Hello,

I'm using Fail2ban; my configuration is below. I want to try to prevent continuous password attempts, but Fail2ban does not prevent this. (Asterisk 1.8 / Elastix interface)

What could be the problem?

Asterisk log:

"Registration from '<sip:3060@sip.x.eu;transport=UDP>' failed for 'x.x.x.x:32956' - Wrong password"

Fail2ban asterisk filter:

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No m$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'de$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
On 2015-09-13 10:16, Gokan Atmaca wrote:
> Hello,
>
> I'm using Fail2ban; my configuration is below. I want to try to prevent
> continuous password attempts, but Fail2ban does not prevent this.
> (Asterisk 1.8 / Elastix interface)
>
> What could be the problem?
>
> Asterisk log:
> "Registration from '<sip:3060@sip.x.eu;transport=UDP>' failed for
> 'x.x.x.x:32956' - Wrong password"
>
> Fail2ban asterisk filter:
> [...]

On the fail2ban website they have several versions of asterisk.conf depending on the version of Asterisk you are using. If you have the latest fail2ban, that one has the version for Asterisk 11. Go there and download the correct version for your setup.

-- 
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez
dCAP #1349
+52 (55)9116-91161
On Sun, Sep 13, 2015 at 7:11 PM, Carlos Chavez <cursor@telecomabmex.com> wrote:
> On 2015-09-13 10:16, Gokan Atmaca wrote:
>> I'm using Fail2ban; my configuration is below. I want to try to prevent
>> continuous password attempts, but Fail2ban does not prevent this.
>> (Asterisk 1.8 / Elastix interface)
>> [...]
>
> On the fail2ban website they have several versions of asterisk.conf
> depending on the version of Asterisk you are using. If you have the latest
> fail2ban, that one has the version for Asterisk 11. Go there and download
> the correct version for your setup.

Hi,

Asterisk version 1.8
Fail2ban version 0.8.14
config: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/asterisk.conf

But it does not prevent.
On 9/13/15 11:16 AM, Gokan Atmaca wrote:
> Hello,
>
> I'm using Fail2ban; my configuration is below. I want to try to prevent
> continuous password attempts, but Fail2ban does not prevent this.
> (Asterisk 1.8 / Elastix interface)
>
> What could be the problem?
>
> Asterisk log:
> "Registration from '<sip:3060@sip.x.eu;transport=UDP>' failed for
> 'x.x.x.x:32956' - Wrong password"

Sometimes minor tweaks to the file are in order. My suggestion is to use the fail2ban-regex utility to test the log file entry until it is detected. Just put the line generated by asterisk in a test file and then run the regex.

# /usr/bin/fail2ban-regex -?
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

example:

/usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf

> Fail2ban asterisk filter:
> [...]

-- 
Technical Support
http://www.cellroute.net
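What fail2ban-regex checks for the log line quoted above, reproduced in Python as an added example (this is not code from the thread or from fail2ban; fail2ban-regex on the real box stays the authority). It follows the filter's own pipeline: the date is located and cut out of the line, which is why the posted filter accepts "[]" followed by whitespace as a prefix, and only then is failregex tried. Assumptions, also marked in the code: Asterisk's default messages-log date format "%b %e %T", fail2ban's expansion of <HOST> as remembered from the 0.8/0.9 series, only the Asterisk-native prefix alternative of the filter (the syslog form is left out), the two failure reasons that are fully visible in the posted failregex (the page cuts the list off at "No m"), and constructed sample log lines in the shape of the poster's line using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Asterisk's default "messages" dateformat is "%b %e %T"; assumption: logger.conf
# on the Elastix box has not changed it.
DATE_RE = re.compile(r"^\[(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\]")

# What fail2ban 0.8/0.9 substitutes for <HOST> (written from memory; an assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# log_prefix exactly as in the filter posted in the thread.
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = r"(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?"

# First failregex of the posted filter, with %(__prefix_line)s reduced to the
# Asterisk-native "\[\]\s*" alternative and the reason list limited to the two
# reasons visible on the page.
FAILREGEX = re.compile(
    r"^\[\]\s*" + LOG_PREFIX
    + r" Registration from '[^']*' failed for '" + HOST + r"(:\d+)?'"
    + r" - (Wrong password|Username/auth name mismatch)$"
)


def match_failure(line, year=2015):
    """One step of fail2ban's filter: find the date, cut it out of the line
    (so "[Sep 13 10:16:40] NOTICE..." becomes "[] NOTICE..."), then try
    failregex on the remainder. Returns (timestamp, host) or None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    stripped = line[:m.start(1)] + line[m.end(1):]
    hit = FAILREGEX.search(stripped)
    if not hit:
        return None
    return stamp, hit.group("host")


def bans(lines, maxretry=5, findtime=600):
    """fail2ban's counting rule: a host is banned once it produces maxretry
    matching lines inside a findtime-second window. Returns hosts in the
    order they got banned."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        stamp, host = hit
        if host in banned:
            continue
        recent[host] = [t for t in recent[host] if stamp - t <= window] + [stamp]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample lines (not real traffic) in the shape of the poster's line.
# The TCP-transport lines show that the filter does not care about transport.
_L = "[Sep 13 {t}] NOTICE[2855] chan_sip.c: Registration from '<sip:{u}@sip.x.eu;transport={p}>' failed for '{h}' - {r}"
SAMPLE_LOG = [
    _L.format(t="10:16:40", u="3060", p="UDP", h="203.0.113.5:32956", r="Wrong password"),
    _L.format(t="10:16:41", u="3061", p="UDP", h="203.0.113.5:32956", r="Wrong password"),
    _L.format(t="10:16:41", u="100", p="TCP", h="198.51.100.7:5060", r="Username/auth name mismatch"),
    _L.format(t="10:16:42", u="3062", p="UDP", h="203.0.113.5:32956", r="Wrong password"),
    _L.format(t="10:16:43", u="3063", p="UDP", h="203.0.113.5:32956", r="Wrong password"),
    _L.format(t="10:16:44", u="3064", p="UDP", h="203.0.113.5:32956", r="Wrong password"),
    _L.format(t="10:17:01", u="101", p="TCP", h="198.51.100.7:5060", r="Username/auth name mismatch"),
    "[Sep 13 10:17:05] NOTICE[2855] chan_sip.c: Peer '3060' is now Reachable. (12ms / 2000ms)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_failure(line), "<-", line[:70])
    print("banned:", bans(SAMPLE_LOG))
```

If match_failure() returns None for a line copied verbatim from the real log, the filter is the problem (wrong date format, a syslog prefix, or a truncated reason list); if it returns the host but nothing is ever banned on the box, look at the jail's thresholds and at the ban action instead.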
On Sun, Sep 13, 2015 at 9:17 PM, Andres <andres@telesip.net> wrote:
> Sometimes minor tweaks to the file are in order. My suggestion is to use
> the fail2ban-regex utility to test the log file entry until it is detected.
> Just put the line generated by asterisk in a test file and then run the
> regex.
>
> # /usr/bin/fail2ban-regex -?
> Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
>
> example:
>
> /usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf
> [...]

I solved the problem. "action.d/iptables-custom.conf" included only udp.

service fail2ban restart

Thank you.

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
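The resolution above points at the ban action rather than the filter. fail2ban's stock iptables-multiport action hooks its fail2ban-<name> chain into INPUT only for the protocol named in its protocol parameter (default tcp), so a jail whose single action is tied to one protocol leaves SIP on the other transport unfiltered even though every failed registration is matched and counted. As an added example that is not from the thread, here is a jail.local in the style fail2ban 0.8 shipped for Asterisk, running one action per transport; the log path (Elastix writes Asterisk's log under /var/log/asterisk), the ports 5060/5061 and the thresholds are assumptions to adjust for the box.

```ini
# /etc/fail2ban/jail.local (added example; values are assumptions)
# One jail per transport: iptables-multiport's "protocol" parameter decides
# which traffic enters the fail2ban chain, so udp and tcp each need an action.

[asterisk-udp]
enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
logpath  = /var/log/asterisk/messages
maxretry = 5
findtime = 600
bantime  = 86400

[asterisk-tcp]
enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
logpath  = /var/log/asterisk/messages
maxretry = 5
findtime = 600
bantime  = 86400
```

After "service fail2ban restart", "iptables -L INPUT -n" should show both fail2ban-asterisk-udp and fail2ban-asterisk-tcp chains hooked in, each under its own protocol, and "fail2ban-client status asterisk-udp" lists the addresses currently banned by that jail; an attacker address that appears in the Asterisk log but never in that list is the sign that the action, not the filter, is what is misconfigured.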