pagaille
(Matthieu Gaillet)
September 18, 2019, 10:34am
1
Hi,
That rule in /etc/fail2ban/filter.d/asterisk.conf is supposed to catch anonymous calls that try to call you from nowhere:
^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
But it doesn’t work. I’ve tons of such messages in my logs that don’t trigger the filter:
"Rejecting unknown SIP connection from 158.69.55.234:52420"
I guess that it’s the port mentioned after the IP that keeps the regex from matching the string. Fixing it will probably be a piece of cake for @stephdl?
Txs
pagaille
(Matthieu Gaillet)
September 18, 2019, 1:35pm
2
The answer is probably the following. At least preliminary tests show that it works:
^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>:.*"$
Note the :.* string at the end.
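A small harness, added here and not part of the thread or of nethserver-fail2ban, that expands the filter's %(...)s interpolations and the <HOST> tag the way fail2ban does, then runs the original rule and the fix from post 2 over constructed log lines in the format quoted in this thread; it also tries a port-optional variant that is not from the thread and accepts both message formats. Assumptions: fail2ban 0.9's <HOST> expansion, the timestamp being removed before matching (so __prefix_line reduces to optional whitespace), and a constructed second sample line without a port.

```python
import re

# <HOST> as fail2ban 0.9 expands it (assumption: that major version; newer
# releases use a wider <ADDR> alternation, but neither class contains ':').
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# log_prefix / __pid_re copied from the asterisk filter quoted in this thread.
# __prefix_line is simplified to optional whitespace because fail2ban removes
# the timestamp before matching and these lines carry no syslog prefix.
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)" + PID_RE
              + r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")
PREFIX_LINE = r"\s*"
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")

# The original rule, the fix proposed in post 2, and a variant (added here)
# that accepts both the port-less and the port-suffixed message formats.
OLD_RULE = r'^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$'
NEW_RULE = r'^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>:.*"$'
PORT_OPTIONAL_RULE = (r'^%(__prefix_line)s%(log_prefix)s '
                      r'"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$')

# Constructed sample lines modelled on the messages quoted in the thread:
# the first carries the port suffix (newer Asterisk), the second does not.
SAMPLE_LINES = [
    '[2019-09-19 09:40:53] WARNING[31782][C-000003bc] Ext. s: '
    '"Rejecting unknown SIP connection from 198.23.151.90:5085"',
    '[2019-09-19 09:41:07] NOTICE[31782] chan_sip.c:29192 handle_request_invite: '
    '"Rejecting unknown SIP connection from 158.69.55.234"',
]


def compile_failregex(rule):
    """Expand the %(...)s interpolations and the <HOST> tag into a plain regex."""
    pattern = rule % {"__prefix_line": PREFIX_LINE, "log_prefix": LOG_PREFIX}
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def match_host(rule, line):
    """Return the IP <HOST> captures on `line`, or None when the rule misses."""
    stripped = DATE_RE.sub("", line, count=1)  # mimic fail2ban's date removal
    m = compile_failregex(rule).match(stripped)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("post 2", NEW_RULE),
                       ("port optional", PORT_OPTIONAL_RULE)):
        print(f"{name:14s} {[match_host(rule, line) for line in SAMPLE_LINES]}")
```

The old rule misses the port-suffixed line and the post 2 rule misses the port-less one; only the port-optional variant bans on both formats, which matters if an older Asterisk still writes the short message.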
stephdl
(Stéphane de Labrusse)
September 18, 2019, 5:02pm
3
We have made a custom filter file for that case; we have to add it.
stephdl
(Stéphane de Labrusse)
September 18, 2019, 5:25pm
4
@Stll0 what do you think … Could you please check an asterisk server (with fail2ban) and see which IPs have filled your log with login attempts?
We could add more filter lines
stephdl
(Stéphane de Labrusse)
September 18, 2019, 6:06pm
5
1 Like
pagaille
(Matthieu Gaillet)
September 19, 2019, 6:46am
6
Actually that’s an existing filter which doesn’t work. I believe that the logs have evolved and that asterisk added the port later, breaking that fail2ban rule.
1 Like
stephdl
(Stéphane de Labrusse)
September 19, 2019, 3:06pm
7
Would it be possible for you to double check inside the log and look for attempts that we are missing?
pagaille
(Matthieu Gaillet)
September 19, 2019, 5:12pm
8
Sure. From what I can see there is no other missed string. The existing regexes are quite exhaustive.
1 Like
stephdl
(Stéphane de Labrusse)
September 25, 2019, 1:18pm
9
@pagaille could you please validate the new regex, so we could release it to everybody
opened 12:53PM - 25 Sep 19 UTC
closed 07:00AM - 01 Oct 19 UTC
bug
verified
**Steps to reproduce**
run an asterisk server
some attempts to unknown sip log… in are not banned
`Rejecting unknown SIP connection from 158.69.55.234:52420`
**Expected behavior**
I expect that the attempts are banned
**Actual behavior**
the attempts are not banned because the fail2ban regex doesn't expect a port number to end the line in the logs
**Components**
nethserver-fail2ban-1.1.7-1.ns7.noarch
**See also**
https://community.nethserver.org/t/fail2ban-again-not-catching-some-asterisk-log-strings/13411/1
----
Thanks @matthieu
pagaille
(Matthieu Gaillet)
September 25, 2019, 2:00pm
10
Not working. The conf file doesn’t get updated ??
Downloading packages:
nethserver-fail2ban-1.1.10-1.ns7.noarch.rpm | 912 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : nethserver-fail2ban-1.1.10-1.ns7.noarch 1/1
Verifying : nethserver-fail2ban-1.1.10-1.ns7.noarch 1/1
Installed:
nethserver-fail2ban.noarch 0:1.1.10-1.ns7
Complete!
[root@mattlabs ~]# cat /etc/fail2ban/filter.d/asterisk_nethserver.conf
# Fail2Ban filter for asterisk authentication failures
# stephane de Labrusse <stephdl@de-labrusse.fr>
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
failregex = ^%(__prefix_line)s%(log_prefix)s <HOST> failed to authenticate as '.*'$
            ^%(__prefix_line)s%(log_prefix)s <HOST> tried to authenticate with nonexistent user '.*'$
            ^%(__prefix_line)s%(log_prefix)s <HOST> failed to pass IP ACL as '.*'$
ignoreregex =
[root@mattlabs ~]#
stephdl
(Stéphane de Labrusse)
September 25, 2019, 8:03pm
11
Please install the testing package directly from GH; you can pick up the link from X86_64:
yum install http://packages.nethserver.org/nethserver/7.7.1908/testing/x86_64/Packages/nethserver-fail2ban-1.1.10-1.6.g7771945.ns7.noarch.rpm
pagaille
(Matthieu Gaillet)
September 26, 2019, 7:36am
12
Yep, working!
[2019-09-19 09:40:53] WARNING[31782][C-000003bc] Ext. s: "Rejecting unknown SIP connection from 198.23.151.90:5085"
Txs mate
2 Likes