These lines are getting banned -
[2015-03-04 04:30:14] WARNING[25780][C-00002fc8] Ext. s: "Rejecting unknown SIP connection from 155.94.65.90"
But these are not -
[2015-03-04 10:08:52] NOTICE[16282] chan_sip.c: Registration from '"6001" <sip:[email protected]:5060>' failed for '176.31.104.58:5074' - Wrong password
[2015-03-04 10:11:17] NOTICE[16282] chan_sip.c: Registration from '"7001" <sip:[email protected]:5060>' failed for '176.31.104.58:5075' - Wrong password
I think the asterisk.conf file in the fail2ban.d directory looks correct?
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
#
            WARNING.* Ext. s: Friendly Scanner from <HOST>
            WARNING.* .*: .*Rejecting unknown SIP connection from <HOST>.*
#
I see this in the fail2ban.log
2015-03-04 10:11:19,788 fail2ban.filter : ERROR No 'host' found in '[] SECURITY[16252] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1425485477-779144",Severity="Error",Service="SIP",EventVersion="2",AccountID="7001",SessionID="0x9a80b14",LocalAddress="IPV4/UDP/162.217.xx.xx/5060",RemoteAddress="IPV4/UDP/176.31.104.58/5075",Challenge="54d5b555",ReceivedChallenge="54d5b555",ReceivedHash="ee9f53c75d1e225fbd76214abb012913"
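
An offline check of the filter quoted above against the log lines from the post. This is an added example, not part of the original post and not fail2ban's own code. The `<HOST>` expansion (IPv4 only) and the timestamp stripping are simplified assumptions, and the SECURITY line is shortened from the fail2ban.log entry.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Leading "[YYYY-MM-DD HH:MM:SS] " stamp, removed before matching (approximation).
STAMP = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] ")

# Three of the failregex lines quoted in the post.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"WARNING.* .*: .*Rejecting unknown SIP connection from <HOST>.*",
]

# Log lines copied from the post; the last one is shortened.
LOG_LINES = [
    '[2015-03-04 04:30:14] WARNING[25780][C-00002fc8] Ext. s: '
    '"Rejecting unknown SIP connection from 155.94.65.90"',
    "[2015-03-04 10:08:52] NOTICE[16282] chan_sip.c: Registration from "
    "'\"6001\" <sip:[email protected]:5060>' failed for '176.31.104.58:5074' - Wrong password",
    "[2015-03-04 10:11:17] NOTICE[16282] chan_sip.c: Registration from "
    "'\"7001\" <sip:[email protected]:5060>' failed for '176.31.104.58:5075' - Wrong password",
    'SECURITY[16252] res_security_log.c: SecurityEvent="InvalidPassword",'
    'Service="SIP",AccountID="7001",RemoteAddress="IPV4/UDP/176.31.104.58/5075"',
]

def compile_filter(patterns):
    """Expand the <HOST> tag and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def check(line, compiled):
    """Return (pattern_index, host) for the first matching failregex, else None."""
    body = STAMP.sub("", line)
    for i, rx in enumerate(compiled):
        m = rx.search(body)
        if m:
            return i, m.group("host")
    return None

def report(lines=LOG_LINES, patterns=FAILREGEX):
    """Check every log line against the filter, in order."""
    compiled = compile_filter(patterns)
    return [check(line, compiled) for line in lines]

if __name__ == "__main__":
    for line, hit in zip(LOG_LINES, report()):
        print("MATCH" if hit else "MISS ", hit, "|", line[:70])
```

On the server itself, the `fail2ban-regex` tool that ships with fail2ban runs the installed filter file against the real log file.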