Patrick Lists
2011-Dec-29 15:03 UTC
[asterisk-users] Asterisk fail2ban filters - show us yours
Hi,

In the thread "Interesting attack tonight & fail2ban them" Bruce B mentioned it would be nice to have input from the Community to come up with the best set of fail2ban filters. That's a great idea. So let's start with Bruce's filters (thanks!) and take it from there. Anyone have any improvements and/or additions? Apologies for the line wrap. No idea how to prevent that in Thunderbird. The filters are also at http://pastebin.com/6T9M1W3F

Not sure but it may be possible that logging has changed between Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version with your filters.

For Asterisk 1.8:

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

There are 2 lines that I have which are not in this list:

            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

How about those (no idea for which Asterisk version they are)?

Regards,
Patrick
Diego Aguirre (DagMoller)
2011-Dec-29 15:10 UTC
[asterisk-users] Asterisk fail2ban filters - show us yours
Hi,

I have added this line for asterisk 1.8 (I have allowguest=yes and context=default in sip.conf):

            NOTICE.* .*: Call from '.*' (<HOST>) to extension '.*' rejected because extension not found in context 'default'.

On 29-12-2011 13:03, Patrick Lists wrote:
> Hi,
>
> In the thread "Interesting attack tonight & fail2ban them" Bruce B mentioned it would be nice to have input from the Community to come up with the best set of fail2ban filters. That's a great idea. So let's start with Bruce's filters (thanks!) and take it from there. Anyone have any improvements and/or additions? Apologies for the line wrap. No idea how to prevent that in Thunderbird. The filters are also at http://pastebin.com/6T9M1W3F
>
> Not sure but it may be possible that logging has changed between Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version with your filters.
>
> For Asterisk 1.8:
>
> failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
> Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
> NOTICE.* <HOST> failed to authenticate as '.*'$
> NOTICE.* .*: No registration for peer '.*' (from <HOST>)
> NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
> VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
>
> There are 2 lines that I have which are not in this list:
>
> NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
> NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
>
> How about those (no idea for which Asterisk version they are)?
>
> Regards,
> Patrick

--
Diego Aguirre (DagMoller)
Infodag Consultoria
FWD#: 459696
Enum#: +55 21 8871-4916 (e164.org)
DUNDi-br#: 21 8871-4916
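To check how the patterns from Patrick's and Diego's posts behave before dropping them into a jail, here is an added stand-alone test harness (not code from either poster or from fail2ban). It assumes the fail2ban 0.8 style <HOST> expansion, escapes the literal parentheses so they are not treated as regex groups, allows an optional port after the host in Diego's extension-not-found pattern (as the registration patterns already do), and runs the patterns over constructed Asterisk 1.8 style log lines, counting hits per source address the way a jail's maxretry would.

```python
import re
from collections import defaultdict

# Approximation of the <HOST> expansion fail2ban 0.8 substitutes (assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Patterns from the thread; literal parentheses escaped so they match log text.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
    # Diego's pattern, with an optional ":port" after the host (assumption).
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' "
    r"rejected because extension not found in context 'default'\.",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

def match_host(line):
    """Return the source host if the line matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def offenders(lines, maxretry=3):
    """Count matches per host; return hosts that reached maxretry (a ban)."""
    counts = defaultdict(int)
    for line in lines:
        host = match_host(line)
        if host:
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= maxretry}

# Constructed sample log lines in Asterisk 1.8 style (not real log data).
SAMPLE_LOG = [
    "[Dec 29 14:55:01] NOTICE[1234] chan_sip.c: Registration from '\"100\"<sip:100@10.0.0.5>' failed for '203.0.113.5:5060' - Wrong password",
    "[Dec 29 14:55:02] NOTICE[1234] chan_sip.c: Registration from '\"101\"<sip:101@10.0.0.5>' failed for '203.0.113.5:5060' - No matching peer found",
    "[Dec 29 14:55:03] NOTICE[1234] chan_sip.c: No registration for peer '300' (from 203.0.113.5)",
    "[Dec 29 14:55:04] NOTICE[1234] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '0011234567890' rejected because extension not found in context 'default'.",
    "[Dec 29 14:55:05] NOTICE[1234] chan_sip.c: Registration from '\"200\"<sip:200@10.0.0.5>' failed for '192.0.2.10:5060' - Wrong password",
    "[Dec 29 14:55:06] VERBOSE[1234] chan_sip.c: Registered SIP '200' at 192.0.2.10:5060",
]
```

Running `offenders(SAMPLE_LOG)` reports only 203.0.113.5 (three hits); the single typo-style failure from 192.0.2.10 stays below the threshold, which is the behaviour you want so that a legitimate user mistyping a password once is not banned.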