
fail2ban doesn't ban

Posted: 2016/02/03 15:01:02
by ipvinner
Hello. Could somebody help me?
I'm using CentOS 7, firewalld, and fail2ban.
/etc/fail2ban/jail.conf:


[asterisk]
enabled  = true
filter   = asterisk
action = firewallcmd-ipset
#banaction = firewallcmd-ipset
#action   = iptables-allports[name=ASTERISK, protocol=all] 
#      sendmail[name=ASTERISK, dest=ivanv@domain, sender=fail2ban@local.local]

logpath  = /var/log/asterisk/full
maxretry = 2 
bantime = 259200
findtime = 21600
/etc/fail2ban/filter.d/asterisk.conf:


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =
Tested, and it looks like the filter works correctly:
fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf


Results
=======
Failregex: 14 total
fail2ban bans failed SSH attempts, but when I try to connect to Asterisk with a wrong password, fail2ban doesn't ban,
and there is nothing interesting in /var/log/fail2ban.log:


2016-02-03 15:08:44,606 fail2ban.filtersystemd  [2917]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2016-02-03 15:08:44,608 fail2ban.jail           [2917]: INFO    Jail 'asterisk' started
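An added check, not part of the thread and not fail2ban's own code: the `fail2ban.filtersystemd` line in the log above means the asterisk jail was started with fail2ban's systemd backend, which reads the journal and ignores `logpath`, whereas `fail2ban-regex` run against the file only exercises the filter. The script below layers a constructed jail.conf/jail.local pair the way fail2ban merges them, reports the backend the asterisk jail inherits, and runs the thread's first failregex over constructed Asterisk log lines so the two checks can be compared. Assumptions: the distro default `backend = systemd` in `[DEFAULT]` is made up for the demonstration, `__prefix_line` is simplified to Asterisk's bracketed timestamp, and the `backend = auto` override is the candidate fix being checked, not something the thread states.

```python
"""Compare 'does the filter match the file' with 'does the jail read the
file'.  Added example; not from the forum thread or the fail2ban project."""
import configparser
import re

# Constructed jail fragments.  JAIL_CONF mimics a distro default that sets
# backend = systemd globally (an assumption); JAIL_LOCAL is the jail as
# posted in the thread, which does not override the backend.
JAIL_CONF = """\
[DEFAULT]
backend = systemd
bantime = 600
findtime = 600
maxretry = 5

[sshd]
enabled = true
"""

JAIL_LOCAL = """\
[asterisk]
enabled  = true
filter   = asterisk
action   = firewallcmd-ipset
logpath  = /var/log/asterisk/full
maxretry = 2
bantime  = 259200
findtime = 21600
"""

# Same jail with the backend pinned to file polling for this jail only
# (the candidate fix being checked; an assumption, not from the thread).
JAIL_LOCAL_FIXED = JAIL_LOCAL + "backend  = auto\n"


def effective_backend(jail, *conf_texts):
    """Merge fragments in order (jail.conf, then jail.local) and return the
    backend the named jail sets itself or inherits from [DEFAULT]."""
    cfg = configparser.ConfigParser(interpolation=None)
    for text in conf_texts:
        cfg.read_string(text)
    return cfg.get(jail, "backend", fallback="auto")


def reads_logpath(backend):
    """fail2ban's systemd backend tails the journal and ignores logpath;
    auto/polling/pyinotify/gamin tail the file named by logpath."""
    return backend != "systemd"


# Pieces of the thread's asterisk.conf.  __prefix_line is simplified to
# Asterisk's "[YYYY-MM-DD HH:MM:SS]" stamp (assumption; fail2ban's real
# common.conf prefix is more general), and <HOST> is expanded the way
# fail2ban substitutes it.
PID_RE = r"(?:\[\d+\])"
PREFIX_LINE = r"\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]\s*"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
LOG_PREFIX = (r"(?:NOTICE|SECURITY)" + PID_RE
              + r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?")
FAILREGEX = re.compile(
    r"^(" + PREFIX_LINE + r"|\[\]\s*)" + LOG_PREFIX
    + r" Registration from '[^']*' failed for '" + HOST + r"(:\d+)?' - "
    r"(Wrong password|Username/auth name mismatch|No matching peer found|"
    r"Not a local domain|Device does not match ACL|"
    r"Peer is not supposed to register|ACL error \(permit/deny\))$"
)

# Constructed sample lines in the shape Asterisk writes to its full log.
SAMPLE_LOG = [
    "[2016-02-03 15:08:50] NOTICE[2917] chan_sip.c:26913 Registration from "
    "'\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password",
    "[2016-02-03 15:08:51] NOTICE[2917][C-00000012] chan_sip.c:26913 Registration from "
    "'\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found",
    "[2016-02-03 15:08:52] VERBOSE[2917] chan_sip.c:4095 Really destroying SIP dialog",
]


def offending_hosts(lines):
    """Hosts extracted by FAILREGEX, in log order (what fail2ban-regex counts)."""
    return [m.group("host") for m in map(FAILREGEX.match, lines) if m]


def diagnose(jail_conf, jail_local, lines):
    """The thread's situation in one place: filter hits on the file versus
    whether the jail's backend would ever look at that file."""
    backend = effective_backend("asterisk", jail_conf, jail_local)
    hosts = offending_hosts(lines)
    return {
        "backend": backend,
        "filter_matches": len(hosts),
        "jail_would_see_file": reads_logpath(backend),
    }


if __name__ == "__main__":
    for label, local in (("as posted", JAIL_LOCAL),
                         ("with backend = auto", JAIL_LOCAL_FIXED)):
        print(label, diagnose(JAIL_CONF, local, SAMPLE_LOG))
```

On a live system the same question is answered by `fail2ban-client status asterisk`: a jail on a file backend lists the files it tails under the filter's "File list", while a jail on the systemd backend shows journal matches instead, whatever `logpath` says.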

Re: fail2ban doesn't ban

Posted: 2016/02/04 14:23:39
by lightman47
I'm no expert, but is fail2ban "looking at" the actual asterisk log? Is "full" the actual name of the log file? From your description it sounds like fail2ban isn't seeing the login failures.

- just a shot in the dark -

Re: fail2ban doesn't ban

Posted: 2016/02/04 17:07:18
by ipvinner
lightman47 wrote: I'm no expert, but is fail2ban "looking at" the actual asterisk log? Is "full" the actual name of the log file? From your description it sounds like fail2ban isn't seeing the login failures.

- just a shot in the dark -
Yes, it's the FreePBX log, but I'm checking using fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf
and that file contains all the log records with unauthorized attempts to connect to Asterisk.