Here is the latest asterisk.conf filter for fail2ban:
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> tried to authenticate with nonexistent user.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> failed to authenticate as.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '[^']*' failed for '<HOST>:\d+' .+ No matching endpoint found$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS|WSS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS|WSS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
# These WARNINGS do not have a file attribute, as they're generated dynamically
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
I notice it does not cover an issue I am facing, and I am sure others are too. I am getting slammed with the following:
NOTICE[787]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'REGISTER' from '"503" sip:503@xxx,xx,xx.xxx' failed for '208.115.215.190:5545' (callid: 1561966880) - Failed to authenticate
NOTICE[1151]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' from 'sip:201@xxx,xx,xx.xxx' failed for '156.96.128.152:57514' (callid: 516245299-300992231-417930326) - No matching endpoint found
While there is a "Failed to authenticate" in the filter, it does not seem to be applicable to the log snippet I pasted here.
# Fail2Ban filter for asterisk authentication failures
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
# FreePBX (todo: make optional in v.0.10):
# ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
ignoreregex =
datepattern = {^LN-BEG}
# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
journalmatch = _SYSTEMD_UNIT=asterisk.service
This is the latest from fail2ban. (ref https://github.com/fail2ban/fail2ban/archive/0.10.tar.gz)
[lt_journal]
# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
__extra_timestamp = (?:\[[^\]]+\]\s+)?
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s
Given the startling improvements in performance and effectiveness they have achieved in the last 6 years, so do many others (adding pyinotify to your system is just one tiny action that comes to mind that will benefit every user, even if stuck on 0.8x).
I may have been banned, but looking at the Asterisk CLI, it is not working.
This particular line is what I was interested in:
^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
I tried appending that to the bottom. Then I tried prefixing it like the others have:
^(%(__prefix_line)s|\s*)%(log_prefix)s
Still getting slammed by:
[2020-07-03 22:31:04] NOTICE[5260]: res_pjsip/pjsip_distributor.c:666 log_failed_request: Request 'INVITE' from 'sip:1790111613523819:[email protected]' failed for '45.56.172.232:60600' (callid: 311480078-943215159-882817374) - No matching endpoint found
<HOST> is where the "extracted pattern to ban" goes, so replace it with 45.56.172.232. Otherwise the regex is good, but your posts show ` (backticks), not ' (single quotes), which won't match. It might be the forum software, but either way you need to be careful when copy-pasting.
Are you saying that the supplied regex from the fail2ban version 10 we have been discussing, when pasted into that site and the logs tested for matches, is working for you?
Well, I don't get any log lines to test against any more (because they have been banned), but yes, the one you posted, massaged back to ASCII and with '<HOST>' replaced by '[0-9\.]*', would have been caught on regex101 and also by fail2ban 0.10, which is where I have the regexes from.
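To show concretely what the two replies above are getting at (the `<HOST>` token has to be present for fail2ban to have something to ban, and the curly quotes the forum substitutes for `'` make the pattern miss), here is an added, stand-alone Python script that applies the 0.10 filter's `log_prefix`/`prefregex` split and the `Request ... failed for '<HOST>'` failregex to a few constructed pjsip log lines. It is example code written for this thread, not part of fail2ban and not the poster's setup. Three things are assumptions rather than the filter's own text: the `[YYYY-mm-dd HH:MM:SS]` full-log timestamp is cut off by hand (fail2ban removes the datepattern match before `prefregex` runs), `common.conf`'s `__prefix_line` is reduced to `\s*` (no syslog or hostname prefix), and `<HOST>` is expanded to the classic fail2ban host pattern. The sample log lines and IP addresses are constructed, modelled on the ones quoted in the thread.

```python
import re

# --- Definitions copied from the fail2ban 0.10 asterisk.conf posted above ---
PID_RE = r"(?:\s*\[\d+\])"
LOG_PREFIX = (
    r"(?:NOTICE|SECURITY|WARNING)" + PID_RE
    + r":?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?"
)
FAILREGEX = (
    r"^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'"
    r"\s\(callid: [^\)]*\) - (?:No matching endpoint found"
    r"|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$"
)

# --- Assumptions made for this example (not part of the posted filter) ---
# fail2ban cuts the datepattern match out of the line before prefregex runs;
# here a plain "[YYYY-mm-dd HH:MM:SS] " Asterisk full-log stamp is removed by hand.
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\]\s*")
# common.conf's __prefix_line is replaced by "\s*" (no syslog/hostname prefix).
PREFREGEX = re.compile(r"^\s*" + LOG_PREFIX + r" (?P<content>.+)$")
# <HOST> expanded to the classic fail2ban host pattern (named group "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Constructed sample log (documentation addresses), modelled on the thread's lines.
SAMPLE_LOG = [
    # well-formed lines with ASCII single quotes, as Asterisk actually writes them
    "[2020-07-03 22:31:04] NOTICE[5260]: res_pjsip/pjsip_distributor.c:666 log_failed_request: "
    "Request 'INVITE' from 'sip:201@203.0.113.5' failed for '198.51.100.23:60600' "
    "(callid: 311480078-943215159-882817374) - No matching endpoint found",
    "[2020-07-03 22:31:05] NOTICE[787]: res_pjsip/pjsip_distributor.c:666 log_failed_request: "
    "Request 'REGISTER' from '\"503\" sip:503@203.0.113.5' failed for '198.51.100.24:5545' "
    "(callid: 1561966880) - Failed to authenticate",
    # the same INVITE after the forum replaced ' with curly quotes: must NOT match
    "[2020-07-03 22:31:04] NOTICE[5260]: res_pjsip/pjsip_distributor.c:666 log_failed_request: "
    "Request \u2018INVITE\u2019 from \u2018sip:201@203.0.113.5\u2019 failed for "
    "\u2018198.51.100.23:60600\u2019 (callid: 311480078-943215159-882817374) - No matching endpoint found",
    # a second hit from the first scanner, through the ACL branch of the regex
    "[2020-07-03 22:31:07] NOTICE[5260]: res_pjsip/pjsip_distributor.c:666 log_failed_request: "
    "Request 'OPTIONS' from 'sip:100@203.0.113.5' failed for '198.51.100.23:5060' "
    "(callid: 8f3c1b2a) - Not match Endpoint ACL",
    # noise that must not count: log_prefix only admits NOTICE/SECURITY/WARNING
    "[2020-07-03 22:31:08] VERBOSE[5260] res_pjsip/pjsip_logger.c: "
    "<--- Received SIP request (412 bytes) from UDP:198.51.100.23:5060 --->",
]


def match_line(line):
    """Return (host, reason) for a line the failregex would ban on, else None."""
    stripped = DATE_RE.sub("", line, count=1)
    pre = PREFREGEX.match(stripped)
    if not pre:
        return None  # wrong log level or not an Asterisk-formatted line
    content = pre.group("content")
    hit = FAIL_RE.match(content)
    if not hit:
        return None  # e.g. curly quotes instead of ' around the request/host
    reason = content.rsplit(" - ", 1)[-1].strip()
    return hit.group("host"), reason


def scan(lines):
    """Count matching lines per host, the way fail2ban's maxretry counter does."""
    counts = {}
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts


def hosts_to_ban(lines, maxretry=2):
    """Hosts that reached maxretry matches (findtime is ignored in this example)."""
    return sorted(h for h, n in scan(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line[:70] + "...")
    print("would ban:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Running it prints a hit for the two ASCII-quoted lines and the OPTIONS line, `None` for the curly-quoted copy and the VERBOSE line, and `['198.51.100.23']` as the host that reached two matches. The same check with the real tool is `fail2ban-regex <logfile> /etc/fail2ban/filter.d/asterisk.conf`, as shown later in the thread; the script only makes visible which stage (date strip, `prefregex`, `failregex`) a line fails at.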
fail2ban-regex Geek.file /etc/fail2ban/filter.d/asterisk.conf
Running tests
=============
Use failregex filter file : asterisk, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : Geek.file
Use encoding : UTF-8
Results
=======
Failregex: 2 total
|- #) [# of hits] regular expression
| 8) [2] ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 2 lines, 0 ignored, 2 matched, 0 missed
[processed in 0.00 sec]