Fail2Ban not catching No Registration

M

MikeS

Member
Joined
Jan 12, 2009
Messages
46
Reaction score
0
Hi all.

PIAF 1.7.7.5 with asterisk 1.4


I have query which may be easy for someone to answer.

I have log entries like this, IP information obscured:-

NOTICE[3174] chan_iax2.c: No registration for peer '2**' (from **.**.**.223)

/fail2ban/filter.d/asterisk.conf contains :-

NOTICE.* .*: No registration for peer '.*' (from <HOST>)

asterisk.conf is vanilla, all other entries work as intended.


Any clues ?


Regards,
 
Ward, thanks for the thought, but,

There is no real explanation of the regex for fail2ban, but, after digging into python regex (my head is still spinning :crazy:).

The correct line in filter.d/asterisk.conf should read:-

NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)


The () are meta characters within the regex and need to be escaped with \

There may be other conf's within filter.d affected, but that is the only one that affects me, at the moment.

I tested using:-

fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf

or substitute a sample log for /var/log/asterisk/full to check the filter against.

Many Thanks.
 
To follow up on this, I test my rules with fail2ban-regex, it catches 2 entries in the full log, so it should be banning in the real world. It never does. I'm testing from a seperate external IP, I see registration fail, it is never banned. It's not in the ignoreip list. I'm not sure what else to look for, everything in jail.conf appears to be correct.
Is there a way I can manually tell fail2ban to scan the log and ban?
 
My relevant jail.conf:

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, [email protected], [email protected]]
logpath = /var/log/asterisk/full
#logpath = /var/log/messages
maxretry = 2
bantime = 180000
 
And the regex test:

Code: 
root@sip:/etc/fail2ban/filter.d $ fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/asterisk.conf
Use log file   : /var/log/asterisk/full


Results
=======

Failregex
|- Regular expressions:
|  [1] Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
|  [2] Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
|  [3] Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
|  [4] Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
|  [5] Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
|  [6] NOTICE.* <HOST> failed to authenticate as '.*'$
|  [7] NOTICE.* .*: No registration for peer '.*' (from <HOST>)
|  [8] NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
|  [9] VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
|
`- Number of matches:
   [1] 0 match(es)
   [2] 2 match(es)
   [3] 0 match(es)
   [4] 0 match(es)
   [5] 0 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
    70.25.26.119 (Fri Jan 13 13:21:58 2012)
    70.25.26.119 (Fri Jan 13 13:21:59 2012)
[3]
[4]
[5]
[6]
[7]
[8]
[9]

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
62363 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 2

However, look at the above section 'Running tests' which could contain important
information.
 
Well crap. False alarm. 2 entries existed, I needed 3 to ban. As soon as I logged, or attempted at least, in, it banned me.

Hmmm, guess my pbx isn't getting hammered by the crackers then. I haven't had a ban in months!
 
You must log in or register to reply here.

Members online

No members online now.
Total: 70 (members: 0, guests: 70)

Latest Posts

Forum statistics

Threads
26,687
Messages
174,410
Members
20,257
Latest member
Dempan
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Verify your Email

Check your inbox!

We’ve sent you an email. Click on the button in the email body to verify your email address – (if you can not find it, check your spam folder).

Upon verification you will be directed to the 3CX setup wizard.

Back
Top