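# jail.local section: ban hosts that repeatedly fail SSH authentication.
# fail2ban reads this with a configparser-style reader: a second action
# must be an INDENTED continuation line, otherwise the reader sees a bare
# "sendmail-whois[...]" line with no "=" and rejects the section.
[ssh-iptables]
enabled = true
# filter.d/sshd.conf
filter = sshd
# Two actions: insert an iptables rule for the ssh port, then mail a
# whois report on the banned address to root.
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
# RHEL-style auth log (Debian-based systems log to /var/log/auth.log instead)
logpath = /var/log/secure
# failed attempts within findtime before a ban
maxretry = 5
# seconds; 86000 is ~23.9 h — if a 24 h ban was intended, 86400 matches the asterisk jail
bantime = 86000
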
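# jail.local section: ban hosts that repeatedly fail Asterisk (SIP)
# registration/authentication, as matched by filter.d/asterisk.conf.
[asterisk-iptables]
# if more than 4 attempts are made within 6 hours, ban for 24 hours
enabled = true
filter = asterisk
# Two actions: block the address on all ports/protocols, then send a
# plain mail notification. The second action is an INDENTED continuation
# line; left flush-left it is not a valid key=value line and the section
# fails to load. dest/sender look like placeholders — set real addresses.
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail[name=ASTERISK, dest=you@yourmail.co.uk, sender=fail2ban@local.local]
logpath = /var/log/asterisk/messages
# failed attempts within findtime before a ban
maxretry = 4
# seconds (6 hours)
findtime = 21600
# seconds (24 hours)
bantime = 86400
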
# FILTRO ASTERISK (Asterisk filter)
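# Asterisk filter ([Definition] section of filter.d/asterisk.conf).
# The patterns must use the ASCII characters Asterisk actually logs: single
# quote ', double quote " and hyphen-minus -. The pasted copy carried
# typographic quotes (‘ ’ ”) and en-dashes (–), so none of the lines could
# ever match a real log line and no ban would be issued.
# %(log_prefix)s is a definition from the same filter (not shown here);
# <HOST> is fail2ban's placeholder for the offending address. Each
# continuation line must stay indented.
[Definition]
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Device does not match ACL$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Peer is not supposed to register$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - ACL error \(permit/deny\)$
            ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Not a local domain$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$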
NOTICE[20093][C-000028bb]: chan_sip.c:25809 handle_request_invite: Failed to authenticate device <sip:1213@167.99.230.15>;tag=1414167029