I have fail2ban 0.9.1 and Asterisk 11 on Fedora 21, using iptables.
The IP addresses attacking the server are not getting written to iptables automatically (see below: it works when I run banip manually). Does anyone see the error that is causing this?
I see messages in /var/log/asterisk/messages logging miscreants trying erroneous extensions.
My regex works, because when I run
fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf I get
Lines: 2985 lines, 0 ignored, 597 matched, 2388 missed [processed in 0.66 sec]
This means 597 lines matched the regular expression, right? Is there a way to show which lines matched, and what the variables were?
I can do:
fail2ban-client set asterisk banip 107.150.44.222 and iptables is updated and the IP banned. (Yes, I know I used a real IP address -- as far as I'm concerned everyone is welcome to ban the ba$%*$#rd.)
jail.local:

```ini
[asterisk]
enabled = yes
filter = asterisk
protocol = all
logpath = /var/log/asterisk/messages
banaction = iptables-multiport
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
maxretry = 3
bantime = 432000
findtime = 86400
```

I removed the reference to asterisk in jail.conf to avoid conflicts.
filter.d/asterisk.conf:

```ini
[INCLUDES]

# Read common prefixes. If any customizations are available -- read them from
# common.local
before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.
# Values:  TEXT
#
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\s+\d*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/(<HOST>)/[0-9]{4}"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
Your asterisk.conf and jail.local entry look fine, though typically you would add the jail name after banaction. Example: banaction=iptables-multiport[name=asterisk]
Restart the fail2ban service and check the fail2ban log for errors. A common one that didn't get fixed until v0.9.2 is:
Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'
To fix it, update to fail2ban v0.9.2 or edit the file /usr/share/fail2ban/common/__init__.py
and add the following text to the end of the file:

```python
from time import strptime
# strptime thread safety hack-around - http://bugs.python.org/issue7980
strptime("2012", "%Y")
```

> Is there a way to show which lines matched, and what the variables were?

You'll want to use the -v option to fail2ban-regex. It won't give you the matched variables, but it will list each IP address associated with a matched line. You can then examine the details for that IP in the Asterisk logs.
fail2ban-regex -v /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
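The two things the question asks for (which lines matched, and what `<HOST>` captured) and the answer's point that `fail2ban-regex -v` only lists the IP per matched line can both be seen by re-implementing the filter's matching in a few lines. The script below is an added example, not part of the original question, answer, or fail2ban's own code. It assumes fail2ban's usual expansion of `<HOST>` into a named `host` group, strips the timestamp the way fail2ban does (leaving the `[]` that `log_prefix` expects), runs a subset of the asterisk failregex lines from the question over constructed Asterisk 11 log lines, and then applies the jail's `maxretry`/`findtime` semantics as a simple model. The sample log, the fixed year, and the `[C-...]` call-id form in the prefix are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands the <HOST> tag to this named group (IPv4-mapped IPv6 prefix optional).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Prefix of an Asterisk NOTICE/SECURITY line after fail2ban has cut the timestamp out,
# modelled on the filter's log_prefix (the optional [C-...] call id is an assumption here).
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*"

# A subset of the asterisk filter's failregex lines, written the way the filter writes them.
FAILREGEX = [
    r"^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$",
    r"^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$",
    r"^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$",
    r"^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$",
]

# Asterisk 11 default timestamp, e.g. "[Feb  2 10:11:12] ". Only the date text is removed,
# so "[Feb  2 10:11:12] NOTICE..." becomes "[] NOTICE...", which is what log_prefix expects.
TIMESTAMP_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\]")
ASSUMED_YEAR = 2015  # syslog-style timestamps carry no year; fixed here for the example

# Constructed sample log: two attackers, one verbose line that must not match.
SAMPLE_LOG = """\
[Feb  2 10:11:12] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Feb  2 10:11:13] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Feb  2 10:11:14] NOTICE[1234][C-0000001a] chan_sip.c: Call from '' (203.0.113.5:5060) to extension '900441234567890' rejected because extension not found in context 'default'.
[Feb  2 10:11:15] NOTICE[1234] chan_sip.c: Host 198.51.100.7 failed MD5 authentication for 'admin' (abc123 != def456)
[Feb  2 10:11:16] VERBOSE[1234] pbx.c:     -- Executing [s@default:1] NoOp("SIP/100-00000001", "") in new stack
[Feb  2 12:00:00] NOTICE[1234] chan_sip.c: Registration from '"sip"<sip:sip@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
"""


def compile_failregex(patterns, log_prefix=LOG_PREFIX, host_tag=HOST_TAG):
    """Expand %(log_prefix)s and <HOST> as fail2ban does, then compile each pattern."""
    return [re.compile(p.replace("%(log_prefix)s", log_prefix).replace("<HOST>", host_tag))
            for p in patterns]


REGEXES = compile_failregex(FAILREGEX)


def match_line(line, regexes):
    """Return (timestamp, host, index of the failregex that hit) or None for a non-failure line."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    stripped = line[:m.start("ts")] + line[m.end("ts"):]   # "[] NOTICE[1234] chan_sip.c: ..."
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    for idx, rx in enumerate(regexes):
        hit = rx.match(stripped)
        if hit:
            return ts, hit.group("host"), idx
    return None


def matched_lines(lines, regexes):
    """The per-line view fail2ban-regex -v gives: (host, regex index) for every matching line."""
    hits = []
    for line in lines:
        hit = match_line(line, regexes)
        if hit is not None:
            _, host, idx = hit
            hits.append((host, idx))
    return hits


def offenders(lines, regexes, maxretry=3, findtime=86400):
    """Model of the jail: count hits per host inside a sliding findtime window (seconds) and
    return {host: time of the hit that reached maxretry}. Hosts already listed are not re-added."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        hit = match_line(line, regexes)
        if hit is None:
            continue
        ts, host, _ = hit
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, idx in matched_lines(lines, REGEXES):
        print("matched regex %d  host=%s" % (idx, host))
    for host, when in offenders(lines, REGEXES, maxretry=3, findtime=86400).items():
        print("would ban %s at %s" % (host, when.time()))
```

Run it and the three failures from 203.0.113.5 within one findtime window reach maxretry=3, while 198.51.100.7 with a single MD5 failure does not; shrinking findtime to one second makes the same three lines fall into separate windows and nobody is banned. The same idea, pointed at the real file, is what `fail2ban-regex -v` reports per line.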