2013-10-30 13:02:59 +00:00
# Fail2Ban filter for asterisk authentication failures
2012-01-11 15:35:40 +00:00
#
2012-02-28 16:28:06 +00:00
2012-01-11 15:35:40 +00:00
[Definition]
2013-10-30 13:02:59 +00:00
__pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this:
2013-11-11 22:22:41 +00:00
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*
2013-06-26 23:16:14 +00:00
2013-11-07 23:24:50 +00:00
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
2013-06-26 23:16:14 +00:00
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
2013-07-25 12:36:10 +00:00
^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
2013-06-29 01:30:37 +00:00
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
2013-07-07 07:48:20 +00:00
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
2013-11-11 22:22:41 +00:00
^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
2012-01-11 15:35:40 +00:00
ignoreregex =
2013-05-14 11:04:11 +00:00
2013-10-30 13:02:59 +00:00
# Author: Xavier Devlamynck
