I solved the problem. "action.d/iptables-custom.conf" included only udp.
service fail2ban restart

Thank you.

On Sun, Sep 13, 2015 at 9:17 PM, Andres <andres at telesip.net> wrote:
> On 9/13/15 11:16 AM, Gokan Atmaca wrote:
>>
>> Hello
>>
>> I'm using Fail2ban. My configuration is below. I want to try to
>> prevent the continuous password attempts. Fail2ban does not
>> prevent them in this form. (Asterisk 1.8 / Elastix interface)
>>
>> What could be the problem?
>>
>> Asterisk log;
>> "Registration from '<sip:3060 at sip.x.eu;transport=UDP>' failed for
>> 'x.x.x.x:32956' - Wrong password"
>
> Sometimes minor tweaks to the file are in order. My suggestion is to use
> the fail2ban-regex utility to test the log file entry until it is detected.
> Just put the line generated by asterisk in a test file and then run the
> regex.
>
> # /usr/bin/fail2ban-regex -?
> Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
>
> example:
>
> /usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf
>
>>
>> Fail2ban asterisk filter;
>>
>> # Fail2Ban filter for asterisk authentication failures
>> #
>>
>> [INCLUDES]
>>
>> # Read common prefixes. If any customizations available -- read them from
>> # common.local
>> before = common.conf
>>
>>
>> [Definition]
>>
>> _daemon = asterisk
>>
>> __pid_re = (?:\[\d+\])
>>
>> # All Asterisk log messages begin like this:
>> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
>>
>> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No m$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'de$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'de$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=$
>>             ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
>>             ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
>>
>> ignoreregex =
>>
>>
>> # Author: Xavier Devlamynck / Daniel Black
>> #
>> # General log format - main/logger.c:ast_log
>> # Address format - ast_sockaddr_stringify
>> #
>> # First regex: channels/chan_sip.c
>> #
>> # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s
>>
>
> --
> Technical Support
> http://www.cellroute.net
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
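An offline stand-in for the fail2ban-regex check Andres recommends, added here as an example and not code from the thread or from fail2ban itself: it expands two failregex entries modelled on the posted filter, runs them over constructed Asterisk-style log lines and counts failures per source host the way maxretry would. The __prefix_line value, the <HOST> expansion, the shortened failregex entries and the log lines are all simplified assumptions.

```python
import re
from collections import defaultdict
# Stand-ins for what fail2ban normally supplies (simplified assumptions):
PREFIX_LINE = r"(?:\[[^\]]+\]\s+)"            # common.conf's __prefix_line, e.g. "[Sep 13 11:16:00] "
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY)" + PID_RE +
              r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?")
HOST_RE = r"(?P<host>[\w\-.]+)"               # what fail2ban puts in for <HOST>; IPv4/hostnames only

# Two failregex entries modelled on the posted filter (constructed, shortened forms).
FAILREGEX = [
    r"^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' "
    r"failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch)$",
    r"^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$",
]

def compile_failregex(entries):
    """Expand the %(name)s references and the <HOST> tag, as fail2ban-regex does."""
    subs = {"__prefix_line": PREFIX_LINE, "log_prefix": LOG_PREFIX}
    return [re.compile((e % subs).replace("<HOST>", HOST_RE)) for e in entries]

def match_host(line, patterns):
    """Return the source host captured by the first matching failregex, else None."""
    for pat in patterns:
        m = pat.match(line)
        if m:
            return m.group("host")
    return None

def offenders(lines, maxretry=3):
    """Count matched failures per host; return the hosts that reached maxretry."""
    patterns = compile_failregex(FAILREGEX)
    counts = defaultdict(int)
    for line in lines:
        host = match_host(line, patterns)
        if host:
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= maxretry}

# Constructed Asterisk 1.8 style log lines; 192.0.2.x are documentation addresses.
SAMPLE_LOG = [
    "[Sep 13 11:16:00] NOTICE[1234] chan_sip.c: Registration from '<sip:3060@sip.x.eu;transport=UDP>' failed for '192.0.2.10:32956' - Wrong password",
    "[Sep 13 11:16:01] NOTICE[1234] chan_sip.c: Registration from '<sip:3060@sip.x.eu;transport=UDP>' failed for '192.0.2.10:32957' - Wrong password",
    "[Sep 13 11:16:02] NOTICE[1234] chan_sip.c: Registration from '<sip:3061@sip.x.eu;transport=UDP>' failed for '192.0.2.10:32958' - Wrong password",
    "[Sep 13 11:16:03] NOTICE[1234] chan_sip.c: Host 192.0.2.20 failed to authenticate as '3060'",
    "[Sep 13 11:16:04] VERBOSE[1234] chan_sip.c: Really destroying SIP dialog",
]

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))   # {'192.0.2.10': 3}
```

A line that fail2ban-regex reports as missed will also return None from match_host here, which is the quickest way to see which part of a long failregex stops matching a given Asterisk build's log format.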
Another problem is that the ban happens too late. The reason for this is
insufficient CPU power. I'm simulating an attack. Of course, it is eating
CPU. One reason: it bans only now. Abstracts must be strong; if it is
eating our resources, it is a serious attack.

On Mon, Sep 14, 2015 at 9:14 AM, Gokan Atmaca <linux.gokan at gmail.com> wrote:
> I solved the problem. "action.d/iptables-custom.conf" included only udp.
> service fail2ban restart
>
> Thank you.
On Mon, 14 Sep 2015, Gokan Atmaca wrote:
> Another problem is that the ban happens too late. The reason for this is
> insufficient CPU power. I'm simulating an attack. Of course, it is eating
> CPU. One reason: it bans only now. Abstracts must be strong; if it is
> eating our resources, it is a serious attack.

The problem with fail2ban is it is an 'after the fact' approach. It depends
on packets already going where they don't belong and puts the responsibility
on the application (Asterisk) to log the offending packets so fail2ban can
scan the logs and create rules.

Years ago (2010?) Gordon Henderson published an iptables script that handled
things like invite and registration flooding. If you take care of these
things before they eat resources and before they get to the logging that
fail2ban depends on, you will save a lot of cycles.

If Gordon is still on list, maybe he can re-publish. I'd be interested to
see if he has any new tricks included.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST