Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

On Fri, Jan 9, 2015 at 5:24 PM, Michelle Dupuis mdup...@ocg.ca wrote:
> I'd suggest taking a look at the free edition of SecAst (www.generationd.com). It handles these messages perfectly (and can also use AMI security events) - so you don't need to constantly be updating fail2ban rules. It's a drop-in replacement for fail2ban.
>
> -M-
>
> P.S. My opinions are my own and do not necessarily represent those of my employer. As an employee of Generation D System you can bet my opinions are biased though!

It's nice to hear someone is making use of the AMI security events!

--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com http://asterisk.org

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

I'd suggest taking a look at the free edition of SecAst (www.generationd.com). It handles these messages perfectly (and can also use AMI security events) - so you don't need to constantly be updating fail2ban rules. It's a drop-in replacement for fail2ban.

-M-

P.S. My opinions are my own and do not necessarily represent those of my employer. As an employee of Generation D System you can bet my opinions are biased though!

From: asterisk-users-boun...@lists.digium.com on behalf of ricky gutierrez xserverli...@gmail.com
Sent: Friday, January 9, 2015 3:02 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

> 2015-01-09 3:53 GMT-06:00 Stefan Gofferje li...@home.gofferje.net:
>> Do you really want to detect ChallengeSent? That should occur also on legitimate login processes...
>
> Hi, the strange thing is that I still don't have this Asterisk in production and I see many connection attempts. Now keep in mind that when an authentication connection is successful the message changes and is not exactly what you mention:
>
> ## SecurityEvent=SuccessfulAuth,EventTV=1420832883-140932,
>
> I think fail2ban is not detecting this type of connection-attempt message with my Asterisk. I'm no expert, but the log does not lie ;)
>
> regards
>
> --
> rickygm
> http://gnuforever.homelinux.com
Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

On 01/08/2015 11:37 PM, ricky gutierrez wrote:
> Hi list, has someone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop it:
>
> [2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent=ChallengeSent,EventTV=1420750787-386840,Severity=Informational,Service=SIP,EventVersion=1,AccountID=sip:100@173.230.133.20,SessionID=0x169f528,LocalAddress=IPV4/UDP/173.230.133.20/5060,RemoteAddress=IPV4/UDP/63.141.229.58/5078,Challenge=770e84a3
> [2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent=ChallengeSent,EventTV=1420752020-854997,Severity=Informational,Service=SIP,EventVersion=1,AccountID=sip:102@173.230.133.20,SessionID=0x169f528,LocalAddress=IPV4/UDP/173.230.133.20/5060,RemoteAddress=IPV4/UDP/198.204.241.58/5074,Challenge=23965594
>
> I modified the fail2ban with the filter, but it is still not detected.

Do you really want to detect ChallengeSent? That should occur also on legitimate login processes...

-S

--
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface
Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

2015-01-09 9:05 GMT-06:00 Tech Support aster...@voipbusiness.us:
> Hello;
> Did you remember to uncomment the dateformat in /etc/asterisk/logger.conf? That's necessary for fail2ban to work.
>
> Logger.conf
> [general]
> dateformat=%F %T

Hi, I'll show my logger:

dateformat=%F %T ; ISO 8601 date format
use_callids=yes
appendhostname=no
security=security,notice

regards

--
rickygm
http://gnuforever.homelinux.com
Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

2015-01-09 3:53 GMT-06:00 Stefan Gofferje li...@home.gofferje.net:
> Do you really want to detect ChallengeSent? That should occur also on legitimate login processes...

Hi, the strange thing is that I still don't have this Asterisk in production and I see many connection attempts. Now keep in mind that when an authentication connection is successful the message changes and is not exactly what you mention:

## SecurityEvent=SuccessfulAuth,EventTV=1420832883-140932,

I think fail2ban is not detecting this type of connection-attempt message with my Asterisk. I'm no expert, but the log does not lie ;)

regards

--
rickygm
http://gnuforever.homelinux.com
Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

Hello;
Did you remember to uncomment the dateformat in /etc/asterisk/logger.conf? That's necessary for fail2ban to work.

Logger.conf
[general]
dateformat=%F %T

Regards;
John

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of ricky gutierrez
Sent: Thursday, January 08, 2015 4:38 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

Hi list, has someone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop it:

[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent=ChallengeSent,EventTV=1420750787-386840,Severity=Informational,Service=SIP,EventVersion=1,AccountID=sip:100@173.230.133.20,SessionID=0x169f528,LocalAddress=IPV4/UDP/173.230.133.20/5060,RemoteAddress=IPV4/UDP/63.141.229.58/5078,Challenge=770e84a3
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent=ChallengeSent,EventTV=1420752020-854997,Severity=Informational,Service=SIP,EventVersion=1,AccountID=sip:102@173.230.133.20,SessionID=0x169f528,LocalAddress=IPV4/UDP/173.230.133.20/5060,RemoteAddress=IPV4/UDP/198.204.241.58/5074,Challenge=23965594

I modified the fail2ban with the filter, but it is still not detected.

asterisk.conf

log_prefix = \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default' \.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*sip:[^@]+@<HOST>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent=(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword),EventTV=[\d-]+,Severity=[\w]+,Service=[\w]+,EventVersion=\d+,AccountID=\d+,SessionID=0x[\da-f]+,LocalAddress=IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+,RemoteAddress=IPV[46]/(UD|TC)P/<HOST>/\d+(,Challenge=\w+,ReceivedChallenge=\w+)?(,ReceivedHash=[\da-f]+)?$

ignoreregex =

--
rickygm
http://gnuforever.homelinux.com
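As an added example (not code from the thread, from fail2ban or from Asterisk), the following Python script applies the distinction the thread arrives at to constructed sample lines: it parses res_security_log.c lines into fields, counts per remote host only the failure event types named in the posted failregex (FailedACL, InvalidAccountID, ChallengeResponseFailed, InvalidPassword), and ignores ChallengeSent, which Asterisk also logs right before a SuccessfulAuth. The sample log and its addresses (RFC 5737 documentation ranges) are constructed; the field names follow the lines posted in the thread, and the maxretry threshold is an assumed value.

```python
import re
from collections import Counter

# Failure event types, mirroring the alternation in the thread's failregex.
# ChallengeSent is deliberately absent: it is Informational and Asterisk logs
# it for every digest challenge, including the one before a SuccessfulAuth.
FAILURE_EVENTS = frozenset(
    {"FailedACL", "InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword"}
)
LINE_RE = re.compile(
    r"^\[[^\]]+\] SECURITY\[\d+\] res_security_log\.c: (?P<body>SecurityEvent=\S+)$"
)
# Constructed sample (not from the thread); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent=ChallengeSent,EventTV=1420750787-386840,Severity=Informational,Service=SIP,EventVersion=1,AccountID=sip:100@192.0.2.10,SessionID=0x169f528,LocalAddress=IPV4/UDP/192.0.2.10/5060,RemoteAddress=IPV4/UDP/198.51.100.7/5078,Challenge=770e84a3
[2015-01-08 14:59:48] SECURITY[21515] res_security_log.c: SecurityEvent=InvalidPassword,EventTV=1420750788-100001,Severity=Error,Service=SIP,EventVersion=2,AccountID=sip:100@192.0.2.10,SessionID=0x169f528,LocalAddress=IPV4/UDP/192.0.2.10/5060,RemoteAddress=IPV4/UDP/198.51.100.7/5078,Challenge=770e84a3,ReceivedChallenge=770e84a3,ReceivedHash=00112233445566778899aabbccddeeff
[2015-01-08 14:59:49] SECURITY[21515] res_security_log.c: SecurityEvent=InvalidPassword,EventTV=1420750789-100002,Severity=Error,Service=SIP,EventVersion=2,AccountID=sip:100@192.0.2.10,SessionID=0x169f528,LocalAddress=IPV4/UDP/192.0.2.10/5060,RemoteAddress=IPV4/UDP/198.51.100.7/5078,Challenge=770e84a3,ReceivedChallenge=770e84a3,ReceivedHash=ffeeddccbbaa99887766554433221100
[2015-01-08 14:59:50] SECURITY[21515] res_security_log.c: SecurityEvent=InvalidPassword,EventTV=1420750790-100003,Severity=Error,Service=SIP,EventVersion=2,AccountID=sip:100@192.0.2.10,SessionID=0x169f528,LocalAddress=IPV4/UDP/192.0.2.10/5060,RemoteAddress=IPV4/UDP/198.51.100.7/5078,Challenge=770e84a3,ReceivedChallenge=770e84a3,ReceivedHash=0123456789abcdef0123456789abcdef
[2015-01-08 15:00:01] SECURITY[21515] res_security_log.c: SecurityEvent=ChallengeSent,EventTV=1420750801-200001,Severity=Informational,Service=SIP,EventVersion=1,AccountID=sip:101@192.0.2.10,SessionID=0x16a0000,LocalAddress=IPV4/UDP/192.0.2.10/5060,RemoteAddress=IPV4/UDP/203.0.113.9/5060,Challenge=23965594
[2015-01-08 15:00:02] SECURITY[21515] res_security_log.c: SecurityEvent=SuccessfulAuth,EventTV=1420750802-200002,Severity=Informational,Service=SIP,EventVersion=1,AccountID=sip:101@192.0.2.10,SessionID=0x16a0000,LocalAddress=IPV4/UDP/192.0.2.10/5060,RemoteAddress=IPV4/UDP/203.0.113.9/5060,UsingPassword=0
[2015-01-08 15:00:03] NOTICE[21515] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
"""

def parse_event(line):
    """Key=value fields of one res_security_log line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return dict(kv.partition("=")[::2] for kv in m.group("body").split(","))

def remote_host(fields):
    """Peer host from 'IPV4/UDP/host/port'; IPv6 hosts contain no '/'."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def count_events(lines, events=FAILURE_EVENTS):
    """Per-remote-host count of the given SecurityEvent types."""
    counts = Counter()
    for ev in filter(None, map(parse_event, lines)):
        if ev.get("SecurityEvent") in events and remote_host(ev):
            counts[remote_host(ev)] += 1
    return counts

def ban_candidates(lines, maxretry=3):
    """Hosts reaching maxretry failures, the threshold fail2ban would act on (assumed value)."""
    return sorted(h for h, n in count_events(lines).items() if n >= maxretry)
```

Because it splits each event on commas rather than matching a fixed field layout, the parser accepts both `AccountID=sip:100@...`, as in the posted log lines, and the bare numeric `AccountID=\d+` that the posted failregex expects; the chan_sip NOTICE line is deliberately left to the other failregex entries and is skipped here.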