Hello

Anyone have a working copy of Fail2ban asterisk filter asterisk.conf for Asterisk 16 running PJSIP.

I have tried 10 different filters but none of them show any matches when testing with fail2ban-regex I see date template hits but no matches....

My log

[2019-06-06 15:37:20] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 50670137772977-30593645157868 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:37:52] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"as100" <sip:as100 at 95.179.170.109>' failed for '188.214.128.172:5076' (callid: 03e7f9d2dcdf4252506c440137e822b7) - No matching endpoint found
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate
[2019-06-06 15:39:17] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"as100" <sip:as100 at 95.179.170.109>' failed for '188.214.128.172:5071' (callid: 8e12f1560bfe2c3ed5be895108727c46) - No matching endpoint found

Any help is much appreciated.
Thanks

John Bittner
CTO
Hopefully, this helps someone else.

This seems to be working for me.

# Fail2Ban configuration file

[INCLUDES]

#before = common.conf

[Definition]

failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching endpoint found
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Failed to authenticate
            NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Error to authenticate
            NOTICE.* .*: Request \'INVITE\' from '.*' failed for '<HOST>:.*' .*

John Bittner
Xaccel
Administrator TOOTAI
2019-Jun-08 13:06 UTC
[asterisk-users] Fail2ban for asterisk 16 PJSIP
On 08/06/2019 at 05:20, John T. Bittner wrote:
> Hopefully, this helps someone else.
>
> This seems to be working for me.
>
> # Fail2Ban configuration file
>
> [INCLUDES]
>
> #before = common.conf
>
> [Definition]
>
> failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed for
> '<HOST>:.*' .* - No matching endpoint found
>
> NOTICE.* .*: Request \'REGISTER\' from '.*' failed for
> '<HOST>:.*' .* - Failed to authenticate
>
> NOTICE.* .*: Request \'REGISTER\' from '.*' failed for
> '<HOST>:.*' .* - Error to authenticate
>
> NOTICE.* .*: Request \'INVITE\' from '.*' failed for
> '<HOST>:.*' .*
>
> John Bittner
>
> Xaccel
[...]

We have these rules:

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

# Author: Xavier Devlamynck / Daniel Black

--
Daniel
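
The following Python sketch is an added example, not code from the thread or from the fail2ban project. It runs the stock filter's two-stage match (prefregex, then the "Request ... failed for" rule) and the four unanchored rules from the second message over constructed log lines in the thread's format; the IPv4-only <HOST> expansion, the reduced __prefix_line and the sample addresses are assumptions.

```python
import re
from collections import Counter

# IPv4-only stand-in for fail2ban's <HOST> tag (assumption; the real tag is broader).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
DATE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")

def rule(text):
    return re.compile(text.replace("<HOST>", HOST))

# Stock stage 1: log_prefix inside prefregex; __prefix_line reduced to \s* (assumption).
PREFREGEX = re.compile(
    r"^\s*(?:NOTICE|SECURITY|WARNING)(?:\s*\[\d+\]):?(?:\[C-[\da-f]*\])?"
    r" [^:]+:\d*(?:(?: in)? \w+:)? (?P<content>.+)$")
# Stock stage 2: the "Request ... failed for" rule, run on the extracted content only.
STOCK = rule(r"^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\)"
             r" - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$")
# The four unanchored rules from the second message, searched in the whole line.
SIMPLE = [rule(r) for r in (
    r"NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - No matching endpoint found",
    r"NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Failed to authenticate",
    r"NOTICE.* .*: Request \'REGISTER\' from '.*' failed for '<HOST>:.*' .* - Error to authenticate",
    r"NOTICE.* .*: Request \'INVITE\' from '.*' failed for '<HOST>:.*' .*",
)]

# Constructed sample lines in the thread's log format (documentation addresses).
LOG = '''\
[2019-06-06 15:37:20] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405@asterisk>' failed for '203.0.113.22:65476' (callid: aaa111@192.0.2.8) - Failed to authenticate
[2019-06-06 15:37:52] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"as100" <sip:as100@198.51.100.9>' failed for '198.51.100.172:5076' (callid: bbb222) - No matching endpoint found
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405@asterisk>' failed for '203.0.113.22:65476' (callid: ccc333@192.0.2.8) - Failed to authenticate
[2019-06-06 15:40:01] VERBOSE[18081] pbx.c: Executing [100@internal:1] Hangup()
'''.splitlines()

def stock_host(rest):
    pre = PREFREGEX.match(rest)
    m = pre and STOCK.match(pre.group("content"))
    return m.group("host") if m else None

def simple_host(rest):
    hits = (rx.search(rest) for rx in SIMPLE)
    return next((m.group("host") for m in hits if m), None)

def tally(lines, find_host):
    # fail2ban removes the matched timestamp before failregex is tried
    hosts = (find_host(DATE.sub("", line, count=1)) for line in lines)
    return Counter(h for h in hosts if h)

print(tally(LOG, stock_host), tally(LOG, simple_host))
```

Both tallies agree on these lines; the anchored stock rule only matches once the timestamp and the log prefix have been stripped, so it finds nothing when applied to a raw line.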