I solved the problem. "action.d/iptables-custom.conf" include only udp. service fail2ban restart
Thank you. On Sun, Sep 13, 2015 at 9:17 PM, Andres <and...@telesip.net> wrote: > On 9/13/15 11:16 AM, Gokan Atmaca wrote: >> >> Hello >> >> I'm using the Fail2ban. I configuration below. I want to try to >> prevent the continuous password. Fail2ban password that does not >> prevent this form. (Asterisk 1.8 / Elastix interface) >> >> What could be the problem ? >> >> Asterisk log; >> "Registration from '<sip:3...@sip.x.eu;transport=UDP>' failed for >> 'x.x.x.x:32956' - Wrong password" > > Sometimes minor tweaks to the file are in order. My suggestion is to use > the fail2ban-regex utility to test the log file entry until it is detected. > Just put the line generated by asterisk in a test file and then run the > regex. > > # /usr/bin/fail2ban-regex -? > Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX] > > example: > > /usr/bin/fail2ban-regex testlogfile /etc/fail2ban/filter.d/asterisk.conf > > > > > >> >> >> Fail2ban asterisk filter; >> >> # Fail2Ban filter for asterisk authentication failures >> # >> >> [INCLUDES] >> >> # Read common prefixes. If any customizations available -- read them from >> >> # common.local >> before = common.conf >> >> >> [Definition] >> >> _daemon = asterisk >> >> __pid_re = (?:\[\d+\]) >> >> # All Asterisk log messages begin like this: >> log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? >> \S+:\d*( in \w+:)? >> >> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration >> from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong >> password|Username/auth name mismatch|No m$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from >> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension >> not found in context 'de$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> >> failed to authenticate as '[^']*'$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration >> for peer '[^']*' \(from <HOST>\)$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> >> failed MD5 authentication for '[^']*' \([^)]+\)$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from >> '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension >> not found in context 'de$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> >> failed to authenticate as '[^']*'$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration >> for peer '[^']*' \(from <HOST>\)$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> >> failed MD5 authentication for '[^']*' \([^)]+\)$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to >> authenticate (user|device) [^@]+@<HOST>\S*$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s >> (?:handle_request_subscribe: )?Sending fake auth rejection for >> (device|user) \d*<sip:[^@]+@<HOST>>;tag=$ >> ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s >> >> SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$ >> >> ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? >> )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$ >> >> ignoreregex = >> >> >> # Author: Xavier Devlamynck / Daniel Black >> # >> # General log format - main/logger.c:ast_log >> # Address format - ast_sockaddr_stringify >> # >> # First regex: channels/chan_sip.c >> # >> # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s >> > > > -- > Technical Support > http://www.cellroute.net > > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users