Hello Anyone have a working copy of Fail2ban asterisk filter asterisk.conf for Asterisk 16 running PJSIP. I have tried 10 different filters but none of them show any matches when testing with fail2ban-regex I see date template hits but no matches.... My log [2019-06-06 15:37:20] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 50670137772977-30593645157868 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:37:52] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"as100" <sip:as100 at 95.179.170.109>' failed for '188.214.128.172:5076' (callid: 03e7f9d2dcdf4252506c440137e822b7) - No matching endpoint found [2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352844365933467-383842003849650 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 352413680053562-322991201237060 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"2405" <sip:2405 at asterisk>' failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241 at 192.168.1.8) - Failed to authenticate [2019-06-06 15:39:17] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"as100" <sip:as100 at 95.179.170.109>' failed for '188.214.128.172:5071' (callid: 8e12f1560bfe2c3ed5be895108727c46) - No matching endpoint found Any help is much appreciated. Thanks John Bittner CTO [xaccellogoemail] 380 US Highway 46, Suite 500 Totowa, NJ 07512 Phone: 201.806.2602 x2405 Fax: 201.806.2604 Cell: 973.390.1090 www.xaccel.net<http://www.xaccel.net/> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information which should not be shared or forwarded. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the e-mail. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20190606/841fbff3/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 4300 bytes Desc: image001.png URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20190606/841fbff3/attachment.png>
Hopefully, this helps someone else.
This seems to be working for me.
# Fail2Ban configuration file
[INCLUDES]
#before = common.conf
[Definition]
failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed
for '<HOST>:.*' .* - No matching endpoint found
NOTICE.* .*: Request \'REGISTER\' from '.*' failed
for '<HOST>:.*' .* - Failed to authenticate
NOTICE.* .*: Request \'REGISTER\' from '.*' failed
for '<HOST>:.*' .* - Error to authenticate
NOTICE.* .*: Request \'INVITE\' from '.*' failed for
'<HOST>:.*' .*
John Bittner
Xaccel
From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On
Behalf Of John T. Bittner
Sent: Thursday, June 6, 2019 3:40 PM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] Fail2ban for asterisk 16 PJSIP
Hello
Anyone have a working copy of Fail2ban asterisk filter asterisk.conf
for Asterisk 16 running PJSIP.
I have tried 10 different filters but none of them show any matches when testing
with
fail2ban-regex
I see date template hits but no matches....
My log
[2019-06-06 15:37:20] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid: 50670137772977-30593645157868
at 192.168.1.8<mailto:50670137772977-30593645157868 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:37:52] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'INVITE' from '"as100" <sip:as100 at
95.179.170.109>' failed for '188.214.128.172:5076' (callid:
03e7f9d2dcdf4252506c440137e822b7) - No matching endpoint found
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352844365933467-383842003849650 at
192.168.1.8<mailto:352844365933467-383842003849650 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352844365933467-383842003849650 at
192.168.1.8<mailto:352844365933467-383842003849650 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352844365933467-383842003849650 at
192.168.1.8<mailto:352844365933467-383842003849650 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:37:58] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352844365933467-383842003849650 at
192.168.1.8<mailto:352844365933467-383842003849650 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352413680053562-322991201237060 at
192.168.1.8<mailto:352413680053562-322991201237060 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352413680053562-322991201237060 at
192.168.1.8<mailto:352413680053562-322991201237060 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352413680053562-322991201237060 at
192.168.1.8<mailto:352413680053562-322991201237060 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:38:36] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid:
352413680053562-322991201237060 at
192.168.1.8<mailto:352413680053562-322991201237060 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241
at 192.168.1.8<mailto:211973110361898-30014604441241 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241
at 192.168.1.8<mailto:211973110361898-30014604441241 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241
at 192.168.1.8<mailto:211973110361898-30014604441241 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:39:14] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'REGISTER' from '"2405" <sip:2405 at asterisk>'
failed for '71.127.239.22:65476' (callid: 211973110361898-30014604441241
at 192.168.1.8<mailto:211973110361898-30014604441241 at 192.168.1.8>) -
Failed to authenticate
[2019-06-06 15:39:17] NOTICE[18081] res_pjsip/pjsip_distributor.c: Request
'INVITE' from '"as100" <sip:as100 at
95.179.170.109>' failed for '188.214.128.172:5071' (callid:
8e12f1560bfe2c3ed5be895108727c46) - No matching endpoint found
Any help is much appreciated.
Thanks
John Bittner
CTO
[xaccellogoemail]
380 US Highway 46, Suite 500
Totowa, NJ 07512
Phone: 201.806.2602 x2405
Fax: 201.806.2604
Cell: 973.390.1090
www.xaccel.net<http://www.xaccel.net/>
CONFIDENTIALITY NOTICE:
This e-mail message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential
and privileged information which should not be shared or forwarded. Any
unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recipient, please contact the sender
by reply e-mail and destroy all copies of the e-mail.
________________________________
Teach Canit xAntispam if this mail is spam:
Spam<http://mx1.xantispam.net/canit/b.php?c=s&i=020lvFIiR&m=5b7b9282412f&rlm=xaccel-net>
Not
spam<http://mx1.xantispam.net/canit/b.php?c=n&i=020lvFIiR&m=5b7b9282412f&rlm=xaccel-net>
Forget previous
vote<http://mx1.xantispam.net/canit/b.php?c=f&i=020lvFIiR&m=5b7b9282412f&rlm=xaccel-net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20190608/68d55320/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 4300 bytes
Desc: image001.png
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20190608/68d55320/attachment.png>
Administrator TOOTAI
2019-Jun-08 13:06 UTC
[asterisk-users] Fail2ban for asterisk 16 PJSIP
Le 08/06/2019 à 05:20, John T. Bittner a écrit :> Hopefully, this helps someone else. > > > This seems to be working for me. > > # Fail2Ban configuration file > > [INCLUDES] > > #before = common.conf > > [Definition] > > failregex = NOTICE.* .*: Request \'REGISTER\' from '.*' failed for > '<HOST>:.*' .* - No matching endpoint found > > NOTICE.* .*: Request \'REGISTER\' from '.*' failed for > '<HOST>:.*' .* - Failed to authenticate > > NOTICE.* .*: Request \'REGISTER\' from '.*' failed for > '<HOST>:.*' .* - Error to authenticate > > NOTICE.* .*: Request \'INVITE\' from '.*' failed for > '<HOST>:.*' .* > > John Bittner > > Xaccel[...] We have this rules: [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = asterisk __pid_re = (?:\s*\[\d+\]) iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} # All Asterisk log messages begin like this: log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)? prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$ failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not ma tch ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b) ^No registration for peer '[^']*' \(from <HOST>\)$ ^hacking attempt detected '<HOST>'$ ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP |WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$ ^"Rejecting unknown SIP connection from <HOST>"$ ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(? :Failed|Error) to authenticate)\s*$ # FreePBX (todo: make optional in v.0.10): # ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$ ignoreregex = datepattern = {^LN-BEG} # Author: Xavier Devlamynck / Daniel Black -- Daniel