Hi,

In the thread "Interesting attack tonight & fail2ban them" Bruce B mentioned it would be nice to have input from the Community to come up with the best set of fail2ban filters. That's a great idea. So let's start with Bruce's filters (thanks!) and take it from there. Anyone have any improvements and/or additions? Apologies for the line wrap. No idea how to prevent that in Thunderbird. The filters are also at http://pastebin.com/6T9M1W3F

Not sure, but it may be possible that logging has changed between Asterisk 1.4, 1.6, 1.8 and 10, so please mention the Asterisk version with your filters.

For Asterisk 1.8:

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)


There are 2 lines that I have which are not in this list:

NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

How about those (no idea for which Asterisk version they are)?

Regards,
Patrick

--
asterisk-users mailing list
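An added example, not part of the original post: a small Python harness that runs a subset of the Asterisk 1.8 filters above against constructed log lines and counts failures per source address, the way fail2ban does before comparing against maxretry. The <HOST> expansion is a simplified IPv4-only assumption, the log lines are constructed to fit the filters, and scan() and over_threshold() are hypothetical helper names.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Filters from the post; parentheses Asterisk prints literally are escaped.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
]

# Constructed log lines using documentation IP ranges, not captured traffic.
SAMPLE_LOG = """\
[2012-03-01 22:10:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2012-03-01 22:10:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2012-03-01 22:10:03] NOTICE[1234] chan_iax2.c: No registration for peer 'guest' (from 198.51.100.7)
[2012-03-01 22:10:04] NOTICE[1234] chan_iax2.c: Host 198.51.100.7 failed MD5 authentication for 'guest' (abc != def)
[2012-03-01 22:10:05] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
[2012-03-01 22:10:06] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '192.0.2.44:5060' - Wrong password
"""

def scan(log_text, patterns=FAILREGEX):
    """Count matching failure lines per source host."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # count each log line at most once
    return hits

def over_threshold(hits, maxretry=2):
    """Hosts whose failure count has reached maxretry."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print(dict(hits))
    print(over_threshold(hits))
```

Passing the "No registration for peer" filter with unescaped parentheses to scan() returns no hits on the same input, because the parentheses then form a regex group instead of matching the literal characters. On a live system, fail2ban-regex run against the real log file and filter file is the authoritative check.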