SEMI OFF-TOPIC – Fail2ban (Asterisk Users list)

Hi list, has anyone on the list seen this type of connection attempt in Asterisk? fail2ban does not stop them:

[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c:
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c:

I modified the fail2ban filter as below, but they are still not detected.


log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*

# <HOST> is fail2ban's placeholder for the address to ban and must appear on
# every failregex line (it is easily lost when the file is pasted through a web
# page, so check it is present). Continuation lines must stay indented.
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) <HOST>
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
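A quick way to check what the SecurityEvent rule above actually catches, as an added example that is not part of the original post or of fail2ban itself: it expands the `<HOST>` token the way fail2ban does, blanks the timestamp as fail2ban does before matching (which is why log_prefix starts with `\[\]`), and runs the rule over constructed log lines. It also shows one way a failed attempt slips past this rule: `AccountID="\d+"` only matches numeric account IDs. The sample lines and the `security_line` helper are constructed for the demo.

```python
import re

# fail2ban expands the <HOST> placeholder in a failregex to this named group
# (the expansion used by fail2ban 0.8/0.9); the filter author never writes it.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# log_prefix and the SecurityEvent failregex from the post, with <HOST> in place.
# fail2ban removes the timestamp it parsed, leaving "[]" at the start of the line,
# which is what the leading \[\] in log_prefix matches.
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[\S+\d*\])? \S+:\d*"
FAILREGEX = r"^" + LOG_PREFIX + (
    r' SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"'
    r',EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+"'
    r',SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+"'
    r',RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$'
)
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
DATE_RE = re.compile(r"^\[[^\]]*\]")  # "[2015-01-08 14:59:47]" with dateformat=%F %T


def match_host(line):
    """Return the remote host a line would be counted against, or None if it does not match."""
    stripped = DATE_RE.sub("[]", line, count=1)  # mimic fail2ban blanking the date
    m = PATTERN.match(stripped)
    return m.group("host") if m else None


def offending_hosts(lines):
    """Hosts fail2ban would count across a batch of log lines."""
    return [h for h in map(match_host, lines) if h]


def security_line(event, account, remote):
    """Constructed Asterisk security log line (sample data, not a real capture)."""
    return ('[2015-01-08 14:59:47] SECURITY[21515] res_security_log.c: '
            f'SecurityEvent="{event}",EventTV="1420729187-123456",Severity="Error",'
            f'Service="SIP",EventVersion="1",AccountID="{account}",SessionID="0x7f3c9c0a1b20",'
            f'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{remote}/5060"')


if __name__ == "__main__":
    samples = [
        security_line("ChallengeResponseFailed", "1001", "198.51.100.7"),  # bad digest -> match
        security_line("SuccessfulAuth", "1001", "198.51.100.7"),           # legit login -> no match
        security_line("InvalidPassword", "admin", "198.51.100.7"),         # AccountID="\d+" misses it
    ]
    for line in samples:
        print(match_host(line), "<-", line.split("SecurityEvent=")[1][:40])
    print(offending_hosts(samples))  # ['198.51.100.7']
```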


6 thoughts on - SEMI OFF-TOPIC – Fail2ban

  • Do you really want to detect “ChallengeSent”? That should occur also on legitimate login processes…


  • Hello;
    Did you remember to uncomment the dateformat in
    /etc/asterisk/logger.conf? That’s necessary for fail2ban to work.

    dateformat=%F %T



  • 2015-01-09 9:05 GMT-06:00 Tech Support :

    Hi , I’ll show my logger

    dateformat=%F %T ; ISO 8601 date format use_callids= yes appendhostname= no

    security=> security,notice


  • 2015-01-09 3:53 GMT-06:00 Stefan Gofferje :

    Hi , strange thing is that I still have not this asterisk in production and I see many attempts Connection.

    Now keep in mind that when a connection of authentication is successful the message changes and is not exactly what you mention:

    ## SecurityEvent=”SuccessfulAuth”,EventTV=”1420832883-140932″,####

    I think this type of connection attempts messages with my asterisk that fail2ban not detected.

    I’m no expert, but the log not lie 😉


  • I’d suggest taking a look at the free edition of SecAst. It handles these messages perfectly (and can also use AMI security events) – so you don’t need to constantly be updating fail2ban rules. It’s a drop-in replacement for fail2ban.


    P.S. My opinions are my own and do not necessarily represent those of my employer. As an employee of Generation D System you can bet my opinions are biased though!