Difference between revisions of "Asterisk"
Line 10: | Line 10: | ||
filter = asterisk | filter = asterisk | ||
action = iptables-allports[name=ASTERISK, protocol=all] | action = iptables-allports[name=ASTERISK, protocol=all] | ||
− | sendmail[name=ASTERISK, dest= | + | sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local] |
logpath = /var/log/messages | logpath = /var/log/messages | ||
maxretry = 2 | maxretry = 2 |
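Review bot: The replacement `sendmail[...]` line sets `dest=you@yourmail.co.uk`, which is meant as a placeholder but looks like a deliverable address, so a reader who copies the jail unchanged will send ban notifications to a mailbox they do not control. Use an address under a reserved domain such as `example.com` for the placeholder, or state next to the block that `dest` and `sender` must be changed before the jail is enabled.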
Revision as of 14:03, 17 December 2008
Hello all,
I have fail2ban installed on CentOS 4.7 with Shoreline Firewall (Shorewall) and IpTables. This works well with SSH, Apache and Named bans. However, I am still trying to get it to ban failed SIP registration attempts in Asterisk.
My jail.conf contains the following for Asterisk:
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath  = /var/log/messages
maxretry = 2
bantime  = 259200
Here is the filter.d/asterisk file:
# Fail2Ban configuration file
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
I cannot figure out why this is not banning. Do I have the right log file? This is the one I was directed to in the online instructions. Can anyone help me please?
Thank you in advance for any assistance
Phil
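An added example, not part of the original post and not fail2ban's own code: an offline check of whether failregex lines like those above match a given log line and which hosts would reach `maxretry`. It expands `<HOST>` using the alias quoted in the filter's comments; the log lines are constructed samples, and `findtime` and unbanning are ignored as a simplifying assumption.

```python
import re
from collections import Counter

# <HOST> alias exactly as quoted in the filter's comment block.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Three failregex lines copied from the filter in the post.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
]
MAXRETRY = 2  # maxretry from the [asterisk-iptables] jail
# Constructed sample lines using documentation addresses, not real log data.
SAMPLE_LOG = [
    "[Dec 17 13:58:02] NOTICE[2345] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.45' - Wrong password",
    "[Dec 17 13:58:09] NOTICE[2345] chan_sip.c: Registration from '\"admin\" <sip:admin@192.0.2.10>' failed for '203.0.113.45' - No matching peer found",
    "[Dec 17 13:59:30] NOTICE[2345] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "Dec 17 13:59:40 pbx sshd[4021]: Failed password for root from 198.51.100.7 port 50122 ssh2",
    "[Dec 17 14:00:01] NOTICE[2345] chan_sip.c: Peer '100' is now UNREACHABLE!",
]

def compile_failregex(patterns):
    """Expand <HOST>; reject any pattern that has no group named 'host'."""
    compiled = []
    for p in patterns:
        rx = re.compile(p.replace("<HOST>", HOST_ALIAS))
        if "host" not in rx.groupindex:
            raise ValueError("pattern cannot capture a host: %r" % p)
        compiled.append(rx)
    return compiled

def match_host(line, compiled):
    """Return the host captured by the first matching pattern, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, patterns=FAILREGEX, maxretry=MAXRETRY):
    """Hosts whose matched failure count reaches maxretry (no time window)."""
    compiled = compile_failregex(patterns)
    hits = Counter(h for h in (match_host(l, compiled) for l in lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

fail2ban ships a `fail2ban-regex` tool that runs the same kind of check against a real log file and filter.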