From 5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d Mon Sep 17 00:00:00 2001
From: silviogarbes
Date: Tue, 14 May 2013 08:04:11 -0300
Subject: [PATCH 1/8] Update asterisk.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Para ficar compatível com asterisk 11
---
 config/filter.d/asterisk.conf | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index 9ed69804..8ae67ff8 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -20,19 +20,23 @@ before = common.conf
 # (?:::f{4,6}:)?(?P\S+)
 # Values: TEXT
 #
-failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Wrong password$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - No matching peer found$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Username/auth name mismatch$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Device does not match ACL$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Peer is not supposed to register$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - ACL error (permit/deny)$
+failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Wrong password$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - No matching peer found$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Username/auth name mismatch$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Device does not match ACL$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Peer is not supposed to register$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - ACL error (permit/deny)$
+ NOTICE%(__pid_re)s.* .*: Call from '.*' \(:.*\) to extension '.*' rejected because extension not found in context 'default'.$
 NOTICE%(__pid_re)s failed to authenticate as '.*'$
 NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from \)$
 NOTICE%(__pid_re)s .*: Host failed MD5 authentication for '.*' (.*)$
 NOTICE%(__pid_re)s .*: Failed to authenticate user .*@.*$
+ SECURITY%(__pid_re)s .*: SecurityEvent="InvalidAccountID",EventTV=".*",Severity=".*",Service=".*",EventVersion=".*",AccountID=".*",SessionID=".*",LocalAddress=".*",RemoteAddress=".*/.*//.*"$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 ignoreregex =
+
+

From 52fa5f19b0d82bd0614db49460496bf7aa949371 Mon Sep 17 00:00:00 2001
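Review bot: The `SECURITY%(__pid_re)s` expression added at the end of failregex only matches `SecurityEvent="InvalidAccountID"`, so the other security-log events Asterisk raises for a failed SIP authentication — `InvalidPassword` and `ChallengeResponseFailed` at least — go uncounted although they are the same class of failure; widening it to `SecurityEvent="(?:InvalidAccountID|InvalidPassword|ChallengeResponseFailed)"` is worth considering, after confirming with a sample line that those records end the same way, because the `$` anchor after `RemoteAddress` will not tolerate any trailing fields they add. The `.` before `$` in `in context 'default'.$` is unescaped and matches any character; `'default'\.$` is what was meant, and the same line survives unchanged through the rewrites in patch 4 and patch 8. The two empty `+` lines appended after `ignoreregex =` add nothing and could be dropped.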
From: silviogarbes
Date: Tue, 14 May 2013 12:58:43 -0300
Subject: [PATCH 2/8] Update asterisk
---
 testcases/files/logs/asterisk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk
index 4715f608..21cc8826 100644
--- a/testcases/files/logs/asterisk
+++ b/testcases/files/logs/asterisk
@@ -9,3 +9,6 @@
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
 [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" ;tag=1r698745234
+[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (176.58.76.57:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
+[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@200.251.240.30' failed for '193.238.16.99:23930' - No matching peer found
+[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/200.251.240.30/5060",RemoteAddress="IPV4/UDP/82.205.8.77/5070"

From 0f7b6093365e2f5dc8f2cf5e18660ea218358087 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 09:43:39 +1000
Subject: [PATCH 3/8] ENH: port optional
---
 config/filter.d/asterisk.conf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index 8ae67ff8..8ff1dbbf 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -20,12 +20,12 @@ before = common.conf
 # (?:::f{4,6}:)?(?P\S+)
 # Values: TEXT
 #
-failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Wrong password$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - No matching peer found$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Username/auth name mismatch$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Device does not match ACL$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Peer is not supposed to register$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - ACL error (permit/deny)$
+failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Wrong password$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - No matching peer found$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Username/auth name mismatch$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Device does not match ACL$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Peer is not supposed to register$
+ NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - ACL error (permit/deny)$
 NOTICE%(__pid_re)s.* .*: Call from '.*' \(:.*\) to extension '.*' rejected because extension not found in context 'default'.$
 NOTICE%(__pid_re)s failed to authenticate as '.*'$
 NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from \)$

From 4cf402d60e42003d7bb1c10e22eb99ebb57d0f71 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 10:15:58 +1000
Subject: [PATCH 4/8] ENH/BF: constrain regex. Fix ACL error regex
---
 config/filter.d/asterisk.conf | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index 8ff1dbbf..f177f53c 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
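Review bot: `failed for '(:[0-9]+)?'` makes the port optional only on paper: the host token directly before it is documented in this file's own header as `(?:::f{4,6}:)?(?P\S+)`, a greedy `\S+`, and on the sample `failed for '1.2.3.4:23930'` that `\S+` keeps `1.2.3.4:23930`, the optional group matches empty and the closing `'` still matches, so the captured host carries the port and is not a bannable address. If common.conf still expands the host token that way (the header may be stale, so verify with `fail2ban-regex` against testcases/files/logs/asterisk which host it reports), the host needs a class that cannot cross the colon, e.g. `[^':]+` named as the host group, or the port handling belongs in the shared host definition, since IPv6 literals contain colons themselves. The same construct is carried forward by the rewrites in patch 4 and patch 8, and `[^@]+@\S*$` in patch 8 has the same shape, because a greedy host leaves the trailing `\S*` nothing to match.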
@@ -20,18 +20,18 @@ before = common.conf
 # (?:::f{4,6}:)?(?P\S+)
 # Values: TEXT
 #
-failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Wrong password$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - No matching peer found$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Username/auth name mismatch$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Device does not match ACL$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Peer is not supposed to register$
- NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - ACL error (permit/deny)$
- NOTICE%(__pid_re)s.* .*: Call from '.*' \(:.*\) to extension '.*' rejected because extension not found in context 'default'.$
- NOTICE%(__pid_re)s failed to authenticate as '.*'$
- NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from \)$
- NOTICE%(__pid_re)s .*: Host failed MD5 authentication for '.*' (.*)$
- NOTICE%(__pid_re)s .*: Failed to authenticate user .*@.*$
- SECURITY%(__pid_re)s .*: SecurityEvent="InvalidAccountID",EventTV=".*",Severity=".*",Service=".*",EventVersion=".*",AccountID=".*",SessionID=".*",LocalAddress=".*",RemoteAddress=".*/.*//.*"$
+failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Wrong password$
+ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - No matching peer found$
+ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Username/auth name mismatch$
+ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Device does not match ACL$
+ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Peer is not supposed to register$
+ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - ACL error \(permit/deny\)$
+ NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:.*\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
+ NOTICE%(__pid_re)s [^:]+: Host failed to authenticate as '[^']*'$
+ NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from \)$
+ NOTICE%(__pid_re)s [^:]+: Host failed MD5 authentication for '[^']*' \([^)]+\)$
+ NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@.*$
+ SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P//[0-9]+"$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.

From 916b5a7c234abe70599ddb889055ccc7c97c3c16 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 10:24:48 +1000
Subject: [PATCH 5/8] TST: normalize logs to use example.com and 1.2.3.4 as IP
---
 testcases/files/logs/asterisk | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk
index 21cc8826..667eee02 100644
--- a/testcases/files/logs/asterisk
+++ b/testcases/files/logs/asterisk
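Review bot: Tightening `Registration from '.*'` to `Registration from '[^']*'` (and likewise `Call from '[^']*'`, `authenticate as '[^']*'`, `peer '[^']*'` in this hunk) puts a negated-quote class on fields whose content is chosen by the remote SIP client: a From value containing a single quote (a constructed display name like `O'Brien` is enough) makes the whole expression fail to match, so that failure is not counted at all, whereas the greedy `.*` backtracks to the literal ` failed for ` that follows and still matches. For fields the peer controls, the old form or a class that admits quotes is the safer choice, and the restrictiveness goal from DEVELOP is better spent on the server-formatted fields, as this hunk already does for `SessionID` and `EventVersion`. A sample line with a quote inside the From value in testcases/files/logs/asterisk would pin whichever behaviour is intended.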
@@ -1,14 +1,14 @@
 # Sample log files for asterisk
-[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Wrong password
-[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - No matching peer found
-[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Username/auth name mismatch
-[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Device does not match ACL
-[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Peer is not supposed to register
-[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - ACL error (permit/deny)
+[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Wrong password
+[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - No matching peer found
+[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Username/auth name mismatch
+[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Device does not match ACL
+[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Peer is not supposed to register
+[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - ACL error (permit/deny)
 [2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban'
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
 [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" ;tag=1r698745234
-[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (176.58.76.57:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
-[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@200.251.240.30' failed for '193.238.16.99:23930' - No matching peer found
-[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/200.251.240.30/5060",RemoteAddress="IPV4/UDP/82.205.8.77/5070"
+[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
+[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@1.2.3.4' failed for '1.2.3.4:23930' - No matching peer found
+[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070"

From e54498f6fe15e0016cbc6c195817e6cc817e7147 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 10:25:03 +1000
Subject: [PATCH 6/8] DOC: how to do filter enhancements
---
 DEVELOP | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/DEVELOP b/DEVELOP
index f067a865..00b7d6d5 100644
--- a/DEVELOP
+++ b/DEVELOP
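Review bot: Rewriting both `LocalAddress="IPV4/UDP/1.2.3.4/5060"` and `RemoteAddress="IPV4/UDP/1.2.3.4/5070"` to the same address in the SECURITY sample, and likewise `sip:100@1.2.3.4` and `failed for '1.2.3.4:23930'` in the registration sample, removes the only evidence the sample log gave that the filter extracts the remote party rather than the local side: a regex that captured LocalAddress, which would have the jail ban the PBX's own address, now passes the sample-log check unnoticed. Keep the two sides distinct, 1.2.3.4 for the remote party and a different documentation address for the local side (constructed example: `1.2.3.5`), so that a wrong capture fails the check. The `Call from` line is unaffected since it carries a single address.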
@@ -34,9 +34,19 @@ When submitting pull requests on GitHub we ask you to:
 * Include a change to the relevant section of the ChangeLog; and
 * Include yourself in THANKS if not already there.
-Testing
+Filters
 =======
+* Include sample logs with 1.2.3.4 used for IP addresses and
+ example.com/example.org used for DNS names
+* Ensure ./fail2ban-regex testcases/files/logs/{samplelog} config/filter.d/{filter}.conf
+ has matches for EVERY regex
+* Ensure regexs end with a $ and are restrictive as possible. E.g. not .* if
+ [0-9]+ is sufficient
+
+Code Testing
+============
+
 Existing tests can be run by executing `fail2ban-testcases`. This has options like --log-level that will probably be useful. `fail2ban-testcases --help` for full options.

From 28fc14d01080a2cd86baf6d9479fc5e4e7ce7585 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 10:27:30 +1000
Subject: [PATCH 7/8] DOC: credits
---
 ChangeLog | 2 ++
 THANKS | 1 +
 2 files changed, 3 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 69b87b06..5366135c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,8 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
 * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
 Daniel Black
 * files/suse-initd -- update to the copy from stock SUSE
+ silviogarbes
+ * Updates to asterisk filter closes gh-227/gh-230.
 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------
diff --git a/THANKS b/THANKS
index 9545d43a..0b74ba81 100644
--- a/THANKS
+++ b/THANKS
@@ -39,6 +39,7 @@ René Berber
 Robert Edeker
 Russell Odom
 Sireyessire
+silviogarbes
 Stephen Gildea
 Steven Hiscocks
 Tom Pike

From 05c88bd85d73ab15997dcd119bfc30c5f4a26065 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 11:34:04 +1000
Subject: [PATCH 8/8] ENH: purge a few more .*
---
 config/filter.d/asterisk.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index f177f53c..589a188c 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -26,11 +26,11 @@ failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Device does not match ACL$
 NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Peer is not supposed to register$
 NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - ACL error \(permit/deny\)$
- NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:.*\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
+ NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
 NOTICE%(__pid_re)s [^:]+: Host failed to authenticate as '[^']*'$
 NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from \)$
 NOTICE%(__pid_re)s [^:]+: Host failed MD5 authentication for '[^']*' \([^)]+\)$
- NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@.*$
+ NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@\S*$
 SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P//[0-9]+"$
 # Option: ignoreregex