From a1d0633e69d13cd2beaac27f039d8bb9d0fdc47b Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 3 Jul 2017 12:57:28 +0200
Subject: [PATCH] filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
---
 ChangeLog | 1 +
 config/filter.d/asterisk.conf | 6 +++---
 fail2ban/tests/files/logs/asterisk | 3 +++
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3e9ef653..99bcb4b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,7 @@ releases.
 * filter.d/apache-overflows.conf:
   - Fixes resources greedy expression (see gh-1790);
   - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
+* filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
 ### New Features
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index 79bd1ff2..97178002 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -11,7 +11,7 @@ before = common.conf
 _daemon = asterisk
-__pid_re = (?:\[\d+\])
+__pid_re = (?:\s*\[\d+\])
 iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
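Review bot: `__pid_re = (?:\s*\[\d+\])` is looser than the stated intent of one optional space: `\s*` also admits tabs, runs of several spaces and any other whitespace, and because `__pid_re` is interpolated into `log_prefix` (the next hunk's header shows `%(__pid_re)s` there) the relaxation applies to every failregex in this filter, not only the AMI line. If the `NOTICE [22382]` form from the new test sample is the only case to cover, `__pid_re = (?: ?\[\d+\])` keeps the prefix as tight as before for all other patterns. Either way, a short comment above the definition recording the reason (`# Asterisk AMI writes "NOTICE [pid]" with a space before the pid, see gh-1302`) would keep a later maintainer from tightening it again without a test failing.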
@@ -20,9 +20,9 @@ log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\
 failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
             ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context
-            ^%(__prefix_line)s%(log_prefix)s Host failed to authenticate as '[^']*'$
+            ^%(__prefix_line)s%(log_prefix)s (?:Host )? failed to authenticate
             ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from \)$
-            ^%(__prefix_line)s%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$
+            ^%(__prefix_line)s%(log_prefix)s (?:Host )? failed MD5 authentication for '[^']*' \([^)]+\)$
             ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$
             ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$
             ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk
index 13808592..f3ece02e 100644
--- a/fail2ban/tests/files/logs/asterisk
+++ b/fail2ban/tests/files/logs/asterisk
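Review bot: The two rewritten alternatives are no longer written the same way: the `failed to authenticate` line drops both the `as '[^']*'` tail and the `$` anchor, while the `failed MD5 authentication` line directly below keeps its full tail and `$`, so adjacent lines now follow two different anchoring conventions. The ChangeLog hunk records the project's reason for moving away from end anchors on text the remote side influences (the apache-overflows entry), and the quoted name after `as` is presumably client-supplied, so the consistent choice is to treat the MD5 line the same way, `... failed MD5 authentication for '[^']*' \([^)]+\)` without the trailing `$`, or to keep `as '[^']*'$` on the first line; mixing the styles invites a later edit to "fix" one of them. The host-capture token between `(?:Host )?` and `failed` does not survive in this rendering of the patch, so the host part of the new lines cannot be checked here.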
@@ -84,3 +84,6 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han
 # Failed authentication with pjsip on Asterisk 13+
 # failJSON: { "time": "2016-06-08T23:40:26", "match": true , "host": "2.3.4.5" }
 [2016-06-08 23:40:26] NOTICE[32497] res_pjsip/pjsip_distributor.c: Request from '"317" ' failed for '2.3.4.5:5089' (callid: 206f178f-896564cb-57573f49@1.2.3.4) - No matching endpoint found
+
+# failJSON: { "time": "2016-06-09T00:01:02", "match": true , "host": "192.0.2.1" }
+[2016-06-09 00:01:02] NOTICE [22382] manager.c: 192.0.2.1 failed to authenticate as 'admin'
\ No newline at end of file
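Review bot: The new last line is added without a trailing newline (`\ No newline at end of file`) although the fixture ended with one before this change (the old last line is plain context); adding the newline keeps the next appended sample from showing this line as modified again. The sample also exercises only the new `NOTICE [pid]` spacing together with the no-`Host ` form of the message, so unless an earlier part of this file, outside the hunk, already holds a `Host … failed to authenticate as '…'` line, the `(?:Host )?` branch of the rewritten regex has no positive test. A second sample for the `failed MD5 authentication` line with the same spacing would cover the other regex this commit changes.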