VoIP Mailing List Archives
Mailing list archives for the VoIP community
rainer.piper at soho-p... Guest
|
Posted: Mon Sep 15, 2014 2:08 am Post subject: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13 |
|
|
Hi,
Info !!! not a question !!!
the pjsip logger is different:
[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from '"1001" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071' (callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
and here the RegEx for fail2ban to catch this log:
NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found
Regards
--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
patrick at laimbock.com Guest
|
Posted: Mon Sep 15, 2014 6:22 am Post subject: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13 |
|
|
Hi Rainer,
On 15-09-14 09:07, Rainer Piper wrote:
Quote: | Hi,
Info !!! not a question !!!
the pjsip logger is different:
[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
from '"1001" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071'
(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
and here the RegEx for fail2ban to catch this log:
|NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
No matching endpoint found
|
Thanks for sharing. If you use github it would be nice if you could
submit a pull request so that it becomes part of the Asterisk rules in
the next Fail2ban version (0.9.1).
https://github.com/fail2ban/fail2ban/pulls
HTH,
Patrick
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
mjordan at digium.com Guest
|
Posted: Mon Sep 15, 2014 8:27 am Post subject: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13 |
|
|
On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock <patrick@laimbock.com> wrote:
Quote: | Hi Rainer,
On 15-09-14 09:07, Rainer Piper wrote:
Quote: | Hi,
Info !!! not a question !!!
the pjsip logger is different:
[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
from '"1001" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071'
(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
and here the RegEx for fail2ban to catch this log:
|NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
No matching endpoint found
|
Thanks for sharing. If you use github it would be nice if you could submit a pull request so that it becomes part of the Asterisk rules in the next Fail2ban version (0.9.1).
https://github.com/fail2ban/fail2ban/pulls
HTH,
Patrick
|
Why would you not use the SECURITY log format, which has the exact same format between chan_sip and chan_pjsip, and has a consistent format from Asterisk 10+?
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
rainer.piper at soho-p... Guest
|
Posted: Mon Sep 15, 2014 9:01 am Post subject: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13 |
|
|
On 15.09.2014 at 15:26, Matthew Jordan wrote:
Quote: |
On Mon, Sep 15, 2014 at 6:21 AM, Patrick Laimbock <patrick@laimbock.com> wrote:
Quote: | Hi Rainer,
On 15-09-14 09:07, Rainer Piper wrote:
Quote: | Hi,
Info !!! not a question !!!
the pjsip logger is different:
[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
from '"1001" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071'
(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
and here the RegEx for fail2ban to catch this log:
|NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
No matching endpoint found
|
Thanks for sharing. If you use github it would be nice if you could submit a pull request so that it becomes part of the Asterisk rules in the next Fail2ban version (0.9.1).
https://github.com/fail2ban/fail2ban/pulls
HTH,
Patrick
|
Why would you not use the SECURITY log format, which has the exact same format between chan_sip and chan_pjsip, and has a consistent format from Asterisk 10+?
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
|
Thanks for security_log => security
Ok ... I switched the
security_log => security
in logger.conf on and I'm going to write a RegEx for Fail2ban.
log sample - security log of wrong password:
[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2014-09-15T15:51:26.126+0200",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="7002",SessionID="80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10",LocalAddress="IPV4/UDP/178.5.154.91/5072",RemoteAddress="IPV4/UDP/192.168.8.10/6012",Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""
--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
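The two log formats discussed in this thread, checked in Python (an added example, not code from the posters or from fail2ban): Rainer's failregex is applied to his NOTICE line with a simplified IPv4 group standing in for fail2ban's `<HOST>` tag, and the SECURITY line is parsed as key="value" pairs so that the address is taken from RemoteAddress and never from LocalAddress. The function name `offender`, the `FAILURE_EVENTS` set and the SuccessfulAuth sample line are assumptions of the example.

```python
import re

# Rainer's failregex from the thread, unchanged. fail2ban expands <HOST> itself;
# a simplified IPv4-only named group stands in for it here (assumption).
FAILREGEX = (r"NOTICE.* .*: Request from '.*' failed for "
             r"'<HOST>(:[0-9]{1,5})?' (.*) - No matching endpoint found")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
NOTICE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST))

# key="value" pairs as written by res_security_log.c
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Which events count as failures is a policy choice made for this example.
FAILURE_EVENTS = {"ChallengeResponseFailed", "InvalidAccountID", "InvalidPassword"}

def offender(line):
    """Return the remote IP a ban counter should charge, or None."""
    if "SECURITY[" in line:
        event = dict(FIELD_RE.findall(line))
        if event.get("SecurityEvent") not in FAILURE_EVENTS:
            return None
        # RemoteAddress="IPV4/UDP/192.168.8.10/6012": family/transport/ip/port
        parts = event.get("RemoteAddress", "").split("/")
        return parts[2] if len(parts) == 4 else None
    match = NOTICE_RE.search(line)
    return match.group("host") if match else None

# The two log lines posted in the thread.
NOTICE_LINE = (
    "[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request from "
    "'\"1001\" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071' "
    "(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found")
SECURITY_LINE = (
    '[Sep 15 15:51:26] SECURITY[17378] res_security_log.c: '
    'SecurityEvent="ChallengeResponseFailed",EventTV="2014-09-15T15:51:26.126+0200",'
    'Severity="Error",Service="PJSIP",EventVersion="1",AccountID="7002",'
    'SessionID="80DFFBE5-4C3B-E411-8429-AD5D2362CB3E@192.168.8.10",'
    'LocalAddress="IPV4/UDP/178.5.154.91/5072",'
    'RemoteAddress="IPV4/UDP/192.168.8.10/6012",'
    'Challenge="1410789078/000dd605e4bd1b6dd7488afafafafafaf",'
    'Response="8fc17a017a3ac5eea21ca86c6c0f5ee8",ExpectedResponse=""')
# Constructed line: a successful login must not be charged to anyone.
SUCCESS_LINE = ('[Sep 15 15:52:01] SECURITY[17378] res_security_log.c: '
                'SecurityEvent="SuccessfulAuth",Service="PJSIP",AccountID="7002",'
                'RemoteAddress="IPV4/UDP/192.168.8.10/6012"')

if __name__ == "__main__":
    for sample in (NOTICE_LINE, SECURITY_LINE, SUCCESS_LINE):
        print(offender(sample))
```
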
rainer.piper at soho-p... Guest
|
Posted: Mon Sep 15, 2014 10:23 am Post subject: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13 |
|
|
Hi Patrick,
github done
what is HTH ???
On 15.09.2014 at 13:21, Patrick Laimbock wrote:
Quote: | Hi Rainer,
On 15-09-14 09:07, Rainer Piper wrote:
Quote: | Hi,
Info !!! not a question !!!
the pjsip logger is different:
[Sep 15 07:33:27] NOTICE[65267] res_pjsip/pjsip_distributor.c: Request
from '"1001" <sip:1001@81.20.137.222>' failed for '85.25.197.23:5071'
(callid: 1bfa1fcfee1e20dbe9bbbcac5d7bdffc) - No matching endpoint found
and here the RegEx for fail2ban to catch this log:
|NOTICE.* .*: Request from '.*' failed for '<HOST>(:[0-9]{1,5})?' (.*) -
No matching endpoint found
|
Thanks for sharing. If you use github it would be nice if you could submit a pull request so that it becomes part of the Asterisk rules in the next Fail2ban version (0.9.1).
https://github.com/fail2ban/fail2ban/pulls
HTH,
Patrick
|
--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
asterisk_list at earth... Guest
|
Posted: Mon Sep 15, 2014 10:31 am Post subject: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13 |
|
|
(this is not where your reply belongs)
On Monday 15 Sep 2014, Rainer Piper wrote:
Quote: | Hi Patrick,
github done
what is HTH ???
|
HTH == Hope That Helps.
--
AJS
Note: Originating address only accepts e-mail from list! If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
rainer.piper at soho-p... Guest
|
Posted: Mon Sep 15, 2014 10:33 am Post subject: [asterisk-users] fail2ban and pjsip in asterisk 12 and 13 |
|
|
oh ... thanks :-[
On 15.09.2014 at 17:30, A J Stiles wrote:
Quote: | Quote: | (this is not where your reply belongs)
On Monday 15 Sep 2014, Rainer Piper wrote:
Quote: | Hi Patrick,
github done
what is HTH ???
|
HTH == Hope That Helps.
| |
--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de