SEMI OFF-TOPIC – Fail2ban


Hi list, has someone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop it:

[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"

I modified fail2ban with this filter, but it is still not detected:

asterisk.conf

log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

# <HOST> is fail2ban's placeholder for the address that gets banned
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

ignoreregex =
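To see why the filter above never fires on the posted lines, it helps to replay what fail2ban does with each line: it locates and removes the timestamp, substitutes the %(name)s definitions, expands <HOST> into a named capture group, and only then applies each failregex. The script below is an added illustration written for this page; it is not code from the post or from fail2ban. It reuses the SecurityEvent failregex and log_prefix from the filter above, assumes the <HOST> expansion fail2ban 0.9 used and a simple date pattern matching dateformat=%F %T, and runs over constructed sample lines that use RFC 5737 documentation addresses rather than the addresses in the post.

```python
import re

# fail2ban's expansion of the <HOST> tag (the form used by fail2ban 0.9).
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
# Assumption for this example: the timestamp written with dateformat=%F %T,
# which fail2ban locates and removes from the line before matching.
DATE_RE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')

# Definitions taken from the filter (asterisk.conf) in the post.
PID_RE = r'(?:\[\d+\])'
LOG_PREFIX = r'\[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*'
SECURITY_EVENT_FAILREGEX = (
    r'^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",'
    r'SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$'
)

# Constructed sample lines in the same shape as the post's security log
# (documentation addresses 192.0.2.10, 198.51.100.7, 203.0.113.5).
LOG_LINES = [
    '[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: '
    'SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",'
    'Service="SIP",EventVersion="1",AccountID="sip:100@192.0.2.10",SessionID="0x169f528",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5078",'
    'Challenge="770e84a3"',
    '[2015-01-08 14:59:48] SECURITY[21515] res_security_log.c: '
    'SecurityEvent="ChallengeResponseFailed",EventTV="1420750788-100000",Severity="Error",'
    'Service="SIP",EventVersion="1",AccountID="100",SessionID="0x169f528",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5078",'
    'Challenge="770e84a3",ReceivedChallenge="770e84a3",ReceivedHash="0123456789abcdef"',
    '[2015-01-08 15:00:01] SECURITY[21515] res_security_log.c: '
    'SecurityEvent="SuccessfulAuth",EventTV="1420750801-000000",Severity="Informational",'
    'Service="SIP",EventVersion="1",AccountID="101",SessionID="0x169f600",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",'
    'UsingPassword="1"',
]


def compile_failregex(pattern):
    """Apply the %(name)s substitutions and the <HOST> expansion, then compile."""
    pattern = pattern.replace('%(log_prefix)s', LOG_PREFIX)   # log_prefix itself uses __pid_re
    pattern = pattern.replace('%(__pid_re)s', PID_RE)
    return re.compile(pattern.replace('<HOST>', HOST_RE))


def strip_date(line):
    """Remove the timestamp the way fail2ban does: '[2015-01-08 14:59:47] ...' becomes
    '[] ...', which is why log_prefix begins with \\[\\]."""
    m = DATE_RE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def count_failures(lines, patterns):
    """Return (SecurityEvent, host) for every line that some failregex would count."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = []
    for line in lines:
        stripped = strip_date(line)
        for rx in compiled:
            m = rx.search(stripped)
            if m:
                ev = re.search(r'SecurityEvent="(\w+)"', line)
                hits.append((ev.group(1) if ev else None, m.group('host')))
                break
    return hits


if __name__ == '__main__':
    # Only the ChallengeResponseFailed line is counted; ChallengeSent is not in the
    # event alternation (and its AccountID is not digits-only), SuccessfulAuth is not a failure.
    for event, host in count_failures(LOG_LINES, [SECURITY_EVENT_FAILREGEX]):
        print(f'{event}: would count against {host}')
```

Against a real log file the same check is done with the tool fail2ban ships for it, fail2ban-regex, pointed at the log and the filter file. Note that the SecurityEvent regex also requires AccountID to be digits only, so a line whose AccountID looks like sip:100@host would not match even if its event name were added to the alternation.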

6 thoughts on - SEMI OFF-TOPIC – Fail2ban

  • Do you really want to detect “ChallengeSent”? That should occur also on legitimate login processes…

    -S

  • Hello;
    Did you remember to uncomment the dateformat in
    /etc/asterisk/logger.conf? That’s necessary for fail2ban to work.

    Logger.conf
    [general]
    dateformat=%F %T

    Regards;
    John


  • 2015-01-09 9:05 GMT-06:00 Tech Support :

    Hi , I’ll show my logger

    dateformat=%F %T ; ISO 8601 date format
    use_callids=yes
    appendhostname=no

    security=> security,notice

    Regards

  • 2015-01-09 3:53 GMT-06:00 Stefan Gofferje :

    Hi, the strange thing is that I still do not have this Asterisk in production and I see many connection attempts.

    Now keep in mind that when an authentication is successful the message changes and is not exactly what you mention:

    ## SecurityEvent="SuccessfulAuth",EventTV="1420832883-140932",####

    I think this type of connection attempt produces messages on my Asterisk that fail2ban does not detect.

    I'm no expert, but the log does not lie 😉

    Regards

  • I'd suggest taking a look at the free edition of SecAst (www.generationd.com). It handles these messages perfectly (and can also use AMI security events), so you don't need to constantly be updating fail2ban rules. It's a drop-in replacement for fail2ban.

    -M-

    P.S. My opinions are my own and do not necessarily represent those of my employer. As an employee of Generation D System you can bet my opinions are biased though!