| 4 |
- |
1 |
# Fail2Ban filter for asterisk authentication failures
|
|
|
2 |
#
|
|
|
3 |
|
| 5 |
- |
4 |
[INCLUDES]
|
|
|
5 |
|
|
|
6 |
# Read common prefixes. If any customizations available -- read them from
|
|
|
7 |
# common.local
|
|
|
8 |
before = common.conf
|
|
|
9 |
|
| 4 |
- |
10 |
[Definition]
|
|
|
11 |
|
| 5 |
- |
12 |
_daemon = asterisk
|
|
|
13 |
|
| 4 |
- |
14 |
__pid_re = (?:\[\d+\])
|
|
|
15 |
|
| 39 |
- |
16 |
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
|
|
|
17 |
|
| 4 |
- |
18 |
# All Asterisk log messages begin like this:
|
| 87 |
- |
19 |
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
|
| 4 |
- |
20 |
|
| 87 |
- |
21 |
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
|
|
|
22 |
^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
|
|
|
23 |
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
|
|
|
24 |
^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
|
|
|
25 |
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
|
|
|
26 |
^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
|
|
|
27 |
^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
|
|
|
28 |
^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
|
|
|
29 |
^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
|
|
|
30 |
^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
|
| 4 |
- |
31 |
|
|
|
32 |
ignoreregex =
|
|
|
33 |
|
|
|
34 |
|
| 5 |
- |
35 |
# Author: Xavier Devlamynck / Daniel Black
|
|
|
36 |
#
|
|
|
37 |
# General log format - main/logger.c:ast_log
|
|
|
38 |
# Address format - ast_sockaddr_stringify
|
|
|
39 |
#
|
|
|
40 |
# First regex: channels/chan_sip.c
|
|
|
41 |
#
|
|
|
42 |
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
|