  Messing with regexes is a losing battle, and the lag in 
reading logs can allow an attacker 100+ registration attempts before fail2ban 
even does anything (assuming the IP is exposed in the Asterisk log).



If this is a large install then post in the commercial list for more 
information.



-Raj-



From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Tech Support
Sent: Wednesday, March 1, 2017 2:37 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' 
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1



It's possible that you need to increase the value of 'findtime' to 
something greater than 300 secs. You also may want to set "timestamp = yes" in 
asterisk.conf so each line in the CLI will be time stamped. Time stamping it 
will be the definitive determination on whether or not the 'findtime' is the 
culprit.

Regards;

John V.



From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Motty Cruz
Sent: Wednesday, March 01, 2017 01:29 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] fail2ban Asterisk 13.13.1



Hello, fail2ban does not ban offending IP.



NOTICE[29784] chan_sip.c: Registration from 
'"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong 
password

NOTICE[29784] chan_sip.c: Registration from 
'"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53911' - Wrong 
password





# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime  = 300



[asterisk-iptables]

enable = true

port = 5060,5061

filter   = asterisk

action   = iptables-allports[name=ASTERISK, protocol=all]

  sendmail[name=ASTERISK, dest=mo...@email.com, 
sender=fail2...@asterisk-ip.com]

#action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", 
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

   %(banaction)s[name=%(__name__)s-udp, port="%(port)s", 
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

   %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]

logpath  = /var/log/asterisk/messages

maxretry = 3

findtime  = 300

bantime  = -1





in filter.d

asterisk.conf

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed 
for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching 
peer found|Not a local domain|Device does not match ACL|Peer is not supposed to 
register|ACL error \(permit/deny\)|Not a local domain)$

^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) 
to extension '[^']*' rejected because extension not found in context

^%(__prefix_line)s%(log_prefix)s Host  failed to authenticate 
as '[^']*'$

^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' 
\(from \)$

^%(__prefix_line)s%(log_prefix)s Host  failed MD5 
authentication for '[^']*' \([^)]+\)$

^%(__prefix_line)s%(log_prefix)s Failed to authenticate 
(user|device) [^@]+@\S*$

^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$

^%(__prefix_line)s%(log_prefix)s 
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

^%(__prefix_line)s%(log_pre

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Julie M
On Thursday 02 Mar 2017, Telium Technical Support wrote:
> If this is a small site, I recommend you download the free version of
> SecAst (www.telium.ca) and replace fail2ban.
> SecAst does NOT use the log file, or regexes, to match etc. Instead it
> talks to Asterisk through the AMI to extract security information.
> Messing with regexes is a losing battle, and the lag in reading logs can
> allow an attacker 100+ registration attempts before fail2ban even does
> anything (assuming the IP is exposed in the Asterisk log).

I would recommend exactly the opposite.  If you install proprietary,
binary-only software on your system, you have no way to verify its integrity.
This is no throwaway portable device, it is the heart of your business's
telephone system.  Do not go compromising its security by installing software
that can't be independently verified.

Ask yourself two questions:  (1)  Would you eat a cake that did not have the 
ingredients listed on the box?  And  (2)  why would the manufacturer *not* 
tell you what ingredients they were using -- unless they suspected that if you 
knew for sure what was actually in the cake, you might not be so inclined to 
eat it after all?


-- 
Julie

Note:  Originating address only accepts e-mail from list!  If replying
off-list, change address to asterisk1list at earthshod dot co dot uk .



Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Telium Technical Support
If this is a small site, I recommend you download the free version of SecAst
(www.telium.ca) and replace fail2ban.  SecAst does NOT use the log file, or
regexes, to match etc. Instead it talks to Asterisk through the AMI to extract
security information.  Messing with regexes is a losing battle, and the lag in
reading logs can allow an attacker 100+ registration attempts before fail2ban
even does anything (assuming the IP is exposed in the Asterisk log).

If this is a large install then post in the commercial list for more
information.

-Raj-

 


Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Tech Support
It's possible that you need to increase the value of 'findtime' to
something greater than 300 secs. You also may want to set "timestamp = yes"
in asterisk.conf so each line in the CLI will be time stamped. Time stamping
it will be the definitive determination on whether or not the 'findtime' is
the culprit.

Regards;

John V.  

 

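As an added illustration of the findtime/maxretry interaction John V. raises (example code written for this page, not taken from the thread or from fail2ban): the script below parses timestamped Asterisk messages-log lines in the shape Motty posted and applies the rule stated in the jail.conf comment, that a host is banned once it has generated maxretry failures during the last findtime seconds. It models that stated rule as a sliding window per host, which is an assumption about the documented behaviour and not a copy of fail2ban's internal ticket handling; the addresses 198.51.100.7 and 203.0.113.9, the account names and the timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Shape of a timestamped Asterisk "messages" line for a chan_sip registration
# failure (assumption: a bracketed timestamp precedes the NOTICE as in the
# messages log; addresses below are constructed documentation placeholders).
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<host>[^':]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample: one slow source (200 s between attempts) and one fast one.
SAMPLE_LOG = """\
[2017-03-01 13:29:00] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for '198.51.100.7:53417' - Wrong password
[2017-03-01 13:30:00] NOTICE[29784] chan_sip.c: Registration from '"user9"<sip:1009@asterisk-ip:5060>' failed for '203.0.113.9:5060' - No matching peer found
[2017-03-01 13:30:01] NOTICE[29784] chan_sip.c: Registration from '"user9"<sip:1009@asterisk-ip:5060>' failed for '203.0.113.9:5060' - No matching peer found
[2017-03-01 13:30:02] NOTICE[29784] chan_sip.c: Registration from '"user9"<sip:1009@asterisk-ip:5060>' failed for '203.0.113.9:5060' - No matching peer found
[2017-03-01 13:32:20] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for '198.51.100.7:53911' - Wrong password
[2017-03-01 13:35:40] NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for '198.51.100.7:54102' - Wrong password
"""


def parse_failures(log_text):
    """Return [(datetime, host, reason)] for every line the pattern recognises."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("host"), m.group("reason")))
    return out


def ban_times(failures, maxretry=3, findtime=300):
    """Apply the documented rule as a sliding window: a host is banned at the
    moment its maxretry-th failure within the last findtime seconds arrives.

    Returns {host: datetime of the ban, or None if never banned}.  A banned
    host is not re-evaluated (the paste uses bantime = -1, i.e. permanent).
    """
    window = timedelta(seconds=findtime)
    recent, result = {}, {}
    for ts, host, _reason in sorted(failures):
        result.setdefault(host, None)
        if result[host] is not None:
            continue
        hits = [t for t in recent.get(host, []) if t >= ts - window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            result[host] = ts
    return result


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for ft in (300, 600):
        print("findtime=%d -> %s" % (ft, ban_times(fails, maxretry=3, findtime=ft)))
```

With findtime = 300 the slow source never reaches three failures inside one window and stays unbanned, while the fast source is banned on its third attempt; raising findtime to 600 catches the slow source as well. That is the effect John V. suggests testing, and having the timestamp on each line is what makes the check possible at all.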

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Антон Сацкий
I think that you should ask on the fail2ban list.

2017-03-01 20:29 GMT+02:00 Motty Cruz :


[asterisk-users] fail2ban Asterisk 13.13.1

2017-03-01 Thread Motty Cruz
Hello, fail2ban does not ban offending IP.

NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong password

NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005@asterisk-ip:5060>' failed for 'offending-IP:53911' - Wrong password

systemctl status fail2ban

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 00:40:43 PST; 470min ago
     Docs: man:fail2ban(1)

jail.local

[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime  = -1

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 300

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[asterisk-iptables]
enable = true
port = 5060,5061
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=mo...@email.com, sender=fail2...@asterisk-ip.com]
#action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 3
findtime  = 300
bantime  = -1

in filter.d

asterisk.conf

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password

ignoreregex =

Thanks

Motty

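Not part of the original thread: an added Python check, written for this page, that runs the two failregex blocks from the pasted filter.d/asterisk.conf (trimmed to two patterns each; the paste above carries the full lists) against constructed log lines in the shape Motty posted. It assumes the `<HOST>` expansion of fail2ban 0.9-era regex.py, a simplified stand-in for `%(__prefix_line)s%(log_prefix)s`, and that fail2ban's config reader, which is built on the standard-library ConfigParser, keeps only the last value when an option name such as `failregex` is repeated inside one `[Definition]` section (ConfigParser's non-strict behaviour). The address 198.51.100.7 and the timestamps are constructed placeholders.

```python
import configparser
import re

# Constructed stand-in for the pasted filter.d/asterisk.conf: one [Definition]
# section that assigns "failregex" twice, trimmed to two patterns per block.
FILTER_TEXT = r"""[Definition]
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found

ignoreregex =
"""

# Expansion of the <HOST> tag as in fail2ban 0.9's regex.py (assumption from
# memory; later releases use a richer <ADDR>/<DNS> form).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Stand-in for %(__prefix_line)s%(log_prefix)s: an assumption that only has to
# fit the pasted line shape with a messages-log timestamp in front.
PREFIX_RE = r"\[[^\]]*\] NOTICE\[\d+\] \S+:"

# Constructed lines in the shape Motty posted; 198.51.100.7 is a placeholder.
SAMPLE_LINES = [
    "[2017-03-01 13:29:00] NOTICE[29784] chan_sip.c: Registration from '\"user3\"<sip:1005@asterisk-ip:5060>' failed for '198.51.100.7:53417' - Wrong password",
    "[2017-03-01 13:29:05] NOTICE[29784] chan_sip.c: Registration from '\"user3\"<sip:1005@asterisk-ip:5060>' failed for '198.51.100.7:53911' - Wrong password",
    "[2017-03-01 13:29:09] NOTICE[29784] chan_sip.c: Registration from 'sip:2000@asterisk-ip' failed for '198.51.100.7:53920' - No matching peer found",
]


def all_failregex_sets(filter_text):
    """Return every failregex block in file order, read by hand so that the
    earlier block survives even though the config reader discards it."""
    sets, current = [], None
    for ln in filter_text.splitlines():
        if ln.startswith("failregex ="):
            current = [ln.split("=", 1)[1].strip()]
            sets.append(current)
        elif ln[:1].isspace() and ln.strip() and current is not None:
            current.append(ln.strip())  # indented continuation line
        else:
            current = None
    return sets


def effective_failregex(filter_text):
    """The failregex lines left after parsing, under the assumption that the
    reader behaves like ConfigParser in non-strict mode: a repeated option
    name replaces the earlier value instead of extending it."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(filter_text)
    raw = cp.get("Definition", "failregex")
    return [ln.strip() for ln in raw.splitlines() if ln.strip()]


def compile_pattern(pattern):
    """Expand the fail2ban-specific placeholders into a plain Python regex."""
    pattern = pattern.replace("%(__prefix_line)s%(log_prefix)s", PREFIX_RE)
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(patterns, line):
    """Host extracted by the first matching pattern, or None if none matches."""
    for pat in patterns:
        m = compile_pattern(pat).search(line)
        if m:
            return m.group("host")
    return None


def report(filter_text=FILTER_TEXT, lines=SAMPLE_LINES):
    """Compare the first block with the block the reader actually keeps."""
    first, second = all_failregex_sets(filter_text)
    effective = effective_failregex(filter_text)
    return {
        "effective_is_second": effective == second,
        "first": [match_host(first, ln) for ln in lines],
        "effective": [match_host(effective, ln) for ln in lines],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run stand-alone it shows that the first block extracts the host from all three lines, while the surviving second block only matches the "No matching peer found" line, because its "Wrong password" pattern expects the closing quote right after `<HOST>` and the pasted lines carry a `:port` suffix. On a live box the equivalent check is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports which lines matched and which did not. The same reader-level scrutiny is worth applying to jail.local: the option fail2ban reads to switch a jail on is spelled `enabled`, so a jail section that says `enable = true` deserves a second look.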

Re: [asterisk-users] fail2ban + asterisk

2011-03-07 Thread Matt Darnell
On Sat, Mar 5, 2011 at 8:54 PM, Pezhman Lali l...@lopl.net wrote:
 Dear
 this note is only for fresh administrators don't think about asterisk
 security.


Do you know where you go to 'un-ban' an IP if they made some mistake?

Using webmin I was not able to find the IP address that was banned.

Thanks,
Matt

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] fail2ban + asterisk

2011-03-07 Thread Matt Darnell
On Mon, Mar 7, 2011 at 9:15 AM, Jamie A. Stapleton
jstaple...@computer-business.com wrote:
 iptables -L -v

 will give you the IP address that was banned

 -Original Message-
 From: asterisk-users-boun...@lists.digium.com 
 [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of


Thanks Jamie,

I will look around to see the steps to clear an IP.

Do you know if you can do this through webmin?  I know there is an
iptables plug-in.

-Matt



Re: [asterisk-users] fail2ban + asterisk

2011-03-07 Thread David Quinton
On Mon, 7 Mar 2011 08:50:27 -1000, Matt Darnell
mattdarn...@gmail.com wrote:

On Sat, Mar 5, 2011 at 8:54 PM, Pezhman Lali l...@lopl.net wrote:
 Dear
 this note is only for fresh administrators don't think about asterisk
 security.


Do you know where you go to 'un-ban' an IP if they made some mistake?

Using webmin I was not able to find the IP address that was banned.

I'm no expert but ISTR that Webmin has its own set of Iptables rules,
so I'm not sure that it'll show the Asterisk chain?




[asterisk-users] fail2ban + asterisk

2011-03-05 Thread Pezhman Lali
Dear all,
this note is only for fresh administrators who don't think about Asterisk
security.
I found fail2ban very useful against Asterisk hacking, so I want to share
it with fresh admins.
Some hackers try your SIP or IAX2 IP with a lot of username/password
combinations; maybe after 1 million tries one username/password is accepted,
so in 2-3 hours they use all of the credit of the hacked user.
fail2ban runs as a service, checks the logs, and blocks the suspicious
IPs.

for more info:

http://www.fail2ban.org/wiki/index.php/Asterisk
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

best