Fail2Ban not detecting PJSIP TLS Brute Force attempts


#1

Hello,

My fail2ban is working and blocks PJSIP attempts; however, we are testing out PJSIP TLS and it seems these slip through fail2ban.

On testing: I see lots of the following lines in the full log file.

[2021-01-27 12:05:18] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'OPTIONS' from 'sip:3008@pbx.mydomain.com' failed for 'xx.xx.xx.xx:28743' (callid: 187541_mobile-rel120ZTk5NmI5ZjZkNDJjOTJhZmFkMmM4MDFkOWQ3ODNiZDI) - Failed to authenticate

[2021-01-27 12:05:20] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from 'sip:3008@pbx.mydomain.com' failed for 'xx.xx.xx.xx:28743' (callid: 187541_mobile-rel120NWEwOGVjZDdlY2I2MWNmMzEzNzVmYjEwZDc2M2UwMWU) - Failed to authenticate

I have changed my PJSIP TLS port from the default; however, I wouldn’t have thought that would have prevented fail2ban from working.

It’s my understanding that I may need to add an entry to /etc/fail2ban/filter.d/asterisk.conf; however, A) I’m unsure what to enter, and B) shouldn’t this be added by default?

Any assistance would be appreciated.

Fraser.


#2

Ports really don’t matter. It is reading the corresponding log; when there is a match in the log to what the filter has, it will block.

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$

Maybe you need to turn down the attempts allowed, turn up the find and ban times.
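An added example (not code from this thread or from fail2ban's own asterisk.conf) showing why the filter line quoted above never fires on the PJSIP lines from post #1: it runs the chan_sip-style pattern and an added PJSIP pattern over those two log lines, with the masked address replaced by a constructed 203.0.113.45 and the call-ids shortened, and tallies failures per host the way fail2ban does before comparing against maxretry. The prefix expression, the IPv4-only stand-in for fail2ban's <HOST> placeholder and the chan_sip line are assumptions constructed for the demonstration.

```python
import re

# Lines from post #1, with the masked address replaced by a constructed 203.0.113.45
# and the call-ids shortened. Quotes are the straight quotes Asterisk actually writes.
PJSIP_LINES = [
    "[2021-01-27 12:05:18] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: "
    "Request 'OPTIONS' from 'sip:3008@pbx.mydomain.com' failed for '203.0.113.45:28743' "
    "(callid: 187541_mobile-rel120ZTk5NmI5) - Failed to authenticate",
    "[2021-01-27 12:05:20] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: "
    "Request 'REGISTER' from 'sip:3008@pbx.mydomain.com' failed for '203.0.113.45:28743' "
    "(callid: 187541_mobile-rel120NWEwOGVj) - Failed to authenticate",
]
# Constructed chan_sip-style line: the wording the filter line quoted in post #2 targets.
CHANSIP_LINE = ("[2021-01-27 12:06:00] NOTICE[10481][C-0000001a]: chan_sip.c:2994 "
                "handle_request_register: Failed to authenticate device "
                "<sip:3008@203.0.113.45>;tag=as1234")

# Stand-in for fail2ban's %(__prefix_line)s%(log_prefix)s macros (assumed shape:
# "[date] LEVEL[pid][C-call]: file.c:line function:") and for <HOST>, which fail2ban
# expands itself; here <HOST> is an IPv4-only named group, a deliberate simplification.
PREFIX = (r"^\[[^\]]+\]\s+(?:NOTICE|SECURITY|WARNING)\[\d+\](?:\[C-[\da-f]+\])?:?"
          r"\s+[^:]+:\d*(?:\s\w+:)?\s*")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter line quoted in post #2 (chan_sip wording) ...
CHANSIP_RE = re.compile(PREFIX + r"Failed to authenticate (?:user|device) [^@]+@" + HOST + r"\S*$")
# ... and an added pattern for the PJSIP log_failed_request line.
PJSIP_RE = re.compile(PREFIX + r"Request '[^']*' from '[^']*' failed for '" + HOST +
                      r"(?::\d+)?' \(callid: [^)]*\) - Failed to authenticate\s*$")


def match_host(line, patterns):
    """Return the host captured by the first pattern that matches the line, else None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None


def failures_per_host(lines, patterns):
    """Tally matched failures per host, as fail2ban does before comparing to maxretry."""
    counts = {}
    for line in lines:
        host = match_host(line, patterns)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts
```

With only the chan_sip pattern the PJSIP lines yield no host at all, so no counter ever reaches maxretry; adding the PJSIP pattern attributes both failures to 203.0.113.45.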


#3

https://community.freepbx.org/t/fail2ban-asterisk-filter-really-needs-an-update/68357/2