Hi list, has someone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop them.

[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"
I modified the fail2ban filter, but it is still not detected:
asterisk.conf

log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

ignoreregex =
--
rickygm
http://gnuforever.homelinux.com
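The SecurityEvent line of the filter above can be checked offline, without fail2ban-regex. What follows is an added example written for this page, not code from the thread or from the fail2ban project: a small Python re-implementation of how fail2ban applies that failregex to raw log lines. It assumes __pid_re is (?:\[\d+\]) as in fail2ban's common.conf, expands <HOST> the way fail2ban 0.9 does, and emulates the date stripping that leaves the empty [] the posted log_prefix starts with. The two ChallengeSent lines are the ones from the post; the InvalidPassword and SuccessfulAuth lines are constructed for the example and only illustrate the field layout. It shows two things: ChallengeSent is not in the regex's event list, so those lines never count as failures, and the AccountID="\d+" part only accepts a purely numeric account, so a failure event whose AccountID were a SIP URI of the form the ChallengeSent lines show would be missed by the posted regex but caught by a loosened one.

```python
import re

# fail2ban's date detector removes the matched timestamp before failregex
# runs, which is why the posted log_prefix starts with an empty "[]".
# Only the "%F %T" format from the thread is emulated here.
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")

# Assumed substitutions (not from the thread): __pid_re as defined in
# fail2ban's common.conf, and the <HOST> tag as fail2ban 0.9 expands it.
PID_RE = r"(?:\[\d+\])"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The posted log_prefix with __pid_re filled in.
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[\S+\d*\])? \S+:\d*"

# Events the posted failregex counts. ChallengeSent is absent on purpose:
# Asterisk emits it for every digest challenge, legitimate logins included.
EVENTS = "FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword"

# The posted SecurityEvent failregex, with the AccountID pattern left open.
SECURITY_TEMPLATE = (
    r'^{prefix} SecurityEvent="({events})",EventTV="[\d-]+",Severity="[\w]+",'
    r'Service="[\w]+",EventVersion="\d+",AccountID="{account}",SessionID="0x[\da-f]+",'
    r'LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/{host}/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$'
)


def security_regex(account_pattern):
    """Compile the posted SecurityEvent failregex with a chosen AccountID pattern."""
    return re.compile(SECURITY_TEMPLATE.format(
        prefix=LOG_PREFIX, events=EVENTS, account=account_pattern, host=HOST))


# Exactly as posted: AccountID must be purely numeric.
POSTED_RE = security_regex(r"\d+")
# Loosened variant: any quoted value, so a "sip:user@host" AccountID also matches.
LOOSE_RE = security_regex(r'[^"]*')


def match_host(regex, line):
    """Return the <HOST> fail2ban would count for one raw log line, or None."""
    m = regex.match(DATE_RE.sub("[]", line, count=1))
    return m.group("host") if m else None


def hosts_to_ban(regex, lines):
    """Hosts that accumulate a failure under the given regex, in log order."""
    return [h for h in (match_host(regex, line) for line in lines) if h]


# Sample input: the first two lines are the ChallengeSent lines from the
# thread; the last three are constructed for this example (field values are
# illustrative, not captured Asterisk output).
SAMPLE_LINES = [
    '[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"',
    '[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"',
    # Constructed: numeric AccountID, matched by the posted regex.
    '[2015-01-08 15:21:03] SECURITY[21515] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420752063-000000",Severity="Error",Service="SIP",EventVersion="2",AccountID="102",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594",ReceivedChallenge="23965594",ReceivedHash="0123456789abcdef0123456789abcdef"',
    # Constructed: URI-form AccountID, missed by the posted regex.
    '[2015-01-08 15:00:12] SECURITY[21515] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1420750812-000000",Severity="Error",Service="SIP",EventVersion="2",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3",ReceivedChallenge="770e84a3",ReceivedHash="fedcba9876543210fedcba9876543210"',
    # Constructed: a legitimate login, matched by neither regex.
    '[2015-01-09 13:48:03] SECURITY[21515] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1420832883-140932",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/10.0.0.5/5060",UsingPassword="1"',
]

if __name__ == "__main__":
    for name, regex in (("posted", POSTED_RE), ("loosened", LOOSE_RE)):
        print(name, hosts_to_ban(regex, SAMPLE_LINES))
```

Running it prints the hosts each regex would count: the posted one yields only 198.204.241.58 (the numeric-AccountID failure), the loosened one adds 63.141.229.58, and neither counts the ChallengeSent or SuccessfulAuth lines. Against a real log the equivalent check is fail2ban-regex run on the security log file that logger.conf writes (by default under /var/log/asterisk) with the filter file as the second argument.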
On 01/08/2015 11:37 PM, ricky gutierrez wrote:
> Hi list, has someone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop them.
>
> [2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
> [2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"
>
> I modified the fail2ban filter, but it is still not detected

Do you really want to detect "ChallengeSent"? That should occur also on legitimate login processes...

-S

--
(o_ Stefan Gofferje | SCLT, MCP, CCSA
//\ Reg'd Linux User #247167 | VCP #2263
V_/_ Heckler & Koch - the original point and click interface
Hello;
Did you remember to uncomment the dateformat in
/etc/asterisk/logger.conf? That's necessary for fail2ban to work.
Logger.conf
[general]
dateformat=%F %T
Regards;
John
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of ricky gutierrez
Sent: Thursday, January 08, 2015 4:38 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

Hi list, has someone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop them.

[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"

I modified the fail2ban filter, but it is still not detected
2015-01-09 9:05 GMT-06:00 Tech Support <asterisk at voipbusiness.us>:
> Hello;
> Did you remember to uncomment the dateformat in
> /etc/asterisk/logger.conf? That's necessary for fail2ban to work.
>
> Logger.conf
> [general]
> dateformat=%F %T
>

Hi, I'll show my logger:

dateformat=%F %T ; ISO 8601 date format
use_callids = yes
appendhostname = no
security => security,notice

regards
--
rickygm
http://gnuforever.homelinux.com
2015-01-09 3:53 GMT-06:00 Stefan Gofferje <lists at home.gofferje.net>:
>
> Do you really want to detect "ChallengeSent"? That should occur also on
> legitimate login processes...
>

Hi, the strange thing is that I still do not have this Asterisk in production and I see many connection attempts. Now keep in mind that when an authentication is successful the message changes and is not exactly what you mention:

## SecurityEvent="SuccessfulAuth",EventTV="1420832883-140932",####

I think it is this type of connection attempt message on my Asterisk that fail2ban is not detecting. I'm no expert, but the log does not lie ;)

regards
--
rickygm
http://gnuforever.homelinux.com