Asterisk 1.8 and Fail2Ban woes

July 14, 2011

I had to upgrade my dev Asterisk server to version 1.8.x because that is what we are using at Mojo Lingo. The next day I started to see tons of connection attempts to my box, and I thought to myself, shouldn't Fail2Ban be taking care of this?

I checked iptables with `iptables -L -v` and found nothing, then checked the `/var/log/asterisk/messages` log and there were a lot more attempts than my fail2ban max of 5. Is fail2ban running? Yes it is….

### What is happening?

I began to analyze the logs and saw that the attack attempts couldn't possibly be caught by the regex in the current fail2ban Asterisk filter configuration. Strangely, the Asterisk logs were including the remote host's port number, and the lines were therefore being ignored by fail2ban.

After a quick search on Google I found the following regex lines on the Fail2Ban Asterisk page:

```
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
```

I added those regexes to my `/etc/fail2ban/filter.d/asterisk.conf` file (under `failregex =` in the `[Definition]` section) and restarted fail2ban. After a bit, the offender was blacklisted in my iptables firewall. Bless.
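To see why the `(:[0-9]{1,5})?` group is what made the difference, here is a small added example (not the post's own code and not fail2ban's) that runs the old and new filter lines over a few constructed Asterisk 1.8 log lines. The `HOST_TAG` pattern is an assumption that approximates how fail2ban 0.8.x expands `<HOST>`; the important property is that it does not match a `:`, so a host written as `1.2.3.4:5060` followed by `'` can never satisfy the port-less regex. The port-less "old" lines are my reconstruction of the original filter, also an assumption.

```python
import re

# Assumption: approximation of fail2ban's <HOST> expansion. The character class
# deliberately excludes ':' so a trailing ':port' is not swallowed into the host.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Assumed pre-1.8 filter lines: no allowance for a port after the host.
OLD_FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>' - Wrong password",
    r"Registration from '.*' failed for '<HOST>' - No matching peer found",
]

# The lines from the post, with the optional ':port' group.
NEW_FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register",
]

# Constructed sample log: six Asterisk 1.8 style lines (host:port) from one
# source, plus one older-style line without a port. Addresses are documentation
# ranges, not real hosts.
SAMPLE_LOG = [
    "[Jul 14 09:12:33] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password",
    "[Jul 14 09:12:34] NOTICE[1234] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found",
    "[Jul 14 09:12:35] NOTICE[1234] chan_sip.c: Registration from '\"102\" <sip:102@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found",
    "[Jul 14 09:12:36] NOTICE[1234] chan_sip.c: Registration from '\"103\" <sip:103@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password",
    "[Jul 14 09:12:37] NOTICE[1234] chan_sip.c: Registration from '\"104\" <sip:104@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found",
    "[Jul 14 09:12:38] NOTICE[1234] chan_sip.c: Registration from '\"105\" <sip:105@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password",
    "[Jul 14 09:15:01] NOTICE[1234] chan_sip.c: Registration from '\"admin\" <sip:admin@192.0.2.10>' failed for '203.0.113.7' - No matching peer found",
]


def compile_failregex(templates):
    """Expand <HOST> the way fail2ban would (approximately) and compile each line."""
    return [re.compile(t.replace("<HOST>", HOST_TAG)) for t in templates]


def extract_host(compiled, line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(templates, lines):
    """Count matched failures per host, as fail2ban's filter would tally them."""
    compiled = compile_failregex(templates)
    counts = {}
    for line in lines:
        host = extract_host(compiled, line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Hosts that reached the jail's maxretry (5 in the post) and would be banned."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, templates in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        counts = count_failures(templates, SAMPLE_LOG)
        print(name, counts, "-> ban:", hosts_to_ban(counts))
```

With the old lines the six `host:port` attempts are invisible and nothing reaches `maxretry`; with the post's lines the same log yields six hits for the one source and it crosses the threshold. `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` is the quicker way to check this against a live log.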
