Reputation: 723
I have an asterisk server that is being attacked. There is a fail2ban jail for the asterisk logs, but the configuration does not pick up this situation:
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:[email protected]>' failed for '185.210.157.40:5977' (callid: 1048704493) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 522785130) - No matching endpoint found after 35 tries in 0.182 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 522785130) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 1616436563) - No matching endpoint found after 36 tries in 0.187 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 1616436563) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:[email protected]>' failed for '185.210.157.40:5977' (callid: 2926631629) - No matching endpoint found after 37 tries in 0.199 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:[email protected]>' failed for '185.210.157.40:5977' (callid: 2926631629) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:[email protected]>' failed for '185.210.157.40:5677' (callid: 2397138656) - No matching endpoint found after 38 tries in 0.200 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:[email protected]>' failed for '185.210.157.40:5677' (callid: 2397138656) - Failed to authenticate
/etc/fail2ban/asterisk-security.conf :
[INCLUDES]

[Definition]
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
ignoreregex =
My understanding of regular expressions is poor, and I would be very thankful if someone could help with the failregex definition in order to detect this attack!
Upvotes: -1
Views: 125
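One way to draft and test a failregex for the PJSIP NOTICE lines quoted above before handing it to fail2ban, as an added example that is not from the question, the answer below, or fail2ban's shipped asterisk.conf: the pattern is modelled on those log lines, the sample lines are constructed with TEST-NET addresses, and HOST_GROUP is a simplified stand-in for fail2ban's own <HOST> expansion.

```python
import re

# fail2ban-style failregex for the PJSIP NOTICE lines quoted in the question.
# <HOST> is fail2ban's placeholder, expanded by fail2ban when the filter loads.
FAILREGEX = (
    r"NOTICE\S* res_pjsip/pjsip_distributor\.c: Request '\w+' from '[^']*' "
    r"failed for '<HOST>:\d+' \(callid: [^)]*\) - "
    r"(?:No matching endpoint found|Failed to authenticate)"
)

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 or bracketed IPv6).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\])"

def compile_failregex(pattern):
    """Turn a fail2ban-style failregex (containing <HOST>) into a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

def failed_hosts(lines):
    """Count matching authentication-failure lines per source host."""
    rx = compile_failregex(FAILREGEX)
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed sample lines (TEST-NET addresses, made-up PBX host; not a real capture).
SAMPLE_LOG = [
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: "
    "Request 'REGISTER' from '\"213\" <sip:213@pbx.example>' failed for "
    "'203.0.113.5:5977' (callid: 1048704493) - Failed to authenticate",
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: "
    "Request 'REGISTER' from '\"322\" <sip:322@pbx.example>' failed for "
    "'203.0.113.5:5803' (callid: 522785130) - No matching endpoint found "
    "after 35 tries in 0.182 ms",
    "[2023-07-27 11:25:58] NOTICE[152570] res_pjsip/pjsip_distributor.c: "
    "Request 'INVITE' from '\"100\" <sip:100@pbx.example>' failed for "
    "'198.51.100.9:5060' (callid: 777) - Failed to authenticate",
    # An unrelated NOTICE line that must not be counted as a failure:
    "[2023-07-27 11:25:59] NOTICE[152570] res_pjsip/pjsip_options.c: "
    "Contact 100/sip:100@198.51.100.9:5060 is now Reachable.",
]

if __name__ == "__main__":
    print(failed_hosts(SAMPLE_LOG))  # {'203.0.113.5': 2, '198.51.100.9': 1}
```

The same pattern can be checked against the real log with `fail2ban-regex /var/log/asterisk/messages '<pattern>'` before it goes into a filter file.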
Reputation: 723
Finally found out that fail2ban is delivered with an asterisk filter that does all I need (/etc/fail2ban/filter.d/asterisk.conf), so I just had to use this one.
Upvotes: 1