jail.conf [asterisk-iptables] enabled = true filter = asterisk action = iptables-allports[name=ASTERISK, protocol=all] sendmail-whois[name=ASTERISK, dest=root, sender=fail2...@example.org] logpath = /var/log/asterisk/messages maxretry = 5 bantime = 259200
filter asterisk.conf [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local #before = common.conf [Definition] #_daemon = asterisk # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL NOTICE.* <HOST> failed to authenticate as '.*'$ NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@<HOST>.* ignoreregex = logger.conf [general] ; ; Customize the display of debug message time stamps ; this example is the ISO 8601 date format (yyyy-mm-dd HH:MM:SS) ; ; see strftime(3) Linux manual for format specifiers. Note that there is also ; a fractional second parameter which may be used in this field. Use %1q ; for tenths, %2q for hundredths, etc. ; dateformat=%F %T ; ISO 8601 date format ;dateformat=%F %T.%3q ; with milliseconds Dave -----Original Message----- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Daniel Tryba Sent: Monday, December 27, 2010 5:16 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] sip attack.. fail2ban not stopping attack On Sat, Dec 25, 2010 at 04:04:59PM -0700, Dave George wrote: > My server is being attached all day and fail2ban is not stopping the > attack. I updated stamstamp to match fail2ban requirements. How about posting your fail2ban config? -- Daniel Tryba -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users