Old 10-17-2014, 11:56 PM   #1
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

help on a fail2ban filter for sip attack


My Asterisk version 1.8 (running FreePBX) seems to reject the scan, but my filter, the common fail2ban filter for Asterisk, is old and needs a bit more added. Here is what the latest I am getting looks like:

Code:
Oct 17 23:20:41 pbx asterisk[13144]: WARNING[26189]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:27:32 pbx asterisk[13144]: WARNING[26261]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:28:53 pbx asterisk[13144]: WARNING[26280]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.111.154.38"
Oct 17 23:29:06 pbx asterisk[13144]: WARNING[26281]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:36:11 pbx asterisk[13144]: WARNING[26368]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:37:24 pbx asterisk[13144]: WARNING[26384]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:39:45 pbx asterisk[13144]: WARNING[26423]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.111.154.38"
Oct 17 23:44:51 pbx asterisk[13144]: WARNING[26479]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:45:43 pbx asterisk[13144]: WARNING[26489]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:51:53 pbx asterisk[13144]: WARNING[26602]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.111.154.38"
Oct 17 23:53:26 pbx asterisk[13144]: WARNING[26623]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:54:02 pbx asterisk[13144]: WARNING[26628]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"

Asterisk's "Rejecting unknown SIP connection from" tells me nothing is getting through, but it's annoying and filling up my reports with random numbers.

I have some external connections that change IPs a lot, and they are not locked to just one provider with a set of IP ranges, so I need to keep it open.

Here is the old one, with a crappy attempt to make a filter that does not work:
/etc/fail2ban/filter.d/asterisk.conf
Code:
[INCLUDES]



[Definition]

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            WARNING.* .*: Rejecting unknown SIP connection from '<HOST>"$

ignoreregex =
I am sure more than just myself would find this very useful.

I have played so much with my settings in fail2ban that I am wondering if my logs are generating the proper date, if someone can tell from what you see here.

My settings are:

/etc/fail2ban/jail.local
Code:
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@mydomain.com]
logpath  = /var/log/asterisk/messages
maxretry = 1
bantime = 259200
Interestingly enough, I found this on the net, but it does not seem to work:

Code:
[INCLUDES]
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context '.*'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
I did this to try it out using the fail2ban-regex command:


Code:
cat /etc/asterisk/logger_logfiles_custom.conf
messages => security, notice,warning

# nano /etc/fail2ban/filter.d/asterisk.conf
# /etc/init.d/fail2ban stop
[ ok ] Stopping authentication failure monitor: fail2ban.
# /etc/init.d/fail2ban start
[ ok ] Starting authentication failure monitor: fail2ban.

fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/asterisk.conf
Use log file   : /var/log/asterisk/messages


Results
=======

Failregex
|- Regular expressions:
|  [1] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
|  [2] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context '.*'\.$
|  [3] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Host <HOST> failed to authenticate as '[^']*'$
|  [4] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? No registration for peer '[^']*' \(from <HOST>\)$
|  [5] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
|  [6] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Failed to authenticate (user|device) [^@]+@<HOST>\S*$
|  [7] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
|  [8] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
|  [9] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*WARNING(?:\[\d+\]):?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)
   [5] 0 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 3 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
    192.254.79.34 (Sat Oct 18 00:44:05 2014)
    192.254.79.34 (Sat Oct 18 00:44:44 2014)
    192.111.154.38 (Sat Oct 18 00:48:15 2014)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
30 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 3

However, look at the above section 'Running tests' which could contain important
information.
The hits are coming in non-stop, so I have plenty to test with.
It picks up in the test but not at all otherwise. It's not doing anything; what the heck am I doing wrong? You can see from above that the test works, but the actual hits that are happening as I type this are ignored. I must be missing something.

Last edited by charly78; 10-17-2014 at 11:59 PM.
 
Old 10-19-2014, 05:22 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Dunno but with a simple conf like this I get a match on all 12 log entries:
Code:
[INCLUDES]
before = common.conf

[Definition]

_daemon = asterisk

failregex = WARNING.*Rejecting unknown SIP connection from <HOST>.*$

ignoreregex =
 
Old 10-19-2014, 09:33 PM   #3
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
ugh

My cat /var/log/fail2ban.log still shows no response.

Here are my settings.
/etc/fail2ban/jail.local, the part at the end:
Code:
[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@mydomain]
logpath  = /var/log/asterisk/messages
maxretry = 1
bantime = 259200



/etc/fail2ban/filter.d/asterisk.conf
Code:
[INCLUDES]
before = common.conf


[Definition]
_daemon = asterisk


failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            WARNING.*Rejecting unknown SIP connection from <HOST>.*$

ignoreregex =
cat /var/log/asterisk/messages|grep Rejecting

Code:
[2014-10-19 21:38:55] WARNING[12277] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:41:16] WARNING[13030] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:45:49] WARNING[14391] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:48:10] WARNING[15089] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:52:50] WARNING[16501] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:55:10] WARNING[17207] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 21:59:38] WARNING[18564] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:01:58] WARNING[19273] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:06:35] WARNING[20569] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:08:49] WARNING[21281] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:13:22] WARNING[22659] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:15:38] WARNING[23341] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:20:06] WARNING[24691] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:22:23] WARNING[25375] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
[2014-10-19 22:26:54] WARNING[26745] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"
It just goes on forever.

If there is something you want to know... what am I missing? Because when I run
fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
your code works well, but it is ignoring?!
Code:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/asterisk.conf
Use log file   : /var/log/asterisk/messages


Results
=======

Failregex
|- Regular expressions:
|  [1] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
|  [2] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
|  [3] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
|  [4] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
|  [5] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
|  [6] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
|  [7] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
|  [8] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
|  [9] NOTICE.* <HOST> failed to authenticate as '.*'$
|  [10] NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
|  [11] NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
|  [12] NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
|  [13] NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
|  [14] WARNING.*Rejecting unknown SIP connection from <HOST>.*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)
   [5] 0 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)
   [11] 0 match(es)
   [12] 0 match(es)
   [13] 0 match(es)
   [14] 33 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
    192.254.79.34 (Sat Oct 18 00:44:05 2014)
    192.254.79.34 (Sat Oct 18 00:44:44 2014)
    192.111.154.38 (Sat Oct 18 00:48:15 2014)
    192.254.79.34 (Sat Oct 18 00:52:31 2014)
    192.254.79.34 (Sat Oct 18 00:53:18 2014)
    192.111.154.38 (Sat Oct 18 00:59:44 2014)
    192.254.79.34 (Sat Oct 18 01:00:51 2014)
    192.254.79.34 (Sat Oct 18 01:01:55 2014)
    192.111.154.38 (Sat Oct 18 09:51:57 2014)
    192.111.154.38 (Sat Oct 18 10:04:04 2014)
    192.111.154.38 (Sat Oct 18 10:16:12 2014)
    192.111.154.38 (Sat Oct 18 10:28:36 2014)
    62.210.95.17 (Sat Oct 18 22:53:56 2014)
    62.210.95.17 (Sat Oct 18 22:53:56 2014)
    192.254.79.34 (Sun Oct 19 21:27:30 2014)
    192.254.79.34 (Sun Oct 19 21:31:59 2014)
    192.254.79.34 (Sun Oct 19 21:34:21 2014)
    192.254.79.34 (Sun Oct 19 21:38:55 2014)
    192.254.79.34 (Sun Oct 19 21:41:16 2014)
    192.254.79.34 (Sun Oct 19 21:45:49 2014)
    192.254.79.34 (Sun Oct 19 21:48:10 2014)
    192.254.79.34 (Sun Oct 19 21:52:50 2014)
    192.254.79.34 (Sun Oct 19 21:55:10 2014)
    192.254.79.34 (Sun Oct 19 21:59:38 2014)
    192.254.79.34 (Sun Oct 19 22:01:58 2014)
    192.254.79.34 (Sun Oct 19 22:06:35 2014)
    192.254.79.34 (Sun Oct 19 22:08:49 2014)
    192.254.79.34 (Sun Oct 19 22:13:22 2014)
    192.254.79.34 (Sun Oct 19 22:15:38 2014)
    192.254.79.34 (Sun Oct 19 22:20:06 2014)
    192.254.79.34 (Sun Oct 19 22:22:23 2014)
    192.254.79.34 (Sun Oct 19 22:26:54 2014)
    192.254.79.34 (Sun Oct 19 22:29:08 2014)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
355759 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 33

However, look at the above section 'Running tests' which could contain important
information.
What am I missing? All I can find is something about the timing on reading the log. I dunno, anyone?

Last edited by charly78; 10-21-2014 at 06:34 PM. Reason: typo
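A mini fail2ban-regex in Python, added here as an example (it is not code from the thread or from fail2ban), that runs the three candidate failregexes from posts #1 and #2 over the two log formats posted above and shows why only the pattern without the stray quote before <HOST> matches both. It assumes fail2ban 0.8's <HOST> expansion and its date-stripping behaviour; the NOTICE control line is constructed.

```python
import re

# How fail2ban 0.8 expands the <HOST> tag (from its failregex.py; quoted from memory,
# so treat the exact character class as an assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two fail2ban date templates that matter in this thread: syslog ("Oct 17 23:20:41",
# post #1) and Asterisk's own messages file ("[2014-10-19 21:38:55]", post #3).
# fail2ban cuts the matched date out of the line *before* applying failregex, so
# "[2014-10-19 21:38:55] WARNING..." becomes "[] WARNING..." -- which is exactly why
# the pattern found on the net begins with the odd-looking "\[\]\s*WARNING".
DATE_TEMPLATES = [
    re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"),
    re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),
]

# The three candidate patterns from the thread, verbatim. For "found_on_net" the
# %(__prefix_line)s macro from common.conf is written out as fail2ban-regex printed it.
FILTERS = {
    "op_original": r"""WARNING.* .*: Rejecting unknown SIP connection from '<HOST>"$""",
    "found_on_net": (
        r"^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
        r"(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|"
        r"[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|"
        r"\[\]\s*WARNING(?:\[\d+\]):?(?:\[C-[\da-f]*\])? )"
        r'Ext\. s: "Rejecting unknown SIP connection from <HOST>"$'
    ),
    "unspawn": r"WARNING.*Rejecting unknown SIP connection from <HOST>.*$",
}

# Sample log: the first two lines are the thread's own (post #1 and post #3 formats);
# the NOTICE line is constructed as a harmless control that no filter should match.
SAMPLE_LOG = [
    "Oct 17 23:20:41 pbx asterisk[13144]: WARNING[26189]: Ext. s:6 in @ from-sip-external: "
    '"Rejecting unknown SIP connection from 192.254.79.34"',
    '[2014-10-19 21:38:55] WARNING[12277] Ext. s: "Rejecting unknown SIP connection from 192.254.79.34"',
    "[2014-10-19 21:39:00] NOTICE[12277] chan_sip.c: Peer 'ext-201' is now Reachable. (12ms / 2000ms)",
]


def strip_date(line):
    """Mimic fail2ban: remove the first recognised timestamp, keep the rest of the line."""
    for template in DATE_TEMPLATES:
        m = template.search(line)
        if m:
            return line[:m.start()] + line[m.end():]
    return line  # no recognised date: fail2ban could not timestamp the failure either


def compile_failregex(pattern):
    """Turn a filter.d failregex into a Python regex the way fail2ban does."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def run_filter(pattern, lines):
    """Return the hosts a single failregex would report, in log order."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.search(strip_date(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


def compare_filters(filters=FILTERS, lines=SAMPLE_LOG):
    """Map each candidate failregex to the hosts it extracts from the sample log."""
    return {name: run_filter(pattern, lines) for name, pattern in filters.items()}


if __name__ == "__main__":
    # Expected: op_original 0 (stray quote before <HOST>, and ': "Rejecting' is not
    # ': Rejecting'); found_on_net 1 (only the native format has 'Ext. s: "'); unspawn 2.
    for name, hosts in compare_filters().items():
        print(f"{name:13s} {len(hosts)} match(es) {hosts}")
```

Point it at a real log by replacing SAMPLE_LOG with the file's lines; the NOTICE rows in the OP's filter would need their own patterns added to FILTERS.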
 
Old 10-20-2014, 05:01 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by charly78 View Post
My cat /var/log/fail2ban.log still shows no response.
Please ensure you don't have any active "logtarget = SYSLOG" line in your /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local.

Do note you use the all-caps name "ASTERISK". I don't know if it matters but just to make certain change it to lower case.
Also I'd ditch the "sendmail-whois" line as it only serves to delay any actions plus you won't be doing anything with that information once you get the email.

Restart fail2ban and check your /var/log/fail2ban.log for any startup errors.
Please display output of
Code:
JAILLIST=($(fail2ban-client status | awk -F':' '/Jail list:/ {print $2}')); for (( n=0; n<${#JAILLIST[@]}; n++)); do fail2ban-client status ${JAILLIST[$n]//,/}; done

Quote:
Originally Posted by charly78 View Post
If there is something you want to know... what am I missing? Because when I run
fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
your code works well, but it is ignoring?!
Please explain what you mean with "ignoring"? It has filtered 33 lines.
 
Old 10-21-2014, 06:32 PM   #5
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
I can run fail2ban-regex, but when it is running I can literally watch events happen that fail2ban should pick up, and it just does nothing. It's almost as if it is ignoring the logs.

And no mention of syslog in the jail.conf or jail.local.

Code:
/etc/fail2ban# JAILLIST=($(fail2ban-client status | awk -F':' '/Jail list:/ {print $2}')); for (( n=0; n<${#JAILLIST[@]}; n++)); do fail2ban-client status ${JAILLIST[$n]//,/}; done
Status for the jail: apache
|- filter
|  |- File list:        /var/log/apache2/error.log 
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
Status for the jail: asterisk-iptables
|- filter
|  |- File list:        /var/log/asterisk/messages 
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log 
|  |- Currently failed: 0
|  `- Total failed:     48
`- action
   |- Currently banned: 3
   |  `- IP list:       122.225.97.92 122.225.97.71 23.234.224.74 
   `- Total banned:     9
Status for the jail: ssh-ddos
|- filter
|  |- File list:        /var/log/auth.log 
|  |- Currently failed: 0
|  `- Total failed:     23
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     1

Last edited by charly78; 10-21-2014 at 06:36 PM.
 
Old 10-22-2014, 01:52 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by charly78 View Post
I can run fail2ban-regex, but when it is running I can literally watch events happen that fail2ban should pick up, and it just does nothing. It's almost as if it is ignoring the logs.
Indeed your output shows nothing blocked from /var/log/asterisk/messages. Did you use
Code:
fail2ban-client reload asterisk-iptables
or restart fail2ban after changing rules?


Quote:
Originally Posted by charly78 View Post
and no mention of syslog in the jail.conf or jail.local
What does this return?:
Code:
fail2ban-client get logtarget
 
Old 10-25-2014, 11:01 AM   #7
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Update

I tried all sorts, but when we did a backup and restarted the Hyper-V it all just started to work magically.

I am going to guess it had something to do with Hyper-V?

I dunno, but it works great now with the different filters.


Thank you for your time. I learned a lot more about fail2ban.
 
Old 10-26-2014, 04:08 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

You're welcome.
 
  



Tags
asterisk, fail2ban, sip


