[asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper

Hi,

Info !!! not a question !!!

the pjsip logger is different:

[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found


and here the RegEx for fail2ban to catch this log:

NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found

Regards

--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161 callto:004922897167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Patrick Laimbock

Hi Rainer,

On 15-09-14 09:07, Rainer Piper wrote:

> Hi,
>
> Info !!! not a question !!!
>
> the pjsip logger is different:
>
> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
> from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071'
> (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>
> and here the RegEx for fail2ban to catch this log:
>
> NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
> No matching endpoint found


Thanks for sharing. If you use github it would be nice if you could 
submit a pull request so that it becomes part of the Asterisk rules in 
the next Fail2ban version (0.9.1).


https://github.com/fail2ban/fail2ban/pulls

HTH,
Patrick



Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Matthew Jordan
On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock <patr...@laimbock.com> wrote:

> Hi Rainer,
>
> On 15-09-14 09:07, Rainer Piper wrote:
>
>> Hi,
>>
>> Info !!! not a question !!!
>>
>> the pjsip logger is different:
>>
>> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
>> from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071'
>> (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>>
>> and here the RegEx for fail2ban to catch this log:
>>
>> NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
>> No matching endpoint found
>
> Thanks for sharing. If you use github it would be nice if you could submit
> a pull request so that it becomes part of the Asterisk rules in the next
> Fail2ban version (0.9.1).
>
> https://github.com/fail2ban/fail2ban/pulls
>
> HTH,
> Patrick



Why would you not use the SECURITY log format, which has the exact same
format between chan_sip and chan_pjsip, and has a consistent format from
Asterisk 10+?

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com  http://asterisk.org

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper

On 15.09.2014 at 15:26, Matthew Jordan wrote:

> On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock <patr...@laimbock.com> wrote:
>
>> Hi Rainer,
>>
>> On 15-09-14 09:07, Rainer Piper wrote:
>>
>>> Hi,
>>>
>>> Info !!! not a question !!!
>>>
>>> the pjsip logger is different:
>>>
>>> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
>>> from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071'
>>> (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>>>
>>> and here the RegEx for fail2ban to catch this log:
>>>
>>> NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
>>> No matching endpoint found
>>
>> Thanks for sharing. If you use github it would be nice if you
>> could submit a pull request so that it becomes part of the
>> Asterisk rules in the next Fail2ban version (0.9.1).
>>
>> https://github.com/fail2ban/fail2ban/pulls
>>
>> HTH,
>> Patrick
>
> Why would you not use the SECURITY log format, which has the exact
> same format between chan_sip and chan_pjsip, and has a consistent
> format from Asterisk 10+?
>
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
>
> --
> Matthew Jordan
> Digium, Inc. | Engineering Manager
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com  http://asterisk.org




Thanks for security_log = security

Ok ... I switched the
security_log = security
in logger.conf on and I'm going to write a RegEx for Fail2ban.

log sample - security log of wrong password:
[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: SecurityEvent=ChallengeResponseFailed,EventTV=2014-09-15T15:51:26.126+0200,Severity=Error,Service=PJSIP,EventVersion=1,AccountID=7002,SessionID=80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10,LocalAddress=IPV4/UDP/178.5.154.91/5072,RemoteAddress=IPV4/UDP/192.168.8.10/6012,Challenge=1410789078/000dd605e4bd1b6dd7488afafafafafaf,Response=8fc17a017a3ac5eea21ca86c6c0f5ee8,ExpectedResponse=


--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161 callto:004922897167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de
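
An added example, not part of any message in this thread: a small Python check, in the spirit of `fail2ban-regex`, that runs the NOTICE pattern from the first message (host placeholder written as fail2ban's `<HOST>` tag) and a constructed pattern for the SECURITY format over the two log lines quoted above. `HOST_GROUP` is a simplified IPv4-only stand-in for `<HOST>`, and `SECURITY_EVENT`, `banned_host` and `check_filters` are hypothetical names introduced here.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag is expanded by fail2ban itself and also covers hostnames and IPv6).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the first message of the thread, with the <HOST> tag.
PJSIP_NOTICE = (r"NOTICE.* .*: Request from '.*' failed for "
                r"'<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found")

# Constructed candidate for the SECURITY format (not from the thread): it keys
# on RemoteAddress so the server's own LocalAddress can never be captured.
SECURITY_EVENT = (r"SECURITY.* .*: SecurityEvent=ChallengeResponseFailed,"
                  r".*,RemoteAddress=IPV4/[A-Z]+/<HOST>/[0-9]{1,5},")

# The two log lines quoted in the thread.
SAMPLE_NOTICE = ("[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: "
                 "Request from '1001 sip:1001@81.20.137.222' failed for "
                 "'85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) "
                 "- No matching endpoint found")
SAMPLE_SECURITY = ("[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: "
                   "SecurityEvent=ChallengeResponseFailed,"
                   "EventTV=2014-09-15T15:51:26.126+0200,Severity=Error,"
                   "Service=PJSIP,EventVersion=1,AccountID=7002,"
                   "SessionID=80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10,"
                   "LocalAddress=IPV4/UDP/178.5.154.91/5072,"
                   "RemoteAddress=IPV4/UDP/192.168.8.10/6012,"
                   "Challenge=1410789078/000dd605e4bd1b6dd7488afafafafafaf,"
                   "Response=8fc17a017a3ac5eea21ca86c6c0f5ee8,ExpectedResponse=")


def banned_host(failregex, line):
    """Return the address a ban would act on for this line, or None."""
    match = re.search(failregex.replace("<HOST>", HOST_GROUP), line)
    return match.group("host") if match else None


def check_filters():
    """Run each failregex over both samples: (filter, sample) -> host."""
    filters = {"notice": PJSIP_NOTICE, "security": SECURITY_EVENT}
    samples = {"notice": SAMPLE_NOTICE, "security": SAMPLE_SECURITY}
    return {(f, s): banned_host(rx, line)
            for f, rx in filters.items() for s, line in samples.items()}


if __name__ == "__main__":
    for key, host in check_filters().items():
        print(key, "->", host)
```

Each pattern matches only its own log format, and the SECURITY pattern returns the `RemoteAddress` value rather than the server's `LocalAddress`.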

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper

Hi Patrick,

github done ;-)

what is HTH ???



On 15.09.2014 at 13:21, Patrick Laimbock wrote:

> Hi Rainer,
>
> On 15-09-14 09:07, Rainer Piper wrote:
>
>> Hi,
>>
>> Info !!! not a question !!!
>>
>> the pjsip logger is different:
>>
>> [Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
>> from '1001 sip:1001@81.20.137.222' failed for '85.25.197.23:5071'
>> (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
>>
>> and here the RegEx for fail2ban to catch this log:
>>
>> NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
>> No matching endpoint found
>
> Thanks for sharing. If you use github it would be nice if you could
> submit a pull request so that it becomes part of the Asterisk rules in
> the next Fail2ban version (0.9.1).
>
> https://github.com/fail2ban/fail2ban/pulls
>
> HTH,
> Patrick




--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread A J Stiles
(this is not where your reply belongs)

On Monday 15 Sep 2014, Rainer Piper wrote:
> Hi Patrick,
>
> github done ;-)
>
> what is HTH ???

HTH == Hope That Helps.

-- 
AJS

Note:  Originating address only accepts e-mail from list!  If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .



Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Rainer Piper

oh ... thanks :-[



On 15.09.2014 at 17:30, A J Stiles wrote:

> (this is not where your reply belongs)
>
> On Monday 15 Sep 2014, Rainer Piper wrote:
>
>> Hi Patrick,
>>
>> github done ;-)
>>
>> what is HTH ???
>
> HTH == Hope That Helps.




--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rai...@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rai...@xmpp.soho-piper.de

Re: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13

2014-09-15 Thread Patrick Laimbock

On 15-09-14 17:22, Rainer Piper wrote:

> Hi Patrick,
>
> github done ;-)

Thanks!

> what is HTH ???


Hope this/that helps

http://www.internetslang.com/
http://www.urbandictionary.com/define.php?term=internet%20slang

HTH :)
Patrick

