FreePBX 14 Asterisk 13 Fail2ban issue

Clean install of the recommended FreePBX 14 with Asterisk 13 from the freepbx download. Fail2ban seems to work fine for SSH but anything related to SIP doesn’t get caught. I played around with the regex a little and got it to ban for "Rejecting unknown SIP connection from <HOST>".

/etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not su$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> tried to authenticate with nonexistent user.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> failed to authenticate as.+$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Request from '[^']*' failed for '<HOST>:\d+' .+ No matching endpoint found$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\$
# These WARNINGS do not have a file attribute, as they're generated dynamically
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
            Ext\. s: "Rejecting unknown SIP connection from <HOST>:(.+)"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# Update: 2016-05-10 by [email protected]
# - Detect PJSIP Scans
# - Detect AMI events that may be missed by having SecurityEvents disabled
# - Support WSS
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

/etc/fail2ban/jail.local

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban

Everything is logging to /var/log/asterisk/fail2ban but the regex is not picking it up.

Does anyone have a regex file that works with FreePBX 14 and Asterisk 13?

Is there something I am missing here?

One example of it not blocking is this:

DP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[17436] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.938-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="4205803017",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[11664] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.956-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="1454978471",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[17436] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.967-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="1359014312",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
[2019-10-04 09:53:55] WARNING[11664] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2019-10-04 09:53:55] SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",EventTV="2019-10-04T09:53:55.977-0400",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="3550642603",LocalAddress="IPV4/UDP/192.168.5.14/5060",RemoteAddress="IPV4/UDP/77.247.108.220/6011",ACLName="registrar_attempt_without_configured_aors"
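To check a filter against these lines offline, the way fail2ban-regex does, here is an added Python example that is not from the thread or from fail2ban: it expands <HOST> and strips the timestamp as fail2ban does, then runs the thread's last chan_sip pattern and a PJSIP SecurityEvent pattern of my own (an assumption, keyed on the RemoteAddress field) over sample lines built from the ones above.

```python
import re

# fail2ban expands the <HOST> tag to a group matching an IP address or hostname.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
# fail2ban strips the timestamp before trying failregex; mimic that here.
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] ")

# The last failregex from the thread's asterisk.conf (chan_sip wording).
CHAN_SIP_PATTERN = r'Ext\. s: "Rejecting unknown SIP connection from <HOST>:(.+)"$'

# Constructed pattern (an assumption, not from the page): take the host from the
# PJSIP SecurityEvent's RemoteAddress field, where these lines carry it.
PJSIP_PATTERN = (
    r'SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="[^"]*",Severity="\w+",Service="PJSIP",EventVersion="\d+",'
    r'AccountID="[^"]*",SessionID="[^"]*",LocalAddress="[^"]*",'
    r'RemoteAddress="IPV4/(?:UDP|TCP|TLS|WS|WSS)/<HOST>/\d+"'
)

def compile_failregex(pattern):
    """Expand <HOST> and compile, roughly as fail2ban-regex does."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def matched_hosts(lines, patterns):
    """One host per matching line: each is a failure fail2ban would count."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in lines:
        body = DATE_RE.sub("", line)
        for rx in compiled:
            m = rx.search(body)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts

# Sample lines constructed from the two line shapes shown in the thread.
SECURITY_LINE = (
    'SECURITY[2415] res_security_log.c: SecurityEvent="FailedACL",'
    'EventTV="2019-10-04T09:53:55.938-0400",Severity="Error",Service="PJSIP",'
    'EventVersion="1",AccountID="anonymous",SessionID="4205803017",'
    'LocalAddress="IPV4/UDP/192.168.5.14/5060",'
    'RemoteAddress="IPV4/UDP/77.247.108.220/6011",'
    'ACLName="registrar_attempt_without_configured_aors"'
)
LOG_LINES = [
    "[2019-10-04 09:53:55] WARNING[17436] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs",
    "[2019-10-04 09:53:55] " + SECURITY_LINE,
    "[2019-10-04 09:53:55] " + SECURITY_LINE.replace("938-0400", "956-0400"),
]
```

matched_hosts(LOG_LINES, [CHAN_SIP_PATTERN]) returns nothing, while adding PJSIP_PATTERN returns 77.247.108.220 once per SecurityEvent line. A pattern that never reads RemoteAddress has nowhere to find the host in these lines, so the jail counts no failures for them.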

It looks like you have anonymous access turned on. That won’t help.


Should I also disable ‘Allow SIP Guests’?

Is there somewhere else I should be disabling it?

Yes, you should.


That seems to have taken care of the log. Any ideas as to why the regex wasn’t picking up the entry in the log when it was present?

fail2ban-regex --help

Ya, I’m aware of that. I’m not the best with writing regex so I was hoping somebody had a working file for Asterisk 13. I tried a few online with no success.

The asterisk jail that comes with Fail2ban .10 works fine for me.

I am currently on Fail2Ban v0.8.14 that comes with the install and having no luck. Can you give me the full version you are running?

As I said, .10 :wink: You can get it yourself from

https://www.fail2ban.org/


I see it now. 0.10. Thanks for the help. I’ll give it a shot.