On Fri, 15 Jan 2021, James Moe via Fail2ban-users wrote:
On 1/14/21 8:12 AM, Dan Mahoney (Gushi) wrote:
We have a regex that "matches" but I watch fail2ban.log with "tail
-F" and I watch match and match and match
and not ban.
Show your jail and filter conf.
Fail2ban 0.9.6-2 under debian 9.13
Config bits relevant to asterisk:
jail.conf:
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
filters.d/asterisk.conf:
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
logencoding=utf-8
_daemon = asterisk
__pid_re = (?:\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# __prefix_line =
# %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
#[2019-06-07 22:31:48] NOTICE[1065] chan_sip.c: Registration from '"9007" <sip:[email protected]>' failed for '77.247.110.35:6121' - Wrong password
#[2019-06-07 22:31:48] NOTICE[1065] chan_sip.c: Registration from '"9007" <sip:[email protected]>' failed for '77.247.110.35:6121' - Wrong password
#[2019-06-07 22:31:48] NOTICE[1065] chan_sip.c: Registration from '"9007" <sip:[email protected]>' failed for '77.247.110.35:6121' - Wrong password
__prefix_line = (.*)
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
            ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
            ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
ignoreregex =
# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
jail.local:
[asterisk]
enabled = true
findtime = 600
maxretry = 1
bantime = 3600
Anything obvious here? Again, fail2ban-regex finds the line, and we can
see fail2ban finding them too. Just sometimes...doing nothing.
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
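The following is an added example, not part of the thread above and not fail2ban's own code. fail2ban-regex only reports whether a failregex matches a line; whether a ban fires also depends on the timestamp fail2ban reads from the line, findtime and maxretry. This script hand-expands three of the failregex entries from the posted asterisk.conf (with the user's __prefix_line = (.*)), runs them over constructed chan_sip log lines, and then applies a simplified model of the jail's decision: a matching line whose log timestamp is older than findtime relative to "now" is discarded and never counts toward maxretry. The <HOST> expansion, the date parsing, the sample lines, the wall-clock value NOW and the maxretry of 3 (the post's jail.local uses 1) are all assumptions made for the example; fail2ban's real date detector and FailManager are more involved than this model.

```python
import re
from datetime import datetime, timedelta

# Hand-expanded from the filter in the post: %(__pid_re)s, %(log_prefix)s and
# the user's __prefix_line = (.*). Only three failregex entries are transcribed.
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)" + PID_RE +
              r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")
PREFIX_LINE = r"(.*)"
# Assumption: an approximation of what fail2ban 0.9 substitutes for <HOST>.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

RAW_FAILREGEX = [
    r"^{p}{l} Registration from '[^']*' failed for '<HOST>(:\d+)?' - "
    r"(Wrong password|Username/auth name mismatch|No matching peer found"
    r"|Not a local domain|Device does not match ACL|Peer is not supposed to register"
    r"|ACL error \(permit/deny\)|Not a local domain)$",
    r"^{p}{l} Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' "
    r"rejected because extension not found in context",
    r"^{p}{l} Host <HOST> failed to authenticate as '[^']*'$",
]
FAILREGEX = [re.compile(r.format(p=PREFIX_LINE, l=LOG_PREFIX).replace("<HOST>", HOST_RE))
             for r in RAW_FAILREGEX]
# Assumption: Asterisk's default "[YYYY-MM-DD hh:mm:ss]" log timestamp.
DATE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample lines (addresses are documentation ranges, not real peers).
SAMPLE_LOG = """\
[2021-01-14 07:50:01] NOTICE[1065] chan_sip.c: Registration from '"9007" <sip:9007@192.0.2.10>' failed for '198.51.100.23:6121' - Wrong password
[2021-01-14 08:10:02] NOTICE[1065] chan_sip.c: Registration from '"9007" <sip:9007@192.0.2.10>' failed for '198.51.100.23:6121' - No matching peer found
[2021-01-14 08:10:03] NOTICE[1065][C-0000001a] chan_sip.c: Call from '' (198.51.100.23:5060) to extension '0011972599' rejected because extension not found in context 'default'.
[2021-01-14 08:10:04] NOTICE[1065] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2021-01-14 08:10:05] NOTICE[1065] chan_sip.c: Host 203.0.113.7 failed to authenticate as '100'
[2021-01-14 08:10:06] NOTICE[1065] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Username/auth name mismatch
[2021-01-14 08:10:07] WARNING[1065] chan_sip.c: Peer '100' is now UNREACHABLE!
"""
NOW = datetime(2021, 1, 14, 8, 12, 0)  # assumed wall clock when the lines are read


def match_line(line):
    """Return (host, log timestamp) if some failregex matches the line, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for rx in FAILREGEX:
        hit = rx.match(line)
        if hit:
            return hit.group("host"), when
    return None


def decide_bans(log_text, findtime_s, maxretry, now):
    """Simplified jail model: a match counts only if its log timestamp lies
    within findtime of now; a host is banned once its count reaches maxretry.
    Returns {host: (lines matched, lines counted, banned)}."""
    findtime = timedelta(seconds=findtime_s)
    matched, counted = {}, {}
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit is None:
            continue
        host, when = hit
        matched[host] = matched.get(host, 0) + 1
        if now - when <= findtime:          # stale failures are dropped, not counted
            counted[host] = counted.get(host, 0) + 1
    return {h: (matched[h], counted.get(h, 0), counted.get(h, 0) >= maxretry)
            for h in matched}


def run_example():
    # findtime = 600 as in the posted jail.local; maxretry = 3 is a hypothetical
    # value chosen so the findtime window visibly changes the outcome.
    return decide_bans(SAMPLE_LOG, 600, 3, NOW)


if __name__ == "__main__":
    for host, (seen, fresh, banned) in run_example().items():
        print(f"{host}: matched={seen} counted={fresh} banned={banned}")
```

In the output, 198.51.100.23 matches three lines but only two fall inside the 600 s window, so it is not banned at maxretry 3, while 203.0.113.7 matches three fresh lines and is. The same harness, with the remaining failregex entries pasted in, gives a quick offline check of both the regex and the windowing for a given filter.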