Fail2ban (again!) not catching some asterisk log strings


That rule in /etc/fail2ban/filter.d/asterisk.conf is supposed to catch anonymous calls that try to call you from nowhere:

^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$

But it doesn't work. I have tons of such messages in my logs that don't trigger the filter:

"Rejecting unknown SIP connection from"

I guess that it's the port mentioned after the IP that keeps the regex from matching the string. Fixing it will probably be a piece of cake for @stephdl? :slight_smile:


The answer is probably the following. At least preliminary tests show that it works:

^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>:.*"$

Note the :.* string at the end.
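To see why the original rule misses the port-bearing lines, here is an added Python check (not fail2ban's own code and not from this thread) that expands the filter's %(...)s variables and the <HOST> tag roughly the way fail2ban does, then runs the old rule, the corrected rule, and a further variant with an optional port over constructed log lines. The prefix regex is a simplified stand-in for common.conf's __prefix_line, and the HOST_RE is an approximation of fail2ban's <HOST> expansion.

```python
import re

# Stand-in for fail2ban's %(__prefix_line)s: just the bracketed timestamp
# Asterisk writes at the start of each line (an assumption; the real
# common.conf prefix also handles syslog hostnames, PIDs, etc.).
PREFIX_LINE = r"\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] "

# log_prefix as quoted from the filter file in this thread, with __pid_re expanded.
LOG_PREFIX = (r"(?:NOTICE|SECURITY|WARNING)(?:\[\d+\])"
              r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")

# Approximation of what fail2ban substitutes for the <HOST> tag.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

OLD_RULE = r'^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$'
NEW_RULE = r'^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>:.*"$'
# Variant with an optional port, so lines with and without ":port" are both caught.
PORT_OPTIONAL_RULE = r'^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>(?::\d+)?"$'

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '[2019-09-19 09:40:53] WARNING[31782][C-000003bc] Ext. s: '
    '"Rejecting unknown SIP connection from 192.0.2.10:5060"',
    '[2019-09-19 09:41:02] WARNING[31782][C-000003bd] Ext. s: '
    '"Rejecting unknown SIP connection from 198.51.100.7"',
    "[2019-09-19 09:41:30] NOTICE[31782] chan_sip.c:12345 handle_request_register: "
    "Registration from '\"100\" <sip:100@203.0.113.5>' failed for '203.0.113.5:5060' - Wrong password",
]


def compile_failregex(rule):
    """Expand the %(...)s variables and the <HOST> tag the way fail2ban does."""
    expanded = rule % {"__prefix_line": PREFIX_LINE, "log_prefix": LOG_PREFIX}
    return re.compile(expanded.replace("<HOST>", HOST_RE))


def matched_hosts(rule, lines):
    """Return the <host> capture for every line the rule matches, in log order."""
    regex = compile_failregex(rule)
    hosts = []
    for line in lines:
        m = regex.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE), ("optional port", PORT_OPTIONAL_RULE)):
        print(f"{name:>13}: {matched_hosts(rule, SAMPLE_LOG)}")
```

The old rule only bans the line without a port, the corrected rule only the line with one; if both log formats can appear, the optional-port variant covers both without opening the regex to anything else.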

We have made a custom filter file; for that case we have to add it.

@Stll0 what do you think … Could you please check an asterisk server (with fail2ban) and check which IP has filled your log with login attempts?

We could add more filter lines.

PR done:
Waiting for more filters, if any exist.

Actually that's an existing filter which doesn't work. I believe that the logs have evolved and that Asterisk added the port later, breaking that fail2ban rule.

Would it be possible for you to double-check the log and look for attempts that we are missing?

Sure. From what I can see there is no other missed string. The existing regexes are quite exhaustive.

@pagaille could you please validate the new regex, so we could release it to everybody?


Not working. The conf file doesn't get updated??

[root@mattlabs ~]# cat /etc/fail2ban/filter.d/asterisk_nethserver.conf 
# Fail2Ban filter for asterisk authentication failures
# stephane de Labrusse <>


# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

failregex =  ^%(__prefix_line)s%(log_prefix)s <HOST> failed to authenticate as '.*'$
         ^%(__prefix_line)s%(log_prefix)s <HOST> tried to authenticate with nonexistent user '.*'$
         ^%(__prefix_line)s%(log_prefix)s <HOST> failed to pass IP ACL as '.*'$

ignoreregex =
[root@mattlabs ~]#

Please install the testing package directly from GH; you can pick up the link from X86_64.

yum install

Yep, working! :clap::clap:

[2019-09-19 09:40:53] WARNING[31782][C-000003bc] Ext. s: "Rejecting unknown SIP connection from"

Txs mate :slight_smile: