VoIP Mailing List Archives

[xserverlinux at gmail.com]

Hi list , someone on the list has seen this type of connection
attempts in asterisk, fail2ban does not stop

2015-01-08 14:59:47] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",SessionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"


I modified the fail2ban with the filter, but still not detected


asterisk.conf

log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s(?:\[\S+\d*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Wrong password$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - No matching peer found$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Username/auth name mismatch$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Device does not match ACL$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Peer is not supposed to register$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - ACL error \(permit/deny\)$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Not a local domain$
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to
extension '\d+' rejected because extension not found in context
'default'
\.$
^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(log_prefix)s Host <HOST> failed MD5 authentication for
'[^']*' \([^)]+\)$
^%(log_prefix)s Failed to authenticate (user|device)
[^@]+@<HOST>\S*$
^%(log_prefix)s (?:handle_request_subscribe: )?Sending
fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*
$
^%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severit
y="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",Rem
oteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

ignoreregex =




--
rickygm

http://gnuforever.homelinux.com

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk at voipbusine...]

Hello;
Did you remember to uncomment the dateformat in
/etc/asterisk/logger.conf? That's necessary for fail2ban to work.

Logger.conf
[general]
dateformat=%F %T


Regards;
John

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of ricky
gutierrez
Sent: Thursday, January 08, 2015 4:38 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

Hi list , someone on the list has seen this type of connection attempts in
asterisk, fail2ban does not stop

2015-01-08 14:59:47] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420750787-386840",Severity="Informat
ional",Service="SIP",EventVersion="1",AccountID="sip:100@173.230.133.20",Ses
sionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress
="IPV4/UDP/63.141.229.58/5078",Challenge="770e84a3"
[2015-01-08 15:20:20] SECURITY[21515] res_security_log.c:
SecurityEvent="ChallengeSent",EventTV="1420752020-854997",Severity="Informat
ional",Service="SIP",EventVersion="1",AccountID="sip:102@173.230.133.20",Ses
sionID="0x169f528",LocalAddress="IPV4/UDP/173.230.133.20/5060",RemoteAddress
="IPV4/UDP/198.204.241.58/5074",Challenge="23965594"


I modified the fail2ban with the filter, but still not detected


asterisk.conf

log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s(?:\[\S+\d*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Wrong password$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - No matching peer found$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Username/auth name mismatch$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Device does not match ACL$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Peer is not supposed to register$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - ACL error \(permit/deny\)$
^%(log_prefix)s Registration from '[^']*' failed for
'<HOST>(:\d+)?' - Not a local domain$
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension
'\d+' rejected because extension not found in context 'default'
\.$
^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(log_prefix)s No registration for peer '[^']*' \(from
<HOST>\)$
^%(log_prefix)s Host <HOST> failed MD5 authentication for
'[^']*' \([^)]+\)$
^%(log_prefix)s Failed to authenticate (user|device)
[^@]+@<HOST>\S*$
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth
rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S* $
^%(log_prefix)s
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPa
ssword)",EventTV="[\d-]+",Severit
y="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\
da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",Rem
oteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge=
"\w+")?(,ReceivedHash="[\da-f]+")?$

ignoreregex =




--
rickygm

http://gnuforever.homelinux.com

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to
Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

[xserverlinux at gmail.com]

2015-01-09 9:05 GMT-06:00 Tech Support <asterisk@voipbusiness.us>:

[xserverlinux at gmail.com]

2015-01-09 3:53 GMT-06:00 Stefan Gofferje <lists@home.gofferje.net>:

[mdupuis at ocg.ca]

I'd suggest taking a look at the free edition of SecAst (www.generationd.com). It handles these messages perfectly (and can also use AMI security events) - so you don't need to constantly be updating fail2ban rules. It's a drop in replacement for fail2ban.

-M-

P.S. My opinions are my own and do not necessarily represent those of my employer. As an employee of Generation D System you can bet my opinions are biased though!
________________________________________
From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of ricky gutierrez <xserverlinux@gmail.com>
Sent: Friday, January 9, 2015 3:02 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] SEMI OFF-TOPIC - Fail2ban

2015-01-09 3:53 GMT-06:00 Stefan Gofferje <lists@home.gofferje.net>:

[mjordan at digium.com]

On Fri, Jan 9, 2015 at 5:24 PM, Michelle Dupuis <mdupuis@ocg.ca (mdupuis@ocg.ca)> wrote: