Fail2Ban.log Entries

I’m running Freepbx 6.12.65-27 w/ asterisk 13.3.2 on a vps that’s exposed. Haven’t changed any iptables or fail2ban settings from the ones that shipped with the Freepbx Distro. I’ve noticed hundreds of entries like this in the logs. Here’s just a snippet…

[2015-05-26 14:39:03] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5088' (callid: 444f16085473bd7ca24a1852aab2fdba) - No matching endpoint found
[2015-05-26 14:39:25] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5073' (callid: f7122a466c047d6a17e6f34f7a17f425) - No matching endpoint found
[2015-05-26 14:48:23] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5071' (callid: ca26458a3198450f8c14823c0e450e4c) - No matching endpoint found
[2015-05-26 14:52:32] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5096' (callid: efdbe08ec28f57ed5ab72775feb5e6ff) - No matching endpoint found
[2015-05-26 14:55:36] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"888" <sip:[email protected]>' failed for '195.154.133.168:5071' (callid: 85daf15fe6020b960f8e66c0e8d107fd) - No matching endpoint found
[2015-05-26 14:57:42] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: c369002b1311573528ba025fd93d0485) - No matching endpoint found
[2015-05-26 15:05:36] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5074' (callid: 3b47e1d73c8dfdb5dfce0c09be45e7e6) - No matching endpoint found
[2015-05-26 15:06:58] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: 9ab8c05bc090f4d65cb24ffdbb764a8b) - No matching endpoint found
[2015-05-26 15:16:13] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: cba0e898700a55edbc31756a37241cf6) - No matching endpoint found
[2015-05-26 15:18:45] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5071' (callid: 1b301d8b189c056a938a635c26f43b22) - No matching endpoint found
[2015-05-26 15:24:02] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"sipvicious" <sip:[email protected]>' failed for '62.210.209.158:5093' (callid: 436601293901662377524677) - No matching endpoint found
[2015-05-26 15:25:31] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5070' (callid: 2596799fdc3646d3757734fd5e403fac) - No matching endpoint found
[2015-05-26 15:31:44] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5079' (callid: 538fded5d0f37777eab4e4306223fd60) - No matching endpoint found
[2015-05-26 15:34:50] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5080' (callid: 9f8d9604d2d6e7eb473ba46e7ae9e941) - No matching endpoint found
[2015-05-26 15:44:13] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5070' (callid: 7dc59225d1d128d47beaa92da8865c97) - No matching endpoint found
[2015-05-26 15:44:36] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5071' (callid: 34c74157dc6f2d27235191c8f77ae94c) - No matching endpoint found
[2015-05-26 15:53:34] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5071' (callid: 5144d19624ed98629e07f6118671bf00) - No matching endpoint found
[2015-05-26 15:57:45] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5077' (callid: 2bbf5e39181418679f7fbf362924d6e4) - No matching endpoint found
[2015-05-26 16:02:52] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: aaf0810f8c9f1202cdd0aa1304249b47) - No matching endpoint found
[2015-05-26 16:10:42] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5073' (callid: bcf826577d1e728ee69f8f352f77632e) - No matching endpoint found
[2015-05-26 16:12:16] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5079' (callid: dd28c310064917ac352938ac7e624a13) - No matching endpoint found
[2015-05-26 16:21:39] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5071' (callid: f5eeb95e8bd12dd738c92da4a865c1b7) - No matching endpoint found
[2015-05-26 16:23:44] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5070' (callid: fab3f4aa2d91aeeed92b9f1a35e297ab) - No matching endpoint found

Just curious what those entries meant and if I should be concerned? Thanks for your help.

Your fail2ban setup for the asterisk jail needs to have a regex that covers those log lines. You are under attack from servers in

23.92.80.0/20 # ARIN US NODESDIRECT Nodes Direct
195.154.128.0/17 # RIPE FR FR-ILIAD-ENTREPRISES-CUSTOMERS Iliad Entreprises Customers

to name just two. Add a restrictive firewall to your system:

http://community.freepbx.org/t/so-many-hackers/?source_topic_id=29401

Thanks Dicko for the prompt reply. The asterisk.conf filter that shipped with the distro has…

NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found

Would it be as easy as copying that regex line and replacing “Registration from” with “Request from”? Side question: is there a difference between such language as Registration and Request?

You posted in General Help, you should perhaps post in Commercial Modules as disturbing anything within that closed system (sysadmin) will likely cause bad “signature things” to happen to your system, if it doesn’t, then by my understanding it should :wink:

But to experiment fail2ban has

fail2ban-regex

to parse and prove your regexes are working.

NOTICE.* .*: Re[gq].* from '.*' failed for '<HOST>:.*' .*- No .* found

might be a better one to catch both SIP and PJSIP type log lines, remember PJSIP is still in very formative stages yet.
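Added example, not part of the thread and not FreePBX or fail2ban code: a Python approximation of the check `fail2ban-regex` performs, comparing the shipped filter line with a pattern adapted for the PJSIP "Request from ... (callid: ...) - No matching endpoint found" format. The `HOST` substitute, the `ADAPTED` pattern and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption);
# the real tag also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Filter line the thread quotes from the distro's asterisk.conf.
SHIPPED = (r"NOTICE.* .*: Registration from '.*' failed for "
           r"'<HOST>:.*' - No matching peer found")
# Adapted pattern (assumption): "Registration" or "Request", optional text
# such as "(callid: ...)" before "- No", and any "No ... found" reason.
ADAPTED = (r"NOTICE.* .*: Re[gq].* from '.*' failed for "
           r"'<HOST>:.*' .*- No .* found")

# Constructed log lines in the two formats discussed in the thread.
PJSIP = ("[2015-05-26 {t}] NOTICE[8354] res_pjsip/pjsip_distributor.c: "
         "Request from '\"{u}\" <sip:{u}@192.0.2.1>' failed for '{src}' "
         "(callid: {cid}) - No matching endpoint found")
CHAN_SIP = ("[2015-05-26 {t}] NOTICE[8354] chan_sip.c: Registration from "
            "'\"{u}\" <sip:{u}@192.0.2.1>' failed for '{src}' "
            "- No matching peer found")
LOG = [
    PJSIP.format(t="14:39:03", u="as100", src="198.51.100.29:5088", cid="c0001"),
    PJSIP.format(t="14:39:25", u="2020", src="203.0.113.10:5073", cid="c0002"),
    PJSIP.format(t="14:48:23", u="as100", src="198.51.100.29:5071", cid="c0003"),
    CHAN_SIP.format(t="14:50:00", u="101", src="203.0.113.77:5060"),
    "[2015-05-26 14:51:00] VERBOSE[8360] pbx.c: Executing NoOp (benign line)",
]


def matched_hosts(failregex, lines):
    """Count matches per source address, the way a jail tallies failures."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


if __name__ == "__main__":
    print("shipped:", matched_hosts(SHIPPED, LOG))
    print("adapted:", matched_hosts(ADAPTED, LOG))
```

On a live system, running `fail2ban-regex` against the Asterisk log and the filter file remains the authoritative check before reloading the jail.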