Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-27 Thread Daniel Tryba
On Sat, Dec 25, 2010 at 04:04:59PM -0700, Dave George wrote:
 My server is being attacked all day and fail2ban is not stopping the
 attack.  I updated the timestamp to match fail2ban requirements.

How about posting your fail2ban config?

-- 

   Daniel Tryba

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-27 Thread dave george
jail.conf
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2...@example.org]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime  = 259200


filter asterisk.conf
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =


logger.conf
[general]
;
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
;
; see strftime(3) Linux manual for format specifiers.  Note that there is also
; a fractional second parameter which may be used in this field.  Use %1q
; for tenths, %2q for hundredths, etc.
;
dateformat=%F %T   ; ISO 8601 date format
;dateformat=%F %T.%3q   ; with milliseconds





Dave


Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-27 Thread Administrator TOOTAI

On 27/12/2010 16:20, dave george wrote:

[...]

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =
[...]


What does your Asterisk notice file look like?

---
Daniel



Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-27 Thread Cary Fitch
Simply to reduce the attack, and then improve the defense:

If you don't need traffic from some area that is attacking you, just put the
whole area in IPTables.  A list is available on VOIP-INFO.org.

Cull out what you want to allow.

Then tune Fail2Ban at your leisure.

Cary Fitch





Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-27 Thread Nick Ustinov
With Asterisk 1.8+ it should be:

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

since the format of the notice has changed (Asterisk now adds the port after the host)

Nick




Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-27 Thread Daniel Tryba
On Mon, Dec 27, 2010 at 10:20:13AM -0500, dave george wrote:
[snip fail2ban config]

Well, all looks fine. Your filter is correct. Your message log is also in the
correct format. You can test this with:
fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

So is fail2ban actually running (like someone already suggested)?
$ ps auxwww | grep fail

Other things it could be:
- a broken backend in jail.conf (try polling).
- running as an unprivileged user (can't read asterisk/messages).

-- 

 When you do things right, people won't be sure you've done anything at all.

   Daniel Tryba

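The two points made above, Nick Ustinov's port suffix in Asterisk 1.8 log lines and Daniel Tryba's advice to test the filter against the real log, can be reproduced without a running fail2ban. The block below is an added example, not code from the thread or from fail2ban: it expands `<HOST>` the way fail2ban 0.8 does (that substitution is copied from its failregex code and is an assumption here), applies both the posted failregex and the 1.8-aware variant to constructed log lines in each format, and counts failures per source host the way the jail would with maxretry = 5 (findtime is ignored). The log lines, the 198.51.100.7 attacker and the 203.0.113.x addresses are constructed; 38.108.40.94 is the address from the thread.

```python
"""Apply a fail2ban-style failregex set to Asterisk log lines and count
registration failures per source host.

Added example for the asterisk-users thread; not code from the thread or
from fail2ban.  Compares the filter as posted (Asterisk 1.6 log format)
with Nick Ustinov's Asterisk 1.8 variant, which allows a ':port' suffix."""
import re
from collections import Counter

# What fail2ban 0.8 substitutes for the <HOST> tag (assumption: taken from its
# failregex code).  The character class has no ':' in it, so a host logged as
# 198.51.100.7:5060 can only match a regex that accounts for the port.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex from the filter.d/asterisk.conf posted in the thread (pre-1.8 format)
OLD_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# Nick Ustinov's Asterisk 1.8+ version: an optional ':port' after the host
NEW_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

_PREFIX = "[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: "

# Constructed sample log: six failures from the thread's attacker in the 1.6
# format, five from a second host in the 1.8 format (":5060" appended to the
# host), and one line that is not a failure at all.
SAMPLE_LOG = (
    [_PREFIX + "Registration from '7002 <sip:7002@203.0.113.10>' "
     "failed for '38.108.40.94' - No matching peer found"] * 6
    + [_PREFIX + "Registration from '7002 <sip:7002@203.0.113.10>' "
       "failed for '198.51.100.7:5060' - Wrong password"] * 3
    + [_PREFIX + "Registration from '7003 <sip:7003@203.0.113.10>' "
       "failed for '198.51.100.7:5060' - No matching peer found"] * 2
    + ["[2010-12-25 18:55:03] VERBOSE[15415] chan_sip.c: Registered SIP '101' at 203.0.113.20:5060"]
)


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def count_failures(patterns, log_lines):
    """Return a Counter of failures per host.  A line counts at most once:
    the first failregex that matches wins, as in fail2ban."""
    regexes = compile_failregex(patterns)
    counts = Counter()
    for line in log_lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Hosts that reached the jail's maxretry (the thread's jail uses 5)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, patterns in (("posted filter", OLD_FAILREGEX), ("1.8-aware filter", NEW_FAILREGEX)):
        counts = count_failures(patterns, SAMPLE_LOG)
        print(f"{label}: {dict(counts)} -> ban {hosts_to_ban(counts)}")
```

With the posted filter only 38.108.40.94 is counted; the five 1.8-format lines from 198.51.100.7 match nothing, which is exactly the silent failure mode of a regex that stops at the `'` where the log now has `:5060`. The same check against a live system is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, as suggested above.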


[asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-25 Thread Dave George
My server is being attacked all day and fail2ban is not stopping the
attack.  I updated the timestamp to match fail2ban requirements.

[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:7...@x.x.x.x>' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 <sip:70

Dave


Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-25 Thread Nick Ustinov
Make sure you have

dateformat=%F %T

in logger.conf





Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-25 Thread dave george
Yes, we have that set in logger.conf.



Re: [asterisk-users] sip attack.. fail2ban not stopping attack

2010-12-25 Thread Steve Murphy

If all else fails, check your /var/log/fail2ban log file. Any error messages
there? A typo in the file name of the log file to check; a jail that is set up
but not turned on; double check your setup. Use iptables -L -n to check that
fail2ban is properly setting up a chain to block IPs. Is the fail2ban service
even running?

murf
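The checks suggested in this thread (is fail2ban-server running, can it read the Asterisk log, does the filter match anything with fail2ban-regex, did fail2ban create its iptables chain and put anything in it) collected into one script. This is an added example, not code from the thread or from fail2ban. It assumes the log and filter paths from Dave's jail.conf, that fail2ban names the chain fail2ban-ASTERISK after the action's name=ASTERISK, and the 0.8-era fail2ban-regex summary wording "Success, the total number of match is N"; the fail2ban-regex and iptables -L -n outputs embedded for the helpers are constructed samples. Run the live checks as root (or as the user fail2ban runs as) with `sh f2b-check.sh --run`.

```shell
#!/bin/sh
# Added diagnostic checklist for "fail2ban runs but nothing gets banned".
# Not from the thread or from fail2ban.  Assumptions: the log and filter
# paths used in the thread, the chain name fail2ban-ASTERISK (derived from
# name=ASTERISK in the jail's action line) and fail2ban 0.8's summary wording.
ASTERISK_LOG="${ASTERISK_LOG:-/var/log/asterisk/messages}"
FILTER="${FILTER:-/etc/fail2ban/filter.d/asterisk.conf}"
CHAIN="${CHAIN:-fail2ban-ASTERISK}"

# --- helpers that work on captured command output, so they can be checked offline ---

# Pull N out of fail2ban-regex's "Success, the total number of match is N"
# summary line (0.8-era wording; assumption).  Prints 0 when the line is absent.
regex_match_count() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/^Success, the total number of match is \([0-9][0-9]*\).*/\1/p' |
        tail -n 1)
    printf '%s\n' "${n:-0}"
}

# True if `iptables -L -n` output ($1) lists a chain called $2.
chain_present() {
    printf '%s\n' "$1" | grep -q "^Chain $2 "
}

# Number of DROP/REJECT rules inside chain $2 of `iptables -L -n` output ($1),
# i.e. how many hosts are banned right now.
chain_bans() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain"                                { inchain = ($2 == chain); next }
        inchain && ($1 == "DROP" || $1 == "REJECT")  { n++ }
        END                                          { print n + 0 }'
}

# --- constructed samples (not real output) used to show what the helpers parse ---
SAMPLE_REGEX_OUTPUT='Summary
=======

Addresses found:
[1]
    38.108.40.94 (Sat Dec 25 18:54:34 2010)

Success, the total number of match is 10'

SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ASTERISK  all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
DROP       all  --  38.108.40.94         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# --- the live checklist ---
main() {
    rc=0
    if pgrep -f fail2ban-server >/dev/null 2>&1; then
        echo "ok:   fail2ban-server is running"
    else
        echo "FAIL: fail2ban-server is not running"; rc=1
    fi

    # Run as the user fail2ban runs as: a daemon that cannot read the log bans nothing.
    if [ -r "$ASTERISK_LOG" ]; then
        echo "ok:   $ASTERISK_LOG is readable"
    else
        echo "FAIL: cannot read $ASTERISK_LOG"; rc=1
    fi

    # Does the filter match what Asterisk actually writes (dateformat and log format)?
    matches=$(regex_match_count "$(fail2ban-regex "$ASTERISK_LOG" "$FILTER" 2>/dev/null)")
    if [ "$matches" -gt 0 ]; then
        echo "ok:   filter matched $matches line(s) in $ASTERISK_LOG"
    else
        echo "FAIL: filter matched nothing (check failregex against the log, and dateformat in logger.conf)"; rc=1
    fi

    # Did fail2ban create its chain, and is anything banned in it?
    ipt=$(iptables -L -n 2>/dev/null)
    if chain_present "$ipt" "$CHAIN"; then
        echo "ok:   chain $CHAIN exists with $(chain_bans "$ipt" "$CHAIN") active ban(s)"
    else
        echo "FAIL: chain $CHAIN missing (jail disabled, action name wrong, or fail2ban never started it)"; rc=1
    fi
    return $rc
}

# Run the live checks only when invoked as: sh f2b-check.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A chain that exists but stays empty while the filter matches points at the jail (backend, findtime/maxretry) rather than the filter; a missing chain with fail2ban-server running usually means the jail is not enabled or the action line is misnamed.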