Fail2Ban not detecting PJSIP TLS Brute Force attempts

Hello,

My fail2ban is working and blocks PJSIP attempts; however, we are testing out PJSIP TLS and it seems these slip through fail2ban.

On testing: I see lots of the following lines in the full log file.

[2021-01-27 12:05:18] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'OPTIONS' from 'sip:[email protected]' failed for 'xx.xx.xx.xx:28743' (callid: 187541_mobile-rel120ZTk5NmI5ZjZkNDJjOTJhZmFkMmM4MDFkOWQ3ODNiZDI) - Failed to authenticate

[2021-01-27 12:05:20] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from 'sip:[email protected]' failed for 'xx.xx.xx.xx:28743' (callid: 187541_mobile-rel120NWEwOGVjZDdlY2I2MWNmMzEzNzVmYjEwZDc2M2UwMWU) - Failed to authenticate

I have changed my PJSIP TLS port from the default however I wouldn’t have thought that would have prevented fail2ban working.

It's my understanding that I may need to add an entry to /etc/fail2ban/filter.d/asterisk.conf; however, A) I'm unsure what to enter, and B) shouldn't this be added by default?

Any assistance would be appreciated.

Fraser.

Ports really don't matter. It reads the corresponding log; if it finds a match in the log for what the filter has, it will block.

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$

Maybe you need to turn down the attempts allowed, turn up the find and ban times.
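The reply's point, that fail2ban only cares about whether a log line matches a filter regex and not about the port, can be checked offline. The Python below is an added example, not code from this thread or from the fail2ban project: it uses simplified stand-ins for fail2ban's `%(__prefix_line)s` and `%(log_prefix)s` substitutions (assumed here; the real definitions in filter.d/asterisk.conf are longer), runs the regex quoted in the reply and a second, PJSIP-aware regex (my own, written from the log format shown in the post) over constructed sample lines, and counts failures per host the way fail2ban's maxretry/findtime would. The IP addresses, extension numbers and callids in the sample lines are constructed.

```python
"""Run fail2ban-style failregexes over Asterisk log lines offline.

Added example, not code from the thread or from fail2ban itself.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the "full" log excerpt in the post.
# Hosts are documentation addresses, not the poster's masked xx.xx.xx.xx.
LOG_LINES = [
    "[2021-01-27 12:05:18] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 "
    "log_failed_request: Request 'OPTIONS' from 'sip:1001@203.0.113.5' failed for "
    "'203.0.113.5:28743' (callid: 187541_mobile-rel120ZTk5NmI5ZjZkNDJjOTJhZmFkMmM4MDFkOWQ3ODNiZDI) "
    "- Failed to authenticate",
    "[2021-01-27 12:05:20] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 "
    "log_failed_request: Request 'REGISTER' from 'sip:1001@203.0.113.5' failed for "
    "'203.0.113.5:28743' (callid: 187541_mobile-rel120NWEwOGVjZDdlY2I2MWNmMzEzNzVmYjEwZDc2M2UwMWU) "
    "- Failed to authenticate",
    "[2021-01-27 12:05:21] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 "
    "log_failed_request: Request 'REGISTER' from 'sip:1001@203.0.113.5' failed for "
    "'203.0.113.5:28743' (callid: 187541_mobile-rel120YjQ1) - Failed to authenticate",
    # Legacy chan_sip shape that the regex quoted in the reply was written for.
    "[2021-01-27 12:05:22] NOTICE[10481]: chan_sip.c:23437 handle_request_invite: "
    "Failed to authenticate device 1001<sip:1001@198.51.100.7>;tag=as6c0f5a2b",
    # One PJSIP failure from a second host, below any sensible maxretry.
    "[2021-01-27 12:05:30] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 "
    "log_failed_request: Request 'INVITE' from 'sip:2000@198.51.100.9' failed for "
    "'198.51.100.9:5061' (callid: abc123) - Failed to authenticate",
]

# Assumed, simplified stand-ins for fail2ban's %(__prefix_line)s and
# %(log_prefix)s in filter.d/asterisk.conf: timestamp, level[pid], file:line func:
PREFIX = (r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] "
          r"(?:NOTICE|WARNING|SECURITY)\[\d+\]: [^:]+:\d+ \w+: ")
# Stand-in for fail2ban's <HOST> tag (IPv4 only, to keep the example short).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# The failregex quoted in the reply, with the substitutions expanded.
CHAN_SIP_RE = re.compile(
    PREFIX + r"Failed to authenticate (?:user|device) [^@]+@" + HOST + r"\S*$")

# PJSIP distributor format from the post (my own pattern, not fail2ban's).
# The source port is optional, so changing the TLS port does not matter.
PJSIP_RE = re.compile(
    PREFIX + r"Request (?:'[^']*' from|from) '[^']*' failed for '" + HOST
    + r"(?::\d+)?' \(callid: [^)]*\) - "
    + r"(?:Failed to authenticate|No matching endpoint found)\s*$")


def scan(lines, patterns, maxretry=3, findtime=600):
    """Mimic fail2ban's counting: flag a host once it has maxretry matching
    lines whose timestamps fall within findtime seconds of each other.

    Returns {"matches": {host: total_matches}, "banned": [hosts]}.
    """
    total = defaultdict(int)
    window = defaultdict(list)   # recent timestamps per host
    banned = []
    for line in lines:
        for pat in patterns:
            m = pat.match(line)
            if not m:
                continue
            host = m.group("host")
            ts = datetime.strptime(TS_RE.match(line).group(1), "%Y-%m-%d %H:%M:%S")
            total[host] += 1
            recent = [t for t in window[host] if (ts - t).total_seconds() <= findtime]
            recent.append(ts)
            window[host] = recent
            if len(recent) >= maxretry and host not in banned:
                banned.append(host)
            break   # one failregex hit per line, like fail2ban
    return {"matches": dict(total), "banned": banned}


if __name__ == "__main__":
    print("reply's regex only:", scan(LOG_LINES, [CHAN_SIP_RE]))
    print("with PJSIP regex:  ", scan(LOG_LINES, [CHAN_SIP_RE, PJSIP_RE]))
```

With only the quoted regex, the three res_pjsip `log_failed_request` lines from the post's format are never counted, so no value of maxretry or findtime will get that host banned; the legacy chan_sip line is the only hit. Adding a pattern of the second shape counts them, and the optional `(?::\d+)?` makes the non-default TLS port irrelevant, as the reply says. On the real system the equivalent check is `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines each failregex matched; newer fail2ban releases include a failregex of this shape in filter.d/asterisk.conf, so compare against what the installed version has before adding one.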
