My Asterisk version 1.8 (running FreePBX) seems to reject the scan, but my filter, the common fail2ban filter for Asterisk, is old and needs a bit more added in. Here is what the latest I am getting looks like:
Code:
Oct 17 23:20:41 pbx asterisk[13144]: WARNING[26189]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:27:32 pbx asterisk[13144]: WARNING[26261]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:28:53 pbx asterisk[13144]: WARNING[26280]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.111.154.38"
Oct 17 23:29:06 pbx asterisk[13144]: WARNING[26281]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:36:11 pbx asterisk[13144]: WARNING[26368]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:37:24 pbx asterisk[13144]: WARNING[26384]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:39:45 pbx asterisk[13144]: WARNING[26423]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.111.154.38"
Oct 17 23:44:51 pbx asterisk[13144]: WARNING[26479]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:45:43 pbx asterisk[13144]: WARNING[26489]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:51:53 pbx asterisk[13144]: WARNING[26602]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.111.154.38"
Oct 17 23:53:26 pbx asterisk[13144]: WARNING[26623]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:54:02 pbx asterisk[13144]: WARNING[26628]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Asterisk's "Rejecting unknown SIP connection from" tells me nothing is getting through, but it's annoying and filling up my reports with random numbers.
I have some external connections that change IPs a lot, and they are not locked to just one provider with a set of IP ranges, so I need to keep it open.
Here is the old one, with a crappy attempt to make a filter that does not work:
/etc/fail2ban/filter.d/asterisk.conf
Code:
[INCLUDES]

[Definition]
# Continuation lines of a multi-line failregex must be indented, otherwise
# fail2ban only reads the first pattern. Duplicate patterns have been dropped.
# The last pattern follows the logged line shape
#   ... from-sip-external: "Rejecting unknown SIP connection from 1.2.3.4"
# so the opening double quote sits before Rejecting and there is no single
# quote in front of <HOST>.
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            WARNING.* .*: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
I am sure more than myself would find this very useful.
I have played so much with my settings in fail2ban that I am wondering if my logs are generating the proper date, if someone knows from what you see here.
My settings are:
/etc/fail2ban/jail.local
Code:
[asterisk-iptables]
enabled  = true
filter   = asterisk
# The second action is a continuation line and must be indented.
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@mydomain.com]
# Was "logpath = logpath = /var/log/asterisk/messages"; the value must be the
# path only, otherwise the jail watches a file that does not exist.
logpath  = /var/log/asterisk/messages
maxretry = 1
bantime  = 259200
Interestingly enough, I found this on the net, but it does not seem to work:
Code:
[INCLUDES]
before = common.conf

[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context '.*'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
I did this to try it out using the fail2ban-regex command:
Code:
cat /etc/asterisk/logger_logfiles_custom.conf
messages => security, notice,warning
# nano /etc/fail2ban/filter.d/asterisk.conf
# /etc/init.d/fail2ban stop
[ ok ] Stopping authentication failure monitor: fail2ban.
# /etc/init.d/fail2ban start
[ ok ] Starting authentication failure monitor: fail2ban.
fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/asterisk.conf
Use log file : /var/log/asterisk/messages
Results
=======
Failregex
|- Regular expressions:
| [1] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
| [2] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context '.*'\.$
| [3] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Host <HOST> failed to authenticate as '[^']*'$
| [4] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? No registration for peer '[^']*' \(from <HOST>\)$
| [5] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
| [6] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? Failed to authenticate (user|device) [^@]+@<HOST>\S*$
| [7] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
| [8] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*)(?:NOTICE|SECURITY)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
| [9] ^(\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?|[\[\(]?asterisk(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*|\[\]\s*WARNING(?:\[\d+\]):?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 0 match(es)
[4] 0 match(es)
[5] 0 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 3 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
192.254.79.34 (Sat Oct 18 00:44:05 2014)
192.254.79.34 (Sat Oct 18 00:44:44 2014)
192.111.154.38 (Sat Oct 18 00:48:15 2014)
Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
30 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 3
However, look at the above section 'Running tests' which could contain important
information.
The hits are coming in non-stop, so I have plenty to test with.
It picks up in the test but otherwise not at all. It's not doing anything; what the heck am I doing wrong? You can see from above that the test works, but the actual hits that are happening as I type this are ignored. I must be missing something.
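To see why the two WARNING patterns quoted in the post miss lines shaped like the pasted ones, here is an added Python check (not from the post and not fail2ban's own code) that expands `<HOST>` with a simplified IPv4-only stand-in (an assumption; fail2ban's real tag also accepts hostnames and IPv6) and runs the old pattern, the one found on the net, and an assumed corrected pattern over constructed log lines modelled on the post.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption for this example:
# IPv4 only; the real tag also accepts hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The WARNING patterns quoted in the post (old filter and the tail of the one
# found on the net), plus an assumed corrected one shaped like the posted lines.
OLD_WARNING = r'WARNING.* .*: Rejecting unknown SIP connection from \'<HOST>"$'
UPSTREAM_WARNING = r'WARNING(?:\[\d+\]):?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$'
FIXED_WARNING = r'WARNING\[\d+\]: Ext\. s:\d+ in @ [\w-]+: "Rejecting unknown SIP connection from <HOST>"$'
REGISTRATION = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password"

# Constructed sample lines modelled on the syslog-style lines in the post.
SAMPLE_LOG = """\
Oct 17 23:20:41 pbx asterisk[13144]: WARNING[26189]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:28:53 pbx asterisk[13144]: WARNING[26280]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.111.154.38"
Oct 17 23:29:06 pbx asterisk[13144]: WARNING[26281]: Ext. s:6 in @ from-sip-external: "Rejecting unknown SIP connection from 192.254.79.34"
Oct 17 23:30:00 pbx asterisk[13144]: NOTICE[26300]: chan_sip.c:25091 handle_request_register: Registration from '"100"<sip:100@203.0.113.7>' failed for '203.0.113.7:5060' - Wrong password
Oct 17 23:31:00 pbx asterisk[13144]: VERBOSE[26301]: -- Executing [s@from-sip-external:6] Log("SIP/203.0.113.7-00000001", "WARNING,...") in new stack
"""


def compile_failregex(pattern):
    """Expand the <HOST> tag (simplified) and compile like fail2ban would."""
    return re.compile(pattern.replace("<HOST>", HOST))


def match_hosts(patterns, log):
    """Count offending hosts, like fail2ban-regex's 'Addresses found'.
    fail2ban strips the timestamp first; re.search over the whole line is
    enough here because none of these patterns is anchored at ^."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = Counter()
    for line in log.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # first matching failregex wins, one hit per line
    return hits


def to_ban(hits, maxretry=1):
    """Hosts that reach maxretry (the post's jail uses maxretry = 1)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)
```

Whatever pattern passes here should still be confirmed with fail2ban-regex against the real /var/log/asterisk/messages, because the date-template summary in the post (30 Year-Month-Day hits, none for the syslog MONTH Day form) shows that file is not written in the same format as the pasted lines.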