Hi You could do somethink like this in Perl:
#!/usr/bin/perl -w use strict; use warnings; my (@failhost); my %currblocked; my %addblocked; my $action; open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log file file exist\?\n\n"; while (<MYINPUTFILE>) { my ($line) = $_; chomp($line); if ($line =~ m/\' failed for \'(.*?):\d+\' - No matching peer found/) { push(@failhost,$1); } if ($line =~ m/\' failed for \'(.*?):\d+\' - Wrong password/) { push(@failhost,$1); } } my $blockedhosts = `/sbin/iptables -n -L asterisk`; while ($blockedhosts =~ /(.*)/g) { my ($line2) = $1; chomp($line2); if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) { $currblocked{ $1 } = 'blocked'; } } if (@failhost) { &count_unique(@failhost); while (my ($ip, $count) = each(%addblocked)) { if (exists $currblocked{ $ip }) { } else { $action = `/sbin/iptables -I asterisk -s $ip -j REJECT`; print "$ip blocked. $count attempts.\n"; } } } else { # print "no failed registrations.\n"; } sub count_unique { my @array = @_; my %count; map { $count{$_}++ } @array; map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count); } Mind, this would NOT block attempts via IPv6. So I have stopped using that script, also reading the file over and over again is not very performant. I have not opted to using my MirkroTik Firewall to block failed attempts, similar rules can also be make with iptables: In the Mangle Ruleset: 1 ;;; SIP Check Unauth chain=forward action=add-dst-to-address-list protocol=udp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix="" 2 ;;; tcp sip check auth fail chain=forward action=add-dst-to-address-list protocol=tcp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix="" And then you just block all source address from sip-auth-fail in your forwarding table. This works for IPv6 and IPv4. (Als yes, depending on the speed of your link, this also could be ressource intensive on your firewall, as it does full packet inspection. Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users