I have an Asterisk server that is being attacked. There is a fail2ban jail for the Asterisk logs, but the configuration does not pick up this situation:
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:[email protected]>' failed for '185.210.157.40:5977' (callid: 1048704493) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 522785130) - No matching endpoint found after 35 tries in 0.182 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 522785130) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 1616436563) - No matching endpoint found after 36 tries in 0.187 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:[email protected]>' failed for '185.210.157.40:5803' (callid: 1616436563) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:[email protected]>' failed for '185.210.157.40:5977' (callid: 2926631629) - No matching endpoint found after 37 tries in 0.199 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:[email protected]>' failed for '185.210.157.40:5977' (callid: 2926631629) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:[email protected]>' failed for '185.210.157.40:5677' (callid: 2397138656) - No matching endpoint found after 38 tries in 0.200 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:[email protected]>' failed for '185.210.157.40:5677' (callid: 2397138656) - Failed to authenticate
/etc/fail2ban/asterisk-security.conf:
[INCLUDES]

[Definition]
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
ignoreregex =
My understanding of regular expressions is poor, and I would be very thankful if someone could help with the failregex definition in order to detect this attack!
Finally found out that fail2ban is delivered with an Asterisk filter (/etc/fail2ban/filter.d/asterisk.conf) that does all I need, so I just had to use this one.
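For anyone who still wants to see how a failregex for these PJSIP NOTICE lines is matched and checked, here is an added example (not from the question and not the pattern shipped in fail2ban's asterisk.conf). The regex and the simplified stand-in for fail2ban's <HOST> expansion are my own assumptions, and the sample log lines are constructed to mirror the shape of the lines above with documentation IP addresses.

```python
import re

# Stand-in for the <HOST> tag that fail2ban expands itself. This is a
# simplified assumption so the pattern can be tested outside fail2ban;
# it captures an IPv4/IPv6/hostname-like token without the trailing port.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex as you would write it in a filter file (<HOST> left for
# fail2ban to expand). Matches the two failure reasons seen in the log:
# "No matching endpoint found" and "Failed to authenticate".
FAILREGEX = (
    r"^\[[^\]]+\] NOTICE\[\d+\] res_pjsip/pjsip_distributor\.c: "
    r"Request '[^']*' from '[^']*' failed for '<HOST>(?::\d+)?' "
    r"\(callid: [^)]*\) - (?:No matching endpoint found|Failed to authenticate)"
)

_compiled = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))


def failing_hosts(lines):
    """Return {host: number of matching failure lines}, like fail2ban's
    per-IP counter before maxretry is compared."""
    counts = {}
    for line in lines:
        m = _compiled.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


# Constructed sample lines (same layout as the Asterisk NOTICE output above).
SAMPLE_LOG = [
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"213\" <sip:213@pbx.example>' failed for '203.0.113.40:5977' (callid: 1048704493) - Failed to authenticate",
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"322\" <sip:322@pbx.example>' failed for '203.0.113.40:5803' (callid: 522785130) - No matching endpoint found after 35 tries in 0.182 ms",
    "[2023-07-27 11:25:58] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '\"100\" <sip:100@pbx.example>' failed for '198.51.100.7:5060' (callid: 17) - No matching endpoint found after 5 tries in 0.010 ms",
    # Constructed negative case: similar shape, but neither of the failure reasons.
    "[2023-07-27 11:25:59] WARNING[152570] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '<sip:100@pbx.example>' failed for '192.0.2.9:5060' (callid: 18) - Some other reason",
]

if __name__ == "__main__":
    for host, n in failing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} failures")
```

Against a real log you can run the same kind of check with fail2ban's own tool, e.g. `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines each regex matched and which hosts were extracted.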