I had to upgrade my dev Asterisk server to version 1.8.x because that is what we are using at Mojo Lingo. The next day I started to see tons of connection attempts to my box, and I thought to myself: shouldn't Fail2Ban be taking care of this?
I checked iptables with iptables -L -v and found nothing, then checked the /var/log/asterisk/messages log and saw a lot more attempts than my fail2ban max of 5. Is fail2ban running? Yes it is…
What is happening?
I began to analyze the logs and saw that the attack attempts couldn't possibly be caught by the regex in the current fail2ban asterisk filter configuration. Strangely, the Asterisk logs were including the remote host's port number, and those lines were therefore being ignored by fail2ban.
After a quick Google search I found the following regex lines on the Fail2Ban asterisk page:
I added those regexes to my /etc/fail2ban/filter.d/asterisk.conf file and restarted fail2ban. After a bit, the offender was blacklisted in my iptables firewall. Bless.
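As an added illustration of the mismatch described above (not the regex from the Fail2Ban page or the author's own filter), the Python below mimics how fail2ban applies a failregex with its <HOST> token to Asterisk log lines and counts failures against the maxretry of 5. The host pattern, both filter lines and the log excerpt are constructed for this example.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> token in a failregex into a pattern that captures the
# offending address. This simplified IPv4-only stand-in is an assumption of this
# example, not fail2ban's real expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed filter line in the style of the pre-1.8 asterisk.conf: the address
# must be followed directly by the closing quote, so a ':port' suffix breaks the match.
OLD_FAILREGEX = r"Registration from '.*' failed for '<HOST>' - Wrong password"

# Same line with an optional ':port' suffix, matching the host:port form Asterisk 1.8 logs.
NEW_FAILREGEX = r"Registration from '.*' failed for '<HOST>(?::\d+)?' - Wrong password"


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def hosts_over_threshold(log_lines, failregex, maxretry=5):
    """Return the hosts whose matching failures reach maxretry (5, as in the post)."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


def sample_log():
    """Constructed /var/log/asterisk/messages excerpt: six failures in the older
    host-only format and six in the Asterisk 1.8 host:port format."""
    old_style = ("[Mar 10 12:00:%02d] NOTICE[2011] chan_sip.c: Registration from "
                 "'\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password")
    new_style = ("[Mar 10 12:01:%02d] NOTICE[2011] chan_sip.c: Registration from "
                 "'\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password")
    return [old_style % i for i in range(6)] + [new_style % i for i in range(6)]


if __name__ == "__main__":
    log = sample_log()
    # The old filter only ever sees the first source; the port-bearing lines are invisible to it.
    print("old filter bans:", hosts_over_threshold(log, OLD_FAILREGEX))
    print("new filter bans:", hosts_over_threshold(log, NEW_FAILREGEX))
```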