Difference between revisions of "Asterisk"

From Fail2ban
Revision as of 17:42, 18 August 2010

Asterisk is an open source VoIP PBX. If your Asterisk is exposed to the Internet, you will see people brute-forcing SIP usernames and passwords; apart from the obvious security risk of a guessed account, these attempts often arrive at a high rate and cause high CPU and bandwidth usage on the PBX.


Asterisk 1.4 (Debian: 1:1.4.21.2~dfsg-3+lenny1)

The first line below is from /var/log/asterisk/messages, which is written by Asterisk itself. It is not usable with fail2ban 0.8.3 because the timestamp is enclosed in square brackets, a form its date detection does not recognise, so such lines are never matched.

The second line is what you get if you instruct Asterisk to log to syslog by adding syslog.local0 => notice,warning,error to /etc/asterisk/logger.conf (and, of course, configuring your syslogd to write facility local0 to some file). The proposed failregex further down is written against this syslog form, which is why it starts with "asterisk".

  • [Aug 8 14:31:33] NOTICE[1687] chan_sip.c: Registration from '"150"<sip:150@hostname>' failed for '192.0.2.1' - No matching peer found
  • Aug 8 14:31:33 hostname asterisk[1617]: NOTICE[1687]: chan_sip.c:15642 in handle_request_register: Registration from '"154"<sip:154@hostname>' failed for '192.0.2.1' - No matching peer found
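As an added example (not part of the original page), the four fragments below show how the pieces fit together: Asterisk sends NOTICE and above to syslog facility local0, syslogd writes that facility to a file of its own, the filter carries the failregex proposed on this page, and the jail watches that file instead of /var/log/asterisk/messages. The file path /var/log/asterisk-syslog.log and the maxretry and bantime values are assumptions chosen for illustration.

```conf
; /etc/asterisk/logger.conf  -- keep the normal messages file and also send
; notice/warning/error to syslog facility local0
[logfiles]
messages => notice,warning,error
syslog.local0 => notice,warning,error

# /etc/syslog.conf (or rsyslog.conf) -- write local0 to its own file.
# The path is an assumed example; any file works as long as the jail's
# logpath below points at the same one.
local0.*    -/var/log/asterisk-syslog.log

# /etc/fail2ban/filter.d/asterisk.conf -- the failregex proposed on this page
[Definition]
failregex = asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - No matching peer found
ignoreregex =

# /etc/fail2ban/jail.local -- watch the syslog file, not /var/log/asterisk/messages
# (maxretry and bantime are assumed values)
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk-syslog.log
maxretry = 5
bantime  = 3600
```

After editing, reload the Asterisk logger (asterisk -rx "logger reload"), restart syslogd so the new file exists, and only then restart fail2ban: a jail whose logpath does not exist yet fails to start, which looks exactly like "it is not banning".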


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

failregex = asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>' - No matching peer found
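The following is an added example, not code from the original page or from the fail2ban project. It reproduces the regex step of a fail2ban filter in Python: the <HOST> tag is expanded to the alias quoted above, the one-host-group rule is enforced, and the proposed failregex is run over a constructed sample log that starts with the two lines shown on this page. Only the regex matching is modelled; fail2ban's date detection, which is what rejects the bracketed timestamp, is not. The extra log lines and the maxretry logic are assumptions made for the example.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this group before compiling a failregex.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex proposed on this page, verbatim.
PROPOSED_FAILREGEX = (
    r"asterisk.*chan_sip.c.*Registration from .* failed for '<HOST>'"
    r" - No matching peer found"
)

# Constructed sample log. The first two lines reproduce the page's two formats
# (Asterisk's own messages file, then syslog); the remaining lines are invented
# here to show repeated failures from one address and a message the proposed
# regex is deliberately not written to catch.
SAMPLE_LOG = [
    "[Aug 8 14:31:33] NOTICE[1687] chan_sip.c: Registration from '\"150\"<sip:150@hostname>' failed for '192.0.2.1' - No matching peer found",
    "Aug 8 14:31:33 hostname asterisk[1617]: NOTICE[1687]: chan_sip.c:15642 in handle_request_register: Registration from '\"154\"<sip:154@hostname>' failed for '192.0.2.1' - No matching peer found",
    "Aug 8 14:31:34 hostname asterisk[1617]: NOTICE[1687]: chan_sip.c:15642 in handle_request_register: Registration from '\"155\"<sip:155@hostname>' failed for '192.0.2.1' - No matching peer found",
    "Aug 8 14:32:01 hostname asterisk[1617]: NOTICE[1687]: chan_sip.c:15642 in handle_request_register: Registration from '\"100\"<sip:100@hostname>' failed for '198.51.100.7' - No matching peer found",
    "Aug 8 14:32:10 hostname asterisk[1617]: NOTICE[1687]: chan_sip.c:15642 in handle_request_register: Registration from '\"101\"<sip:101@hostname>' failed for '198.51.100.7' - Wrong password",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and enforce its one-host-group rule."""
    pattern = failregex.replace("<HOST>", HOST_ALIAS)
    if pattern.count("(?P<host>") != 1:
        raise ValueError("failregex needs exactly one <HOST> tag or host group: %r" % failregex)
    return re.compile(pattern)


def matching_hosts(lines, failregex):
    """Return the host captured from every line the failregex matches, in log order.

    Only the regex step of fail2ban's filter is reproduced here; the date
    detection that runs first on every line is not modelled.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, failregex, maxretry):
    """Hosts that reached maxretry matches (findtime is ignored for simplicity)."""
    counts = Counter(matching_hosts(lines, failregex))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("matches:", matching_hosts(SAMPLE_LOG, PROPOSED_FAILREGEX))
    print("ban with maxretry=2:", hosts_to_ban(SAMPLE_LOG, PROPOSED_FAILREGEX, 2))
```

Two things the run makes visible: the bracketed-timestamp line does not even reach the host group, because the proposed regex requires the "asterisk" prefix that only the syslog form carries, and a "Wrong password" failure slips through unless a second failregex line is added for it. Against a real log file the same check is done with fail2ban's own tool, fail2ban-regex, which takes a log file (or a single log line) and a failregex and reports which lines matched and which host each one yielded.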


Original page content

Hello all,

I have fail2ban installed on CentOS 4.7 with Shoreline Firewall (Shorewall) and IpTables. This works well with SSH, Apache and Named bans. However, I am still trying to get it to ban failed SIP registration attempts in Asterisk.

My jail.conf contains the following for Asterisk:

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
              sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath  = /var/log/messages
maxretry = 2
bantime = 259200

Here is the filter.d/asterisk file:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            # The <HOST> tags in the last two lines were swallowed by the wiki rendering
            # and are restored here; the parentheses are escaped so they match literally
            # and the host group is not left inside an extra capturing group.

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I cannot figure out why this is not banning. Do I have the right log file? This is the one I was directed to in the online instructions. Can anyone help me please?

Thank you in advance for any assistance

Phil