Channel: Distro Discussion & Help - FreePBX Community Forums

Fail2ban asterisk filter really needs an update

@GeekBoy wrote:

Here is the latest asterisk.conf filter for fail2ban

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s tried to authenticate with nonexistent user.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s failed to authenticate as.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '[^']*' failed for '<HOST>:\d+' .+ No matching endpoint found$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<HOST>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

These WARNINGS do not have a file attribute, as they're generated dynamically

        ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
        ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

I notice it does not contain an issue I, and I am sure others, are facing. I am getting slammed with the following:

NOTICE[787]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'REGISTER' from '"503" sip:503@xxx,xx,xx.xxx' failed for '208.115.215.190:5545' (callid: 1561966880) - Failed to authenticate

NOTICE[1151]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' from 'sip:201@xxx,xx,xx.xxx' failed for '156.96.128.152:57514' (callid: 516245299-300992231-417930326) - No matching endpoint found

While there is a “Failed to authenticate” in the filter, it does not seem to be applicable to the log snip I pasted here.

Posts: 6

Participants: 2
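An added example, not code from the thread or from fail2ban's own filter file, that runs the two log lines pasted above through the relevant expressions of the posted filter and through a pjsip-aware expression written for this example. It assumes a `PREFIX` modelled on the `log_prefix` of fail2ban's asterisk filter (an approximation, not a copy), an IPv4-only stand-in for fail2ban's `<HOST>` tag, and a hypothetical `PJSIP_FILTER` pattern that tolerates the quoted request type and the `(callid: ...)` field; the goal is to see which lines a pattern would actually ban on and which source address it would extract.

```python
import re

# Sample log lines as pasted in the thread (addresses and the xxx redaction are as given there).
SAMPLE_LINES = [
    "NOTICE[787]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'REGISTER' "
    "from '\"503\" sip:503@xxx,xx,xx.xxx' failed for '208.115.215.190:5545' "
    "(callid: 1561966880) - Failed to authenticate",
    "NOTICE[1151]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' "
    "from 'sip:201@xxx,xx,xx.xxx' failed for '156.96.128.152:57514' "
    "(callid: 516245299-300992231-417930326) - No matching endpoint found",
]

# Stand-in for fail2ban's <HOST> tag: a named group for an IPv4 address (assumption;
# fail2ban itself substitutes a broader expression that also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Approximation of the log_prefix in fail2ban's asterisk filter (assumption, modelled on
# it rather than copied).  The timestamp is optional because the pasted lines have none.
PREFIX = (
    r"^(?:\[[^\]]*\]\s*)?(?:NOTICE|SECURITY|WARNING)(?:\s*\[\d+\])?:?"
    r"(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? \w+:)?"
)

# The two expressions from the posted filter one might expect to fire, with <HOST> substituted.
POSTED_FILTER = [
    re.compile(PREFIX + r" Failed to authenticate (user|device) [^@]+@" + HOST + r"\S*$"),
    re.compile(PREFIX + r" Request from '[^']*' failed for '" + HOST
               + r":\d+' .+ No matching endpoint found$"),
]

# Hypothetical pjsip-aware expression written for this example: the request type may be
# quoted before "from", the port is optional, the callid is skipped, and both failure
# reasons from the pasted lines are accepted.
PJSIP_FILTER = [
    re.compile(
        PREFIX
        + r" Request (?:'[^']*' )?from '[^']*' failed for '" + HOST + r"(?::\d+)?'"
        + r"\s\(callid: [^)]*\) - (?:No matching endpoint found|Failed to authenticate)\s*$"
    ),
]


def match_hosts(patterns, lines):
    """Return the source host extracted from each line that matches any pattern.

    This mirrors what fail2ban needs from a failregex: a line either yields the
    <HOST> group (and counts as a failure for that address) or is ignored.
    """
    hosts = []
    for line in lines:
        for pat in patterns:
            m = pat.match(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print("posted filter matched:", match_hosts(POSTED_FILTER, SAMPLE_LINES))
    print("pjsip-aware filter matched:", match_hosts(PJSIP_FILTER, SAMPLE_LINES))
```

Neither pasted line is matched by the posted expressions, because the pjsip distributor writes `Request 'REGISTER' from ...` and appends `(callid: ...)`, which the older `Request from '...'` form and the `Failed to authenticate (user|device) user@host` form do not anticipate; the pjsip-aware pattern matches both and yields the remote address. Before deploying any changed filter, run `fail2ban-regex` against the real log file and the filter to confirm which lines match and how many hits each expression produces.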
