Fail2ban

To: debian-user@lists.debian.org
Subject: Fail2ban
From: Gokan Atmaca <linux.gokan@gmail.com>
Date: Sun, 13 Sep 2015 18:08:16 +0300
Message-id: <[🔎] CAHg8tEBVNsxSWV+Rk2s88Jr+z8pLbxwc4edYBi3TiKZSj561bg@mail.gmail.com>

Hello

I'm using the Fail2ban.  I configuration below. I want to try to
prevent the continuous password. Fail2ban password that does not
prevent this form.

What could be the problem ?

Asterisk log;
"Registration from '<sip:3060@sip.x.eu;transport=UDP>' failed for
'x.x.x.x:32956' - Wrong password"


Fail2ban asterisk filter;

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])?
\S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration
from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong
password|Username/auth name mismatch|No m$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from
'[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension
not found in context 'de$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration
for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST>
failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to
authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
(?:handle_request_subscribe: )?Sending fake auth rejection for
(device|user) \d*<sip:[^@]+@<HOST>>;tag=$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",S$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?
)Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in s

Reply to:

Follow-Ups:
- Re: Fail2ban
  - From: Nemeth Gyorgy <friczy@freemail.hu>

Prev by Date: Re: Upgrading Debian
Next by Date: Re: Upgrading Debian
Previous by thread: Re: Kernel crash message help
Next by thread: Re: Fail2ban
Index(es):
- Date
- Thread