Fail2ban asterisk filter really needs an update

Here is the latest asterisk.conf filter for fail2ban

failregex = ^(%(__prefix_line)s|[]\s*)%(log_prefix)s Registration from ‘[^’]’ failed for ‘(:\d+)?’ - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error (permit/deny)|Not a local domain)$
^(%(__prefix_line)s|[]\s
)%(log_prefix)s Call from ‘[^’]’ (:\d+) to extension ‘[^’]’ rejected because extension not found in context
^(%(__prefix_line)s|[]\s*)%(log_prefix)s Host failed to authenticate as ‘[^’]’$
^(%(__prefix_line)s|[]\s
)%(log_prefix)s No registration for peer ‘[^’]’ (from )$
^(%(__prefix_line)s|[]\s
)%(log_prefix)s Host failed MD5 authentication for ‘[^’]’ ([^)]+)$
^(%(__prefix_line)s|[]\s
)%(log_prefix)s Failed to authenticate (user|device) [^@][email protected]\S*$
^(%(__prefix_line)s|[]\s*)%(log_prefix)s hacking attempt detected ‘’$
^(%(__prefix_line)s|[]\s*)%(log_prefix)s tried to authenticate with nonexistent user.+$
^(%(__prefix_line)s|[]\s*)%(log_prefix)s failed to authenticate as.+$
^(%(__prefix_line)s|[]\s*)%(log_prefix)s Request from ‘[^’]’ failed for ‘:\d+’ .+ No matching endpoint found$
^(%(__prefix_line)s|[]\s
)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress=“IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+”,RemoteAddress=“IPV[46]/(UDP|TCP|WS|WSS)//\d+”(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

These WARNINGS do not have a file attribute, as they’re generated dynamicly

        ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
        ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

I notice it does not contain an issue me, and I am sure others are facing. I am getting slammed with the following

NOTICE[787]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request ‘REGISTER’ from ‘“503” sip:[email protected],xx,xx.xxx’ failed for ‘208.115.215.190:5545’ (callid: 1561966880) - Failed to authenticate

NOTICE[1151]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request ‘INVITE’ from ‘sip:[email protected],xx,xx.xxx’ failed for ‘156.96.128.152:57514’ (callid: 516245299-300992231-417930326) - No matching endpoint found

While there is a “Failed to authenticate” in the filter, it does not seem to be applicable to the log snip I pasted here.

Ref https://github.com/fail2ban/fail2ban/archive/0.10.tar.gz

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

# FreePBX (todo: make optional in v.0.10):
#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$

ignoreregex =

datepattern = {^LN-BEG}

# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

journalmatch = _SYSTEMD_UNIT=asterisk.service
This is the latest from fail2ban. (ref https://github.com/fail2ban/fail2ban/archive/0.10.tar.gz)

[lt_journal]

# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
__extra_timestamp = (?:\[[^\]]+\]\s+)?
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s

Looks like you would be covered.

1 Like

That really helped @dicko

Even I was banned after restarting fail2ban.

I do wonder why in not the current version of the Sangoma distro.

Given the startling improvements in performance and effectiveness they have achieved in the last 6 years So do many others :slight_smile: (adding pyinotify to your system is just one tiny action that comes to mind that will benefit every user, even if stuck on 0.8x )

I may have been banned, but looking at the Asterisk CLI, it is not working.
This particular line what I was interested in

 ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

I tried appending that to the bottom. Then I tried prefixing like the others have:

^(%(__prefix_line)s|[]\s*)%(log_prefix)s

Still getting slammed by

[2020-07-03 22:31:04] NOTICE[5260]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request ‘INVITE’ from ‘sip:1790111613523819:[email protected]’ failed for ‘45.56.172.232:60600’ (callid: 311480078-943215159-882817374) - No matching endpoint found

All versions of fail2ban have a diagnostic

fail2ban-regex

whereby you can point your logs (or even your individual log line) at your regexes and see what is working/failing

That was usefull, @dicko

According to fail2ban-regex there is a syntax error in that line.

-bash: syntax error near unexpected token `(’

Looking with my text editor, I see this part has no matching left parentheses.

(callid: [^)]*)

I am completely clueless on where to put it.

Try

(callid: [^\)]*)

No change.

Thanks for trying. I guess I will look at newer releases.

Edit:

Maybe I am running the command incorrectly

fail2ban-regex -v --print-all-missed /var/log/fail2ban.log ^Request (?:’[^’]’ ?)from ‘(?:[^’]|.?)’ failed for ‘(?::\d+)?’\s(callid: [^)]) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$

Check against

where is the “extracted pattern to ban” so replace it with 45.56.172.232, otherwise the regex is good but your posts show ` (backticks) not ’ (single quotes) which wont match, might be the forum software but might either way you need to be careful when copy-pasting

Here is a screen shot from the useful site you linked

I even cut the text down:

If you look closely you have ‘unicode left single’ and ‘unicode right single’ where you should have just ascii single quote

are you using utf-8 coding in your logs ? if you are then fail2ban has support for ‘logencoding=utf-8’ in it’s individual filters

(or possible are you using some strange windoze based and prettified ssh session)

I was using a Windows machine, then jumped on my Debian one.

Not getting a different result

Sorry, works for me, and screenshots can’t be copy-pasted

I pasted a couple of examples from the logs

https://pastebin.com/tXFXPRRE

Are you saying, using the supplied regex in the fail2ban version 10 we have been discussing is being pasted the that site, and logs tested for matches, are working for you?

Well, I don’t get any log lines to test against any more (cos they have been banned but yes the one you posted massaged back to ascii and replacing '<HOST>' with '[0-9\.]*' would have been caught on regex101 and also by fail2ban 0.10 as I have the regexes from.

fail2ban-regex Geek.file  /etc/fail2ban/filter.d/asterisk.conf

Running tests
=============

Use   failregex filter file : asterisk, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : Geek.file
Use         encoding : UTF-8


Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   8) [2] ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$                              
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?                                                                                                                   
`-

Lines: 2 lines, 0 ignored, 2 matched, 0 missed
[processed in 0.00 sec]

I went ahead and just copied the whole asterisk.conf file over (backing up old one) then restarted.

Now trying to copy what you did here using a line from the log, and I am getting the exact same result as I was first getting.

-bash: syntax error near unexpected token `(’

This is version 10.5.

I think they have moved on to version 11 and won’t be fixing the old versions

Update: I tested doing exactly what you did. I put the log bits into a file, and got a good response.

Maybe I am using wrong log.

As stated, I don’t find fail2ban broken and I can’t repeat your problem have you tried contacting ail2ban directly?

Okay, I think I got it now. I also changed the jail to use the full log, and now seeing results of fails in the jail.

Thanks @dicko

Still leaves the question of why does not SangomaOS have this?

Truly a rhetorical question.

1 Like