Difference between revisions of "Talk:Asterisk"
(→New REGEX for Asterisk 1.8: new section) |
|||
Line 22: | Line 22: | ||
When you are in need of a custom term paper, essay, [http://www.bestdissertation.com custom papers], research paper , dissertation or any other writing services, just remember that we have the professional essay writing help you need at a price you can afford. | When you are in need of a custom term paper, essay, [http://www.bestdissertation.com custom papers], research paper , dissertation or any other writing services, just remember that we have the professional essay writing help you need at a price you can afford. | ||
+ | |||
+ | == New REGEX for Asterisk 1.8 == | ||
+ | |||
+ | Asterisk 1.8 includes the port number in the log entry so it broke the existing regex for detecting the host IP.<br><br> | ||
+ | |||
+ | Here is a sample of the new logs for a bad password login attempt<br> | ||
+ | <code> | ||
+ | Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from 'XXXXXXXXXXXXXXXXX' failed for '192.168.200.100:36998' - Wrong password<br> | ||
+ | </code> | ||
+ | |||
+ | Notice the port is listed with the offending IP separated by a colon.<br><br> | ||
+ | |||
+ | Here are new regex's that work by not including the colon port number in the <HOST> variable that gets passed to iptables. Edit your asterisk filter in the /etc/fail2ban/filters.d/ directory accordingly. | ||
+ | |||
+ | <code> | ||
+ | Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password<br> | ||
+ | Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found<br> | ||
+ | Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch<br> | ||
+ | Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL<br> | ||
+ | Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register | ||
+ | </code> |
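Review bot: in the five added patterns, the From value is matched with a greedy '.*' and nothing anchors the end of the line, so the address captured as <HOST> is only as trustworthy as the text between the first pair of quotes, which comes from the registration request. Consider narrowing that part to '[^']*' and ending each pattern with $, for example: Registration from '[^']*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password$. The trailing <br> tags inside the <code> block are wiki markup and should not end up in the filter file when the lines are copied.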
Revision as of 04:02, 5 November 2010
I have the following asterisk failures in syslog (not /var/log/asterisk/messages)...
Sep 30 19:53:49 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:123@phone.example.net>' failed for '192.0.2.1' - Wrong password
Sep 30 19:57:43 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:321@phone.example.net>' failed for '192.0.2.1' - No matching peer found
Sep 30 19:59:03 hostname asterisk[30888]: NOTICE[30924]: chan_sip.c:18390 in handle_request_register: Registration from '"123"<sip:123@phone.example.net>' failed for '192.0.2.1' - Username/auth name mismatch
The filter I am using (which appears to work for all the above log entries) is as follows...
failregex = NOTICE[[][0-9]*]: chan_sip.c:.* Registration from .* failed for [']<HOST>['].*$
You should change logger time format in /etc/asterisk/logger.conf
[general]
dateformat=%F %T
For full information check http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
New REGEX for Asterisk 1.8
Asterisk 1.8 includes the port number in the log entry so it broke the existing regex for detecting the host IP.
Here is a sample of the new logs for a bad password login attempt
Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from 'XXXXXXXXXXXXXXXXX' failed for '192.168.200.100:36998' - Wrong password
Notice the port is listed with the offending IP separated by a colon.
Here are new regexes that work by not including the colon port number in the <HOST> variable that gets passed to iptables. Edit your asterisk filter in the /etc/fail2ban/filters.d/ directory accordingly.
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
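A quick offline check of the patterns above against both log shapes, added here as an example and not part of the original post or of fail2ban. The `HOST` expression is a simplified IPv4 stand-in for fail2ban's `<HOST>` tag, the `OLD` template is an assumed pre-1.8 form without the port group, and the function names and sample lines are constructed for illustration.

```python
import re

# Stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the
# substitution fail2ban itself performs is broader than this).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

REASONS = (
    "Wrong password",
    "No matching peer found",
    "Username/auth name mismatch",
    "Device does not match ACL",
    "Peer is not supposed to register",
)

def compile_filter(template):
    """Expand <HOST> and return one compiled regex per failure reason."""
    prefix = template.replace("<HOST>", HOST)
    return [re.compile(prefix + re.escape(reason)) for reason in REASONS]

# Assumed pre-1.8 shape (no port allowed) versus the patterns posted above.
OLD = compile_filter(r"Registration from '.*' failed for '<HOST>' - ")
NEW = compile_filter(r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - ")

def offending_host(line, patterns):
    """Return the address a matching pattern would hand to the ban action."""
    for rx in patterns:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

# Constructed sample lines modelled on the log excerpts on this page.
P = "localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: "
SAMPLES = {
    "1.8 with port": "Nov 4 18:30:40 " + P + "Registration from 'XXXX' failed for '192.168.200.100:36998' - Wrong password",
    "pre-1.8": "Sep 30 19:57:43 " + P + "Registration from '<sip:321@phone.example.net>' failed for '192.0.2.1' - No matching peer found",
    "six-digit port": "Nov 4 18:31:02 " + P + "Registration from 'XXXX' failed for '192.0.2.1:123456' - Wrong password",
    "unrelated": "Nov 4 18:31:10 " + P + "Registered SIP 'XXXX' at 192.0.2.1:5060",
}

def compare():
    """Map each sample label to (host under OLD, host under NEW)."""
    return {k: (offending_host(v, OLD), offending_host(v, NEW)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:15} old={old} new={new}")
```

The 1.8-style line is missed by the port-less template and matched by the posted ones, with only the address (no `:port`) captured for the ban action.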