Re: [asterisk-users] sip attack.. fail2ban not stopping attack
On Sat, Dec 25, 2010 at 04:04:59PM -0700, Dave George wrote:
> My server is being attacked all day and fail2ban is not stopping the
> attack. I updated the timestamp to match fail2ban requirements.

How about posting your fail2ban config?

--
Daniel Tryba

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
jail.conf

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2...@example.org]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime  = 259200

filter asterisk.conf

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

ignoreregex =

logger.conf

[general]
;
; Customize the display of debug message time stamps
; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS)
;
; see strftime(3) Linux manual for format specifiers. Note that there is also
; a fractional second parameter which may be used in this field. Use %1q
; for tenths, %2q for hundredths, etc.
;
dateformat=%F %T ; ISO 8601 date format
;dateformat=%F %T.%3q ; with milliseconds

Dave

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Daniel Tryba
Sent: Monday, December 27, 2010 5:16 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] sip attack.. fail2ban not stopping attack

On Sat, Dec 25, 2010 at 04:04:59PM -0700, Dave George wrote:
> My server is being attacked all day and fail2ban is not stopping the
> attack. I updated the timestamp to match fail2ban requirements.

How about posting your fail2ban config?

--
Daniel Tryba
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
On 27/12/2010 16:20, dave george wrote:
[...]
> [Definition]
>
> #_daemon = asterisk
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
>             NOTICE.* <HOST> failed to authenticate as '.*'$
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
>             NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
>
> ignoreregex =
[...]

What does your asterisk notice file look like?

---
Daniel
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
Simply to reduce the attack, and then improve the defense:

If you don't need traffic from some area that is attacking you, just put the
whole area in IPTables. A list is available on VOIP-INFO.org. Cull out what
you want to allow.

Then tune Fail2Ban at your leisure.

Cary Fitch
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
With asterisk 1.8+ it should be:

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

since the format of the notice has changed (asterisk now adds the port after HOST)

Nick

On Mon, Dec 27, 2010 at 6:03 PM, Administrator TOOTAI <ad...@tootai.net> wrote:
> On 27/12/2010 16:20, dave george wrote:
> [...]
>> [Definition]
>>
>> #_daemon = asterisk
>>
>> # Option:  failregex
>> # Notes.:  regex to match the password failures messages in the logfile. The
>> #          host must be matched by a group named "host". The tag "<HOST>" can
>> #          be used for standard IP/hostname matching and is only an alias for
>> #          (?:::f{4,6}:)?(?P<host>\S+)
>> # Values:  TEXT
>> #
>> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
>>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
>>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
>>             NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
>>             NOTICE.* <HOST> failed to authenticate as '.*'$
>>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
>>             NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
>>
>> ignoreregex =
> [...]
>
> What does your asterisk notice file look like?
>
> ---
> Daniel
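The port-suffix change discussed in this message is easy to get wrong, so here is an added worked example (editor's code, not from the thread and not fail2ban's own code) that expands the <HOST> tag the way fail2ban's filter template comment describes, runs both the posted 1.6-era failregex and the 1.8+ variant over a constructed sample log, and reports what each extracts as the host. Two host aliases are compared: the `(?:::f{4,6}:)?(?P<host>\S+)` alias quoted in the asterisk.conf comment earlier in the thread, and an assumed alternative whose host class cannot contain ':' (so the `(:[0-9]{1,5})?` group actually has something to do). The sample log lines, the peer names and the 192.0.2.10 / 198.51.100.23 addresses are constructed for the example; only 38.108.40.94 and the line shape come from the thread. findtime, DNS lookups and the real ban action are not modelled.

```python
import ipaddress
import re
from collections import Counter

# fail2ban replaces the <HOST> tag in each failregex before compiling it.
# This is the alias quoted in the asterisk.conf comment posted in the thread:
HOST_ALIAS_THREAD = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Assumed alternative, for comparison only: same shape, but the host class
# cannot contain ':', so a trailing ':port' is left for the pattern to handle.
HOST_ALIAS_NO_COLON = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines as posted for Asterisk 1.6 (no port after the host).
OLD_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# Nick's Asterisk 1.8 variant: an optional ':port' after the quoted host, plus
# the "Peer is not supposed to register" reason.
NEW_FAILREGEX = [
    p.replace("'<HOST>'", "'<HOST>(:[0-9]{1,5})?'") for p in OLD_FAILREGEX
] + [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register",
]


def compile_failregex(patterns, host_alias):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", host_alias)) for p in patterns]


def extract_host(line, compiled):
    """Return the 'host' group of the first failregex that matches, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, patterns, host_alias):
    """Count matching lines per extracted host (the number maxretry is
    compared against; findtime is ignored here)."""
    compiled = compile_failregex(patterns, host_alias)
    counts = Counter()
    for line in lines:
        host = extract_host(line, compiled)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def bannable_hosts(counts, maxretry):
    """Hosts at or above maxretry whose extracted string is a literal IP
    address, i.e. something an 'iptables -s' rule can take. A 'host:port'
    string fails this check even though the regex matched the line."""
    usable = []
    for host, n in counts.items():
        if n < maxretry:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        usable.append(host)
    return sorted(usable)


# Constructed sample log (not copied from the thread): five 1.6-style lines
# shaped like the ones Dave posted, five 1.8-style lines carrying a ':5060'
# suffix, and one unrelated NOTICE that must not match anything.
def _reg_line(ts, peer, host, reason):
    return ("[%s] NOTICE[15415]: chan_sip.c:21830 handle_request_register: "
            "Registration from '%s' failed for '%s' - %s" % (ts, peer, host, reason))


SAMPLE_LOG = (
    [_reg_line("2010-12-25 18:54:34", "7002 <sip:7002@192.0.2.10>",
               "38.108.40.94", "No matching peer found")] * 5
    + [_reg_line("2010-12-27 09:12:0%d" % i, "1001 <sip:1001@192.0.2.10>",
                 "198.51.100.23:5060", reason)
       for i, reason in enumerate(["Wrong password", "Wrong password",
                                   "No matching peer found",
                                   "Peer is not supposed to register",
                                   "Wrong password"])]
    + ["[2010-12-27 09:13:00] NOTICE[15415]: chan_sip.c:15000 sip_reg_timeout: "
       "-- Registration for '2001@sip.example.net' timed out, trying again"]
)


if __name__ == "__main__":
    for label, patterns in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        for alias_name, alias in (("thread alias", HOST_ALIAS_THREAD),
                                  ("no-colon alias", HOST_ALIAS_NO_COLON)):
            counts = count_failures(SAMPLE_LOG, patterns, alias)
            print("%s failregex, %s: %s -> bannable %s"
                  % (label, alias_name, counts, bannable_hosts(counts, 5)))
```

The point to take from running it: with the colon-free alias, the old failregex misses every 1.8-style line and the new one extracts a clean 198.51.100.23. With the `\S+` alias quoted in the thread, both failregex sets "match" the 1.8-style lines, but the greedy `\S+` swallows the port and the host group comes out as 198.51.100.23:5060, which is not an address a firewall rule can use. Whichever fail2ban version is in play, checking what fail2ban-regex reports as the matched host, not just the match count, is the test that catches this.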
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
On Mon, Dec 27, 2010 at 10:20:13AM -0500, dave george wrote:
[snip fail2ban config]

Well, all looks fine. Your filter is correct. Your message log is also in the
correct format. You can test this with:

  fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

So is fail2ban actually running (like someone already suggested)?

  $ ps auxwww | grep fail

Other things it could be:
- a broken backend in jail.conf (try polling).
- running as an unprivileged user (can't read asterisk/messages).

--
When you do things right, people won't be sure you've done anything at all.

Daniel Tryba
[asterisk-users] sip attack.. fail2ban not stopping attack
My server is being attacked all day and fail2ban is not stopping the attack.
I updated the timestamp to match fail2ban requirements.

[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:7...@x.x.x.x' failed for '38.108.40.94' - No matching peer found
[2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 sip:70

Dave
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
Make sure you have dateformat=%F %T in logger.conf

On Sun, Dec 26, 2010 at 1:04 AM, Dave George <dgeo...@teletoneinc.com> wrote:
> My server is being attacked all day and fail2ban is not stopping the attack.
> I updated the timestamp to match fail2ban requirements.
>
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002
>
> Dave
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
Yes, we have that set in logger.conf.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Nick Ustinov
Sent: Saturday, December 25, 2010 6:25 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] sip attack.. fail2ban not stopping attack

Make sure you have dateformat=%F %T in logger.conf

On Sun, Dec 26, 2010 at 1:04 AM, Dave George <dgeo...@teletoneinc.com> wrote:
> My server is being attacked all day and fail2ban is not stopping the attack.
> I updated the timestamp to match fail2ban requirements.
>
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002
>
> Dave
Re: [asterisk-users] sip attack.. fail2ban not stopping attack
On Sat, Dec 25, 2010 at 7:41 PM, dave george <dgeo...@teletoneinc.com> wrote:
> Yes, we have that set in logger.conf.
>
> -----Original Message-----
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Nick Ustinov
> Sent: Saturday, December 25, 2010 6:25 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] sip attack.. fail2ban not stopping attack
>
> Make sure you have dateformat=%F %T in logger.conf
>
> On Sun, Dec 26, 2010 at 1:04 AM, Dave George <dgeo...@teletoneinc.com> wrote:
>> My server is being attacked all day and fail2ban is not stopping the attack.
>> I updated the timestamp to match fail2ban requirements.
>>
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002 ' failed for '38.108.40.94' - No matching peer found
>> [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '7002
>>
>> Dave

If all else fails, check your /var/log/fail2ban log file. Any error messages
there? A typo in the file name of the log file to check; a jail that is set up
but not turned on; double check your set up.

Use iptables -L -n to check that fail2ban is properly setting up a chain to
block IPs.

Is the fail2ban service even running?

murf