I have installed fail2ban and configured it for Asterisk, and it's working fine. But there is a registration attempt which is consistent, and fail2ban is unable to ban it as it does not match any regex statements, I think. The registration attempt string is:

NOTICE[15055][C-00009bed]: chan_sip.c:25679 handle_request_invite: Failed to authenticate device 333sip:333@x.x.x.x;tag=3a726ea9

This registration statement is not giving any IP it's coming from. Please advise. I think we can add a regex statement for this statement, or any other solution to stop this attempt. The attempt frequency is about 5-10 attempts a day. In my settings it bans on the third attempt.

Nitesh

2 Answers

You should not care if you have fewer than 5 attempts/second. Since it is a brute-force attack, it will take forever to guess your password at the current rate.

You can stop such attempts by using iptables filters with the LOG action. After that, use the firewall log file in fail2ban. But for a low rate it will not work, except in the variant where you do not use dynamic registrations at all.

arheops

Asterisk logs the originating IP address in the security log. You can get security messages in your messages log by adding/editing the following line in /etc/asterisk/logger.conf

 messages => security,notice,warning,error 

...and reloading the logger:

 logger reload

at the CLI.

SchroedingersCat
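
The following Python example is added here and is not part of the answer above, nor Asterisk's or fail2ban's own code. It pulls the originating IP out of the `RemoteAddress` field of security-log lines and lists the addresses that reach the 3-attempt threshold mentioned in the question. The log lines are constructed and abbreviated, and the function names and the set of events counted as failures are assumptions.

```python
import re
from collections import Counter

# Security events counted as authentication failures (a selection assumed for this example).
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed", "FailedACL"}

EVENT_RE = re.compile(r'SecurityEvent="(?P<event>\w+)"')
# RemoteAddress looks like IPV4/UDP/203.0.113.7/5071 or IPV6/UDP/2001:db8::5/5060
REMOTE_RE = re.compile(r'RemoteAddress="IPV[46]/[A-Z]+/(?P<ip>[0-9A-Fa-f:.]+)/\d+"')

def remote_ip(line):
    """Return the source IP of a failed-authentication SECURITY line, else None."""
    if "SECURITY[" not in line:
        return None  # e.g. the chan_sip NOTICE line, which carries no source address
    event = EVENT_RE.search(line)
    remote = REMOTE_RE.search(line)
    if not event or not remote or event.group("event") not in FAILURE_EVENTS:
        return None
    return remote.group("ip")

def offenders(lines, max_retry=3):
    """Map each source IP with at least max_retry failures to its failure count."""
    counts = Counter(ip for ip in map(remote_ip, lines) if ip)
    return {ip: n for ip, n in counts.items() if n >= max_retry}

# Constructed, abbreviated sample lines (documentation-range addresses).
SEC = "SECURITY[15055] res_security_log.c: "
SAMPLE_LOG = [
    '[2014-05-01 10:00:01] ' + SEC + 'SecurityEvent="ChallengeSent",Service="SIP",AccountID="333",RemoteAddress="IPV4/UDP/203.0.113.7/5071"',
    '[2014-05-01 10:00:02] ' + SEC + 'SecurityEvent="InvalidPassword",Service="SIP",AccountID="333",RemoteAddress="IPV4/UDP/203.0.113.7/5071"',
    '[2014-05-01 13:10:40] ' + SEC + 'SecurityEvent="InvalidPassword",Service="SIP",AccountID="333",RemoteAddress="IPV4/UDP/203.0.113.7/5071"',
    '[2014-05-01 17:45:12] ' + SEC + 'SecurityEvent="InvalidPassword",Service="SIP",AccountID="333",RemoteAddress="IPV4/UDP/203.0.113.7/5071"',
    '[2014-05-01 18:02:33] ' + SEC + 'SecurityEvent="InvalidAccountID",Service="SIP",AccountID="100",RemoteAddress="IPV6/UDP/2001:db8::5/5060"',
    '[2014-05-01 18:05:00] ' + SEC + 'SecurityEvent="SuccessfulAuth",Service="SIP",AccountID="201",RemoteAddress="IPV4/UDP/198.51.100.20/5060"',
    # The NOTICE line from the question: no RemoteAddress field, so nothing to ban on.
    '[2014-05-01 10:00:02] NOTICE[15055][C-00009bed]: chan_sip.c:25679 handle_request_invite: Failed to authenticate device 333sip:333@x.x.x.x;tag=3a726ea9',
]

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed attempts")
```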