Fail2ban (again!) not catching some Asterisk log strings

Hi,

This rule in /etc/fail2ban/filter.d/asterisk.conf is supposed to catch anonymous calls that try to call you from nowhere:

^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$

But it doesn't work. I have tons of such messages in my logs that don't trigger the filter:

"Rejecting unknown SIP connection from 158.69.55.234:52420"

I guess it's the port mentioned after the IP that keeps the regex from matching the string. Fixing it will probably be a piece of cake for @stephdl? :slight_smile:

Txs

The answer is probably the following. At least preliminary tests show that it works:

^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>:.*"$

Note the :.* string at the end.
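As an added illustration (not code from the thread or from the nethserver-fail2ban project), the Python script below reproduces what fail2ban does with the filter variables above and runs three candidate failregex lines against two constructed log lines: the original pattern, the ":.*" fix, and a stricter variant that accepts lines with or without a port. It assumes fail2ban has already stripped the "[YYYY-MM-DD HH:MM:SS]" timestamp through its date detection, so __prefix_line is reduced to optional whitespace.

```python
import re

# fail2ban expands <HOST> to this capture group (IPv4, IPv6 or hostname).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Variables from the asterisk filter, with fail2ban's %(name)s interpolation done by hand.
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)" + PID_RE
              + r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")
# Assumption: fail2ban has already stripped the "[YYYY-MM-DD HH:MM:SS] " timestamp
# from the line, so __prefix_line reduces to optional leading whitespace here.
PREFIX_LINE = r"\s*"

# Three candidate failregex lines: the original, the ":.*" fix from the thread,
# and a stricter variant that accepts lines both with and without a port.
FAILREGEX_OLD = r'^%(p)s%(lp)s "Rejecting unknown SIP connection from <HOST>"$'
FAILREGEX_NEW = r'^%(p)s%(lp)s "Rejecting unknown SIP connection from <HOST>:.*"$'
FAILREGEX_BOTH = r'^%(p)s%(lp)s "Rejecting unknown SIP connection from <HOST>(?::\d+)?"$'

# Constructed sample lines modelled on the thread's log excerpts (timestamps removed).
LOG_WITH_PORT = ('WARNING[31782][C-000003bc] Ext. s: '
                 '"Rejecting unknown SIP connection from 198.23.151.90:5085"')
LOG_NO_PORT = ('NOTICE[1234] chan_sip.c:28000 handle_request_register: '
               '"Rejecting unknown SIP connection from 10.0.0.5"')


def compile_failregex(template):
    """Interpolate the filter variables and substitute <HOST> the way fail2ban does."""
    pattern = template % {"p": PREFIX_LINE, "lp": LOG_PREFIX}
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matched_host(template, line):
    """Return the host fail2ban would ban for this line, or None if the regex misses."""
    m = compile_failregex(template).search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, tpl in (("old", FAILREGEX_OLD), ("new", FAILREGEX_NEW), ("both", FAILREGEX_BOTH)):
        for line in (LOG_WITH_PORT, LOG_NO_PORT):
            print(f"{name:4} -> {matched_host(tpl, line)}")
```

Note that the ":.*" version stops matching lines that carry no port, so a log mixing both formats would need the third variant.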

We have made a custom filter file; for that case we have to add it.

@Stll0 what do you think? Could you please check an Asterisk server (with fail2ban) and check which IP has filled your log with login attempts?

We could add more filter lines

PR done: https://github.com/NethServer/nethserver-fail2ban/pull/68
Waiting for more filters, if any exist.

1 Like

Actually that's an existing filter which doesn't work. I believe that the logs have evolved and that Asterisk added the port later, breaking that fail2ban rule.

1 Like

Would it be possible for you to double-check inside the log and look for attempts that we are missing?

Sure. From what I can see there is no other missed string. The existing regexes are quite exhaustive.

1 Like

@pagaille could you please validate the new regex, so we can release it to everybody?

:expressionless:

Not working. The conf file doesn't get updated??

Downloading packages:
nethserver-fail2ban-1.1.10-1.ns7.noarch.rpm                                   | 912 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : nethserver-fail2ban-1.1.10-1.ns7.noarch                         1/1
  Verifying  : nethserver-fail2ban-1.1.10-1.ns7.noarch                         1/1

Installed:
  nethserver-fail2ban.noarch 0:1.1.10-1.ns7

Complete!
[root@mattlabs ~]# cat /etc/fail2ban/filter.d/asterisk_nethserver.conf 
# Fail2Ban filter for asterisk authentication failures
# stephane de Labrusse <stephdl@de-labrusse.fr>

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

failregex =  ^%(__prefix_line)s%(log_prefix)s <HOST> failed to authenticate as '.*'$
         ^%(__prefix_line)s%(log_prefix)s <HOST> tried to authenticate with nonexistent user '.*'$
         ^%(__prefix_line)s%(log_prefix)s <HOST> failed to pass IP ACL as '.*'$

ignoreregex =
[root@mattlabs ~]#

Please install the testing package directly from GH; you can pick up the link from X86_64.

yum install http://packages.nethserver.org/nethserver/7.7.1908/testing/x86_64/Packages/nethserver-fail2ban-1.1.10-1.6.g7771945.ns7.noarch.rpm

Yep, working! :clap::clap:

[2019-09-19 09:40:53] WARNING[31782][C-000003bc] Ext. s: "Rejecting unknown SIP connection from 198.23.151.90:5085"

Txs mate :slight_smile:

2 Likes