github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' into 0.10

pull/1824/head
sebres 2017-07-03 13:02:25 +02:00
parent 33fcf8d809 d05d9f4c28
commit 546cd55342
3 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -331,6 +331,7 @@ releases.
* filter.d/apache-overflows.conf:
- Fixes resources greedy expression (see gh-1790);
- Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
* filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
### New Features

6
config/filter.d/asterisk.conf
View File

@ -11,7 +11,7 @@ before = common.conf
_daemon = asterisk
__pid_re = (?:\[\d+\])
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
@ -22,9 +22,9 @@ prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
^Host <HOST> failed to authenticate as '[^']*'$
^(?:Host )?<HOST> failed to authenticate\b
^No registration for peer '[^']*' \(from <HOST>\)$
^Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^(?:Host )?Host <HOST> failed MD5 authentication\b
^Failed to authenticate (user|device) [^@]+@<HOST>\S*$
^hacking attempt detected '<HOST>'$
^SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

3
fail2ban/tests/files/logs/asterisk
View File

@ -84,3 +84,6 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han
# Failed authentication with pjsip on Asterisk 13+
# failJSON: { "time": "2016-06-08T23:40:26", "match": true , "host": "2.3.4.5" }
[2016-06-08 23:40:26] NOTICE[32497] res_pjsip/pjsip_distributor.c: Request from '"317" <sip:317@1.2.3.4>' failed for '2.3.4.5:5089' (callid: 206f178f-896564cb-57573f49@1.2.3.4) - No matching endpoint found
# failJSON: { "time": "2016-06-09T00:01:02", "match": true , "host": "192.0.2.1" }
[2016-06-09 00:01:02] NOTICE [22382] manager.c: 192.0.2.1 failed to authenticate as 'admin'