Fail2Ban not detecting PJSIP TLS Brute Force attempts

Hello,

My fail2ban is working and blocks PJSIP attempts however we are testing out PJSIP TLS and it seems these slip through fail2ban.

On testing: I see lots of the following lines in the full log file.

[2021-01-27 12:05:18] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request ‘OPTIONS’ from ‘sip:[email protected]’ failed for ‘xx.xx.xx.xx:28743’ (callid: 187541_mobile-rel120ZTk5NmI5ZjZkNDJjOTJhZmFkMmM4MDFkOWQ3ODNiZDI) - Failed to authenticate

[2021-01-27 12:05:20] NOTICE[10481]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request ‘REGISTER’ from ‘sip:[email protected]’ failed for ‘xx.xx.xx.xx:28743’ (callid: 187541_mobile-rel120NWEwOGVjZDdlY2I2MWNmMzEzNzVmYjEwZDc2M2UwMWU) - Failed to authenticate

I have changed my PJSIP TLS port from the default however I wouldn’t have thought that would have prevented fail2ban working.

It’s my understanding that I may need to add an entry to /etc/fail2ban/filter.d/asterisk.conf however A) Im unsure what to enter, and B) shouldnt this be added by default ?

Any assistance would be appreciated.

Fraser.

Ports really don’t matter. It is reading the corresponding log, then it has a match in the log to what the filter has, it will block.

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@][email protected]<HOST>\S*$

Maybe you need to turn down the attempts allowed, turn up the find and ban times.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.