Difference between revisions of "Talk:Asterisk"

From Fail2ban
(Asterisk + Fail2ban: new section)

Revision as of 21:49, 25 March 2012

I have the following asterisk failures in syslog (not /var/log/asterisk/messages)...

Sep 30 19:53:49 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:123@phone.example.net>' failed for '192.0.2.1' - Wrong password

Sep 30 19:57:43 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:321@phone.example.net>' failed for '192.0.2.1' - No matching peer found

Sep 30 19:59:03 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:123@phone.example.net>' failed for '192.0.2.1' - Username/auth name mismatch


The filter I am using (which appears to work for all the above log entries) is as follows...

failregex = NOTICE[[][0-9]*]: chan_sip.c:.* Registration from .* failed for [']<HOST>['].*$


You should change the logger time format in /etc/asterisk/logger.conf

[general]
dateformat=%F %T

For full information check http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

New REGEX for Asterisk 1.8

Asterisk 1.8 includes the port number in the log entry so it broke the existing regex for detecting the host IP.

Here is a sample of the new logs for a bad password login attempt
Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from 'XXXXXXXXXXXXXXXXX' failed for '192.168.200.100:36998' - Wrong password

Notice the port is listed with the offending IP separated by a colon.

Here are new regexes that work by not including the colon port number in the <HOST> variable that gets passed to iptables. Edit your asterisk filter in the /etc/fail2ban/filters.d/ directory accordingly.

Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
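To see why the pre-1.8 filter from the first post stops working on Asterisk 1.8 output, and that the regexes above hand only the address (not the port) to the ban action, here is an added example written for this page; it is not code from fail2ban or from either poster. It expands <HOST> the way fail2ban 0.8 does (the expansion is reproduced from memory and may differ in detail from your installed version), applies both filters to the log lines quoted in this thread plus a few constructed ones, and counts hits per host the way maxretry would. Date parsing and findtime are left out.

```python
import re

# fail2ban expands the <HOST> tag before compiling a failregex. This is the
# 0.8-era expansion (assumption: reproduced from memory of fail2ban's filter
# code; later releases use a broader character class). The class contains no
# ':', so a ':port' suffix ends the captured host.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Pre-1.8 filter quoted in the first post: it requires the address to be
# followed directly by a closing quote.
OLD_FAILREGEX = (r"NOTICE[[][0-9]*]: chan_sip.c:.* Registration from .* "
                 r"failed for [']<HOST>['].*$")

# 1.8 filter lines from the post above: the optional ':port' is matched
# outside the <HOST> group, so only the address reaches the ban action.
NEW_FAILREGEXES = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register",
]

# Sample log lines. The first four are the ones quoted in this thread; the
# remaining three are constructed here: two more 1.8-style failures from the
# same source address, and one failure reason the filter does not cover.
SAMPLE_LOG = [
    "Sep 30 19:53:49 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '\"123\"<sip:123@phone.example.net>' failed for '192.0.2.1' - Wrong password",
    "Sep 30 19:57:43 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '\"123\"<sip:321@phone.example.net>' failed for '192.0.2.1' - No matching peer found",
    "Sep 30 19:59:03 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '\"123\"<sip:123@phone.example.net>' failed for '192.0.2.1' - Username/auth name mismatch",
    "Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from 'XXXXXXXXXXXXXXXXX' failed for '192.168.200.100:36998' - Wrong password",
    # constructed
    "Nov 4 18:30:41 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from '\"1001\"<sip:1001@localhost>' failed for '192.168.200.100:36999' - No matching peer found",
    # constructed
    "Nov 4 18:30:42 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from '\"1002\"<sip:1002@localhost>' failed for '192.168.200.100:37000' - Device does not match ACL",
    # constructed; reason not in the filter, must not match
    "Nov 4 18:30:43 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from '\"1003\"<sip:1003@localhost>' failed for '192.168.200.101:5060' - Not a local domain",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def extract_hosts(lines, failregexes):
    """Return the host captured for every line matched by any failregex.

    Mirrors fail2ban's per-line behaviour: the first failregex that matches
    wins and lines matching nothing are ignored. Timestamp detection, which
    fail2ban also requires, is not modelled here.
    """
    compiled = [compile_failregex(r) for r in failregexes]
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def banned_hosts(lines, failregexes, maxretry=3):
    """Hosts with at least `maxretry` matches, i.e. what the ban action
    would be handed. findtime is ignored: all lines count as one window."""
    counts = {}
    for host in extract_hosts(lines, failregexes):
        counts[host] = counts.get(host, 0) + 1
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print("old filter:", extract_hosts(SAMPLE_LOG, [OLD_FAILREGEX]))
    print("new filter:", extract_hosts(SAMPLE_LOG, NEW_FAILREGEXES))
    print("banned with new filter:", sorted(banned_hosts(SAMPLE_LOG, NEW_FAILREGEXES)))
```

The old filter matches only the three pre-1.8 lines, so an attacker hitting an Asterisk 1.8 box is never counted, let alone banned; the new regexes match the 1.8 lines and capture a bare address, so the iptables rule is built for 192.168.200.100 rather than the malformed 192.168.200.100:36998. On a real host the equivalent check is fail2ban-regex run against /var/log/asterisk/messages and your asterisk filter file, which also reports whether the timestamp format (see the logger.conf note above) is recognised.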

Asterisk + Fail2ban

Fail2ban cannot be used w/Asterisk simply because Asterisk does not log enough info for fail2ban to take action. More info: http://forums.asterisk.org/viewtopic.php?p=159984 There should be a big disclaimer warning users about this issue.