Talk:Asterisk

From Fail2ban
Revision as of 04:03, 5 November 2010 by Haze (Talk | contribs)


I have the following asterisk failures in syslog (not /var/log/asterisk/messages)...

Sep 30 19:53:49 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:123@phone.example.net>' failed for '192.0.2.1' - Wrong password

Sep 30 19:57:43 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:321@phone.example.net>' failed for '192.0.2.1' - No matching peer found

Sep 30 19:59:03 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:123@phone.example.net>' failed for '192.0.2.1' - Username/auth name mismatch


The filter I am using (which appears to work for all the above log entries) is as follows...

failregex = NOTICE[[][0-9]*]: chan_sip.c:.* Registration from .* failed for [']<HOST>['].*$


You should change logger time format in /etc/asterisk/logger.conf

[general]
dateformat=%F %T

For full information check http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

New REGEX for Asterisk 1.8

Asterisk 1.8 includes the port number in the log entry so it broke the existing regex for detecting the host IP.

Here is a sample of the new logs for a bad password login attempt:
Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from 'XXXXXXXXXXXXXXXXX' failed for '192.168.200.100:36998' - Wrong password

Notice the port is listed with the offending IP separated by a colon.

Here are new regexes that work by not including the colon and port number in the <HOST> variable that gets passed to iptables. Edit your asterisk filter in the /etc/fail2ban/filters.d/ directory accordingly.

Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
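Added example (not code from any of the posts above): a small Python harness that expands <HOST> roughly the way fail2ban does and runs both the original failregex and the Asterisk 1.8 lines against the sample log entries from this page, so you can see why the old pattern stops matching once the port is appended and that the new ones still capture the bare address. The HOST_PATTERN used for the <HOST> expansion is an assumed approximation of fail2ban's own substitution.

```python
import re

# Assumed approximation of the pattern fail2ban substitutes for <HOST>:
# an address or hostname built from word characters, dots and dashes.
# ':' is not in the class, so the host can never swallow a trailing ":port".
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex from the first post (pre-1.8 log format).
OLD_FAILREGEX = (
    r"NOTICE[[][0-9]*]: chan_sip.c:.* Registration from .* failed for "
    r"[']<HOST>['].*$"
)

# failregex lines from the Asterisk 1.8 post (port tolerated, not captured).
NEW_FAILREGEXES = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register",
]

# Sample log lines copied from the posts above.
PRE_18_LOGS = [
    "Sep 30 19:53:49 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '\"123\"<sip:123@phone.example.net>' failed for '192.0.2.1' - Wrong password",
    "Sep 30 19:57:43 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '\"123\"<sip:321@phone.example.net>' failed for '192.0.2.1' - No matching peer found",
    "Sep 30 19:59:03 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '\"123\"<sip:123@phone.example.net>' failed for '192.0.2.1' - Username/auth name mismatch",
]
ASTERISK_18_LOG = "Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from 'XXXXXXXXXXXXXXXXX' failed for '192.168.200.100:36998' - Wrong password"


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban would and compile the resulting regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_hosts(failregexes, log_lines):
    """For each log line, return the host captured by the first matching
    failregex, or None when nothing matches (fail2ban would ban nothing)."""
    compiled = [compile_failregex(r) for r in failregexes]
    hosts = []
    for line in log_lines:
        host = None
        for regex in compiled:
            m = regex.search(line)
            if m:
                host = m.group("host")
                break
        hosts.append(host)
    return hosts


if __name__ == "__main__":
    print(match_hosts([OLD_FAILREGEX], PRE_18_LOGS))        # three times '192.0.2.1'
    print(match_hosts([OLD_FAILREGEX], [ASTERISK_18_LOG]))  # [None]: old regex broken on 1.8
    print(match_hosts(NEW_FAILREGEXES, [ASTERISK_18_LOG]))  # ['192.168.200.100'], port dropped
```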