diff --git a/ChangeLog b/ChangeLog
index fce432ed..f3868e4b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,7 +26,10 @@ releases.
 - Fixes resources greedy expression (see gh-1790);
 - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
 * filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
-* filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
+* filter.d/asterisk.conf
+ - fixed failregex AMI Asterisk authentification failed (see gh-1302)
+ - removed invalid (vulnerable) regex blocking IPs using forign data (from header "from") thus not the IP-address that really originates the request (see gh-1927)
 * filter.d/dovecot.conf:
 - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
 - extended to match pam_authenticate failures with "Permission denied" (gh-1897)
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index cd3ea150..e94754c0 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -22,7 +22,6 @@ failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed fo
 ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context
 ^%(__prefix_line)s%(log_prefix)s (?:Host )? (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
 ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from \)$
- ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (?:user|device) [^@]+@\S*$
 ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$
 ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
 ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from "$
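Review bot: Dropping the `Failed to authenticate (?:user|device) [^@]+@\S*$` line leaves nothing in the filter that records why these Asterisk messages are deliberately unmatched, so a later contributor reading the sample logs could reintroduce a host capture from the same field. A comment directly above the failregex list, e.g. `# "Failed to authenticate user/device" is intentionally not matched: the only address in that message comes from the client-supplied From header, not from the peer that sent the request (gh-1927)`, would pin the decision to the issue already cited in the ChangeLog. The failregex definition starts before this hunk (its first alternative is only visible in the hunk header). The companion hunk in fail2ban/tests/files/logs/asterisk only deletes the two sample lines; keeping them with `"match": false` in their failJSON would turn the fix into a regression test instead of removing the evidence of the problem.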
diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk
index 5e846111..837011e0 100644
--- a/fail2ban/tests/files/logs/asterisk
+++ b/fail2ban/tests/files/logs/asterisk
@@ -1,6 +1,4 @@
 # Sample log files for asterisk
-# failJSON: { "time": "2013-07-25T07:26:43", "match": true , "host": "1.2.3.4" }
-[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101;tag=deadbeef
 # failJSON: { "time": "2012-02-13T17:21:54", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Wrong password
 # failJSON: { "time": "2012-02-13T17:18:22", "match": true , "host": "1.2.3.4" }
@@ -19,8 +17,6 @@
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
 # failJSON: { "time": "2012-02-13T17:44:26", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
-# failJSON: { "time": "2012-02-13T17:37:07", "match": true , "host": "1.2.3.4" }
-[2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" ;tag=1r698745234
 # failJSON: { "time": "2013-02-05T23:44:42", "match": true , "host": "1.2.3.4" }
 [2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
 # failJSON: { "time": "2013-03-26T15:47:54", "match": true , "host": "1.2.3.4" }