Identified - Fail2ban on distro missing Wrong Password pattern

These lines are getting banned -

[2015-03-04 04:30:14] WARNING[25780][C-00002fc8] Ext. s: "Rejecting unknown SIP connection from"

But these are not -

[2015-03-04 10:08:52] NOTICE[16282] chan_sip.c: Registration from '"6001" <sip:[email protected]:5060>' failed for '' - Wrong password
[2015-03-04 10:11:17] NOTICE[16282] chan_sip.c: Registration from '"7001" <sip:[email protected]:5060>' failed for '' - Wrong password

I think the asterisk.conf file in the fail2ban.d directory looks correct?

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
        NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
        NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
        NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
        WARNING.* Ext. s: Friendly Scanner from <HOST>
        WARNING.* .*: .*Rejecting unknown SIP connection from <HOST>.*

I see this in the fail2ban.log

2015-03-04 10:11:19,788 fail2ban.filter : ERROR  No 'host' found in '[] SECURITY[16252] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1425485477-779144",Severity="Error",Service="SIP",EventVersion="2",AccountID="7001",SessionID="0x9a80b14",LocalAddress="IPV4/UDP/162.217.xx.xx/5060",RemoteAddress="IPV4/UDP/",Challenge="54d5b555",ReceivedChallenge="54d5b555",ReceivedHash="ee9f53c75d1e225fbd76214abb012913"

Looking more, I didn't realize that fail2ban had changed the files it was searching…

Here is the /var/log/asterisk/fail2ban file

[[email protected] asterisk]# pwd ; grep InvalidPassword fail2ban | tail -1
[2015-03-04 10:11:17] SECURITY[16252] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1425485477-779144",Severity="Error",Service="SIP",EventVersion="2",AccountID="7001",SessionID="0x9a80b14",LocalAddress="IPV4/UDP/162.217.xx.xx/5060",RemoteAddress="IPV4/UDP/",Challenge="54d5b555",ReceivedChallenge="54d5b555",ReceivedHash="ee9f53c75d1e225fbd76214abb012913"

And here is where I find the rule -

[[email protected] asterisk]# grep InvalidPassword /etc/fail2ban/*/*
/etc/fail2ban/filter.d/asterisk-security.conf:	SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"

Probably needs parens around SIP|AMI? But I looked at my other box and the rule is fixed.

/etc/fail2ban/filter.d/asterisk-security.conf:	SECURITY.* .*: SecurityEvent="InvalidPassword",.*,Severity="Error",Service="[a-zA-Z]+",.*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"

Darn - looks like something didn’t get updated on one of my boxes along the way.

Is this assumption correct?

System admin version -
Asterisk 11.14.1
Distro: 5.11.65-20

It is showing no newer system admin module. I will update to 5.11.65-21, but looks like I need to move past 5.11.65?
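The "No 'host' found" error above is exactly what an ungrouped alternation produces: in the older rule, the `|` splits the whole expression into two branches, the first of which (everything up to `Service="SIP`) matches the line but contains no `<HOST>` group. The check below is an added example, not code from the thread or from the FreePBX/fail2ban projects: it mimics fail2ban's `<HOST>` substitution with a simplified host pattern (an assumption; fail2ban's real one also handles IPv6) and runs both rules against a constructed line modelled on the log entry above, with documentation-range IPs in place of the real addresses.

```python
import re

# fail2ban replaces <HOST> with a named group before compiling a failregex.
# Simplified stand-in for fail2ban's own host pattern (assumption: a plain
# IPv4/hostname token; fail2ban's real pattern also covers IPv6 forms).
HOST_GROUP = r"(?P<host>[\w.\-]+)"

# The rule found on the box in the thread: alternation without parentheses.
BROKEN_FAILREGEX = (
    r'SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",'
    r'Service="SIP|AMI".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"'
)

# The same rule with the alternation grouped.
FIXED_FAILREGEX = (
    r'SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",'
    r'Service="(SIP|AMI)".*,RemoteAddress="IPV[46]\/(UDP|TCP|TLS)\/<HOST>\/[0-9]+"'
)

# Constructed sample line modelled on the thread's res_security_log.c entry.
# 192.0.2.10 and 203.0.113.45 are documentation-range placeholders.
SAMPLE_LINE = (
    '[2015-03-04 10:11:17] SECURITY[16252] res_security_log.c: '
    'SecurityEvent="InvalidPassword",EventTV="1425485477-779144",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="7001",'
    'SessionID="0x9a80b14",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
    'RemoteAddress="IPV4/UDP/203.0.113.45/5060",Challenge="54d5b555",'
    'ReceivedChallenge="54d5b555",ReceivedHash="ee9f53c75d1e225fbd76214abb012913"'
)


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def extract_host(failregex, line):
    """Return (matched, host) for one log line.

    matched=True with host=None reproduces fail2ban's "No 'host' found"
    condition: the regex matched, but the alternation branch that matched
    does not contain the <HOST> group, so nothing can be banned.
    """
    m = compile_failregex(failregex).search(line)
    if m is None:
        return False, None
    return True, m.groupdict().get("host")


def check_rule(failregex, lines):
    """Summarise a rule over several lines: list of (matched, host) tuples."""
    return [extract_host(failregex, line) for line in lines]


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(name, extract_host(rule, SAMPLE_LINE))
```

Running it shows the broken rule returning `(True, None)` (matched, but no host to ban) and the fixed rule returning `(True, '203.0.113.45')`; `fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk-security.conf` gives the same verdict on the real file once the filter has been corrected.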

Yes, you need to get on the 6.12.65 track.

Thanks Tony.

I’m using one of your hosting partners. Is the best way to run the upgrade script on?

Or do I use the 2.11 to 12 upgrade tool in the menu first?

I did edit the file manually to add the parens and it is catching them now. Going to have to schedule the update.
Use the Distro Upgrade script in the wiki link you posted