diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
new file mode 100644
index 00000000..73947a67
--- /dev/null
+++ b/config/filter.d/asterisk.conf
@@ -0,0 +1,39 @@
+# Fail2Ban configuration file
+#
+# Author: Xavier Devlamynck
+#
+# $Revision$
+#
+
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P\S+)
+# Values: TEXT
+#
+failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Wrong password$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - No matching peer found$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Username/auth name mismatch$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Device does not match ACL$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Peer is not supposed to register$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - ACL error (permit/deny)$
+ NOTICE%(__pid_re)s failed to authenticate as '.*'$
+ NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from \)$
+ NOTICE%(__pid_re)s .*: Host failed MD5 authentication for '.*' (.*)$
+ NOTICE%(__pid_re)s .*: Failed to authenticate user .*@.*$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/config/jail.conf b/config/jail.conf
index b3012054..a0dc2369 100644
--- a/config/jail.conf
+++ b/config/jail.conf
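Review bot: The `ACL error (permit/deny)$` alternative of failregex cannot match its own sample line in testcases/files/logs/asterisk, because the unescaped parentheses form a regex group that expects the bare text `permit/deny` where the log carries `(permit/deny)`; it should end `ACL error \(permit/deny\)$`, escaped the way `\(from ...\)` already is two lines further down. The `Host failed MD5 authentication for '.*' (.*)$` alternative only matches by accident for the same reason and should end `\(.*\)$`. The host tags appear to have been stripped in this rendering (shown as `''`), so whether the last alternative, `Failed to authenticate user .*@.*$`, still carries a host group cannot be checked here and should be confirmed against the committed file. Because the text inside `Registration from '.*'` is supplied by the remote peer, the trailing `$` anchor on every alternative is doing real work and should be kept whenever these lines are edited.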
@@ -264,6 +264,24 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 +[asterisk-tcp] + +enabled = false +filter = asterisk +action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp] + sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com] +logpath = /var/log/asterisk/messages +maxretry = 10 + +[asterisk-udp] + +enabled = false +filter = asterisk +action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] + sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com] +logpath = /var/log/asterisk/messages +maxretry = 10 + # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk new file mode 100644 index 00000000..4715f608 --- /dev/null +++ b/testcases/files/logs/asterisk 
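Review bot: The `asterisk` filter these two jails share also matches the chan_iax2 log lines shown in the new sample log (`failed to authenticate as`, `No registration for peer`, `failed MD5 authentication`), yet neither jail's `port` list includes IAX2's default port 4569/udp, so a source caught by those patterns is banned only on the SIP ports; either add `4569` to `[asterisk-udp]`'s `port="5060,5061"` or state in a comment above `[asterisk-tcp]` that IAX2 is out of scope. Port 5061 is SIP over TLS, which runs on TCP only, so listing it in the udp jail is harmless but misleading. Since both jails read the same `logpath` with the same `filter`, a single matched line bans the source on both protocols; a one-line comment saying that this is intended, because the log line does not record the transport, would spare the next reader the question.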
@@ -0,0 +1,11 @@
+# Sample log files for asterisk
+[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Wrong password
+[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - No matching peer found
+[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Username/auth name mismatch
+[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Device does not match ACL
+[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Peer is not supposed to register
+[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - ACL error (permit/deny)
+[2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban'
+[2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
+[2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
+[2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" ;tag=1r698745234