Intrusion Detection not blocking failed SIP attempts

Hello All,

I wanted to share this change which should be of value.

I noticed on a 6.12.65-32 box that someone was attempting to log in to the box hundreds of times but was never blacklisted.
I did a little looking at the filter file for Asterisk and found the following:

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$

In looking at the log file:

[2016-09-13 21:45:04] NOTICE[16280]: manager.c:2638 authenticate: 89.163.242.103 tried to authenticate with nonexistent user 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:04] NOTICE[16280]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:08] NOTICE[16291]: manager.c:2638 authenticate: 89.163.242.103 tried to authenticate with nonexistent user 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:08] NOTICE[16291]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:10] NOTICE[16298]: manager.c:2638 authenticate: 89.163.242.103 tried to authenticate with nonexistent user 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:10] NOTICE[16298]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:13] WARNING[1934]: chan_sip.c:4099 retrans_pkt: Timeout on 2f7a0cdaaa999061f415f138187b8d4c on non-critical invite transaction.
[2016-09-13 21:45:20] NOTICE[16325]: manager.c:2638 authenticate: 89.163.242.103 tried to authenticate with nonexistent user 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:20] NOTICE[16325]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:24] WARNING[1934]: chan_sip.c:4099 retrans_pkt: Timeout on 57676c4bedee44b3ea86be0e06e0ae57 on non-critical invite transaction.
[2016-09-13 21:45:24] NOTICE[16331]: manager.c:2638 authenticate: 89.163.242.103 tried to authenticate with nonexistent user 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:24] NOTICE[16331]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:30] NOTICE[16337]: manager.c:2638 authenticate: 89.163.242.103 tried to authenticate with nonexistent user 'eLaStIx.asteriskuser.2oo7 '
[2016-09-13 21:45:30] NOTICE[16337]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '

I saw that the actual word "Host" before the value may be incorrect.
I basically took it out, resulting in the following config line:

^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> failed to authenticate as '[^']*'$

Within a few moments, the IP was blocked as expected. (Yes, that's the real IP of the hackers, and that same IP is attacking several servers on diverse networks.)

Just to be thorough, if you are using older FreePBX on CentOS 5, the line below is the proper configuration line for the Asterisk filter (I know these are old, but people are running them).

NOTICE.* <HOST> failed to authenticate as '.*'$
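To see why the original filter line never fires and the edited one does, here is an added example (not code from the post, FreePBX or fail2ban) that replays the three regexes above against the log lines quoted in the post. fail2ban expands `%(__prefix_line)s`, `%(log_prefix)s` and `<HOST>` before compiling a failregex; the stand-ins used here for those three substitutions are assumptions, simplified to fit this manager.c log format (the real definitions in fail2ban's common.conf and filter.d/asterisk.conf are longer), and the sample log lines are copied from the excerpt above. The `count_by_host` helper is hypothetical and only tallies what each regex would hand to the ban action.

```python
import re

# Constructed sample, copied from the log excerpt in the post: two manager.c
# authentication failures from one source, a "nonexistent user" notice, and an
# unrelated chan_sip warning that must not match anything.
SAMPLE_LOG = [
    "[2016-09-13 21:45:04] NOTICE[16280]: manager.c:2638 authenticate: 89.163.242.103 tried to authenticate with nonexistent user 'eLaStIx.asteriskuser.2oo7 '",
    "[2016-09-13 21:45:04] NOTICE[16280]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '",
    "[2016-09-13 21:45:13] WARNING[1934]: chan_sip.c:4099 retrans_pkt: Timeout on 2f7a0cdaaa999061f415f138187b8d4c on non-critical invite transaction.",
    "[2016-09-13 21:45:08] NOTICE[16291]: manager.c:2675 authenticate: 89.163.242.103 failed to authenticate as 'eLaStIx.asteriskuser.2oo7 '",
]

# Simplified stand-ins for the fail2ban substitutions (assumption: tailored to
# the "LEVEL[pid]: file.c:line function:" prefix seen in the log above).
PREFIX_LINE = r"\s*"                                               # %(__prefix_line)s
LOG_PREFIX = r"(?:NOTICE|SECURITY|WARNING)\[\d+\]: \S+:\d+ \w+:"   # %(log_prefix)s
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"                        # <HOST>, IPv4 only here
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")


def expand(failregex):
    """Do the %(name)s and <HOST> substitutions fail2ban performs before compiling."""
    return re.compile(
        failregex.replace("%(__prefix_line)s", PREFIX_LINE)
                 .replace("%(log_prefix)s", LOG_PREFIX)
                 .replace("<HOST>", HOST)
    )


# The line as found on the box, the corrected line, and the CentOS 5 variant.
ORIGINAL = expand(r"^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$")
FIXED = expand(r"^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s <HOST> failed to authenticate as '[^']*'$")
LEGACY = expand(r"NOTICE.* <HOST> failed to authenticate as '.*'$")


def strip_date(line):
    """Mimic fail2ban 0.8's date removal, which leaves the empty '[]' behind
    (that is what the '\\[\\]\\s*' alternative in the failregex is for)."""
    return DATE_RE.sub("[]", line, count=1)


def matched_hosts(failregex, lines):
    """Return the <HOST> values a failregex extracts from the given log lines."""
    hits = (failregex.search(strip_date(line)) for line in lines)
    return [m.group("host") for m in hits if m]


def count_by_host(failregex, lines):
    """Tally failures per source address, the number fail2ban compares to maxretry."""
    counts = {}
    for host in matched_hosts(failregex, lines):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    # The shipped line requires a literal "Host " that manager.c never logs.
    print("original filter:", count_by_host(ORIGINAL, SAMPLE_LOG))   # {}
    print("fixed filter:   ", count_by_host(FIXED, SAMPLE_LOG))      # {'89.163.242.103': 2}
    print("CentOS 5 filter:", count_by_host(LEGACY, SAMPLE_LOG))     # {'89.163.242.103': 2}
```

On a real box the same check is `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines each failregex matched; zero hits for a line you can see in the log is the symptom described above.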