Fail2ban config help needed

lowno

I am running fail2ban of course and am being hit with an attack that is not being jailed by fail2ban. I see the following line in my asterisk log:
[2010-12-13 08:52:10] NOTICE[3430] chan_sip.c: Registration from '"108" <sip:108@MYEXTIP>' failed for '118.123.205.180' - Device does not match ACL

This is not being jailed and the 6000 attempts at a time are killing the bandwidth. Unfortunately I need to have the ports open on my router for external extensions. Now after looking at the asterisk.conf file for fail2ban, I see:

Code:
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)

So I assume I need to add a line. Can anyone assist me with this? Also, Ward, shouldn't this be added to fail2ban for the future?

Thanks in advance.
 
Ok, now while I believe I have solved my problem with the help of google, lastly, is it possible to have the fail2ban asterisk.conf file configured upon install or upon running update-fixes? I found the following link:
http://www.md3v.com/protect-your-asterisk-server-with-fail2ban

The poster has additional entries for fail2ban that would have jailed the attack. Here are his suggested entries:

Code:
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

More specifically, NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL, should have jailed this attacker today if I had it in my fail2ban asterisk.conf file.
 
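Added example (not from the thread or from fail2ban itself): a small Python script that expands the `<HOST>` tag the way fail2ban does, runs the stock filter and the extended filter from the post above over a constructed log sample containing the thread's "Device does not match ACL" line, and counts failures per host against a maxretry threshold, so you can see which list would actually have jailed the attacker. The `HOST_RE` pattern, the sample log lines and the second address 192.0.2.10 are assumptions/constructed for the demo.

```python
import re
from collections import Counter

# fail2ban swaps the <HOST> tag for a named group that captures the client address
# (this pattern approximates the one fail2ban 0.8 uses; assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Stock asterisk.conf failregex lines as quoted in the thread (no ACL line).
ORIGINAL_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' (from <HOST>)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
]
# The two extra lines from the linked post.
EXTENDED_FAILREGEX = ORIGINAL_FAILREGEX + [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]

# Constructed log sample: the thread's ACL line six times, one wrong-password attempt
# from a second (documentation-range) address, and one line that is not a failure.
ACL_LINE = ("[2010-12-13 08:52:%02d] NOTICE[3430] chan_sip.c: Registration from "
            "'\"108\" <sip:108@MYEXTIP>' failed for '118.123.205.180' - Device does not match ACL")
SAMPLE_LOG = [ACL_LINE % s for s in range(10, 16)] + [
    "[2010-12-13 08:53:01] NOTICE[3430] chan_sip.c: Registration from "
    "'\"201\" <sip:201@MYEXTIP>' failed for '192.0.2.10' - Wrong password",
    "[2010-12-13 08:53:02] VERBOSE[3430] chan_sip.c: Really destroying SIP dialog '1234@192.0.2.10'",
]

def compile_filter(failregex):
    # Expand <HOST> in each filter.d-style line and compile it.
    return [re.compile(r.replace("<HOST>", HOST_RE)) for r in failregex]

def match_line(compiled, line):
    # Return the offending host for one log line, or None if no failregex matches it.
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def find_bans(failregex, log_lines, maxretry=5):
    # Count matched failures per host and return those at or above maxretry, as the jail would.
    compiled = compile_filter(failregex)
    failures = Counter(filter(None, (match_line(compiled, line) for line in log_lines)))
    return {host: n for host, n in failures.items() if n >= maxretry}
```

With the stock list `find_bans` returns nothing for this sample; with the extended list it returns the ACL attacker with six hits, which is the gap the thread describes. The real fail2ban-regex tool does the same check against a live log file and is the quicker way to verify a filter edit before restarting the service.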
Looks like you may be missing a line in /etc/fail2ban/filter.d/asterisk.conf. I have the following line, by default, in my test box:

Code:
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL

Add it to the above file and restart fail2ban and it should start catching it.
 
Did you manually add that at some point? I just took a look at the latest purple install, and I know it is beta, but that extra line is not there.
 
Ahh, cool, so it is recent enough based on Ward's post. Thanks for that. I should set some reminder for myself to run update-fixes each month to stay on top of things like that.

Thanks all.

EDIT: just ran update-fixes and the new entries were not added. Just FYI.
 
Which brings me to another idea: should the PIAF community have some sort of email notification when there are changes to update-fixes, especially when security related? I do have nerdvittles in my RSS reader and try to skim over posts in the forum consistently.

Is there another RSS feed that can push security info to the community?
 
What version of PIAF are you running? Pre 1.7.5.5? Post 1.7.5.5 should have the patches to asterisk.conf. Just checked and mine do.

Tom
 