[INCLUDES] before = common.conf [Definition] _daemon = asterisk # These are the regular expressions that will trigger fail2ban into blocking an # IP address for an asterisk 1.8 installation. The first regular expression # should match against the following line taken directly from a misconfigured # client: # # Nov 9 18:47:21 pbx asterisk[3432]: NOTICE[3445]: chan_sip.c:24331 in handle_request_register: Registration from 'INCOMING CALL ' failed for '10.13.37.101:5061' - No matching peer found failregex = ^%(__prefix_line)s?NOTICE\[[0-9]+\]: chan_sip.c:[0-9]+ in handle_request_register: Registration from '.*' failed for '(:[0-9]+)?' - No matching peer found\s*$ # # The following should match against the following line log taken directly from # an attack: # Nov 14 06:32:16 pbx asterisk: NOTICE[1640]: chan_sip.c:21975 in handle_request_invite: Sending fake auth rejection for device "sip" ;tag=L7922NDHSn ^%(__prefix_line)s?NOTICE\[[0-9]+\]: chan_sip.c:[0-9]+ in handle_request_invite: Sending fake auth rejection for device ".*" >;tag=[a-zA-Z0-9]+\s*$ # # The following regexes were provided through an asterisk forum, they are a bit # sloppy and might be outdated. I've already updated one (the first one above) # to reflect what I actually see in my logs. The rest will be updated as # I see the attacks # # ^%(__prefix_line)s?NOTICE.*: Registration from '.*' failed for '(:[0-9]+)?' - Wrong Password\s*$ # ^%(__prefix_line)s?NOTICE.*: Registration from '.*' failed for '(:[0-9]+)?' - Username/auth name mismatch\s*$ # ^%(__prefix_line)s?NOTICE.*: Registration from '.*' failed for '(:[0-9]+)?' - Device does not match ACL\s*$ # ^%(__prefix_line)s?NOTICE.* (:[0-9]+)? failed to authenticate as '.*'\s*$ # ^%(__prefix_line)s?NOTICE.*: No registration for peer '.*' \(from (:[0-9]+)?\)\s*$ # ^%(__prefix_line)s?NOTICE.*: Host (:[0-9]+)? failed MD5 authentication for '.*' (.*)\s*$ # ^%(__prefix_line)s?NOTICE.*: Failed to authenticate user .*@(:[0-9]+)?.*\s*$ ignoreregex =