Asterisk 1.8.11.1 & fail2ban

cheissol · July 25, 2012, 8:26am

Hi,

how can i stop this attacks ?:

[2012-07-24 06:55:02] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1028) to extension ‘900000972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:03] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1034) to extension ‘1111100972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:05] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1035) to extension ‘2222200972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:06] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1045) to extension ‘3333300972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:07] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1038) to extension ‘4444400972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:10] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:5099) to extension ‘5555500972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:11] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1037) to extension ‘6666600972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:13] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1031) to extension ‘7777700972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:15] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1037) to extension ‘8888800972592577022’ rejected because extension not found in context ‘default’.
[2012-07-24 06:55:16] NOTICE[6509] chan_sip.c: Call from ‘’ (173.45.248.243:1040) to extension ‘9999900972592577022’ rejected because extension not found in context ‘default’.

I use fail2ban with the fallowing regexp:

[quote]failregex = Registration from ‘.’ failed for ‘(:[0-9]{1,5})?’ - Wrong password
Registration from '.’ failed for ‘(:[0-9]{1,5})?’ - No matching peer found
Registration from ‘.’ failed for ‘(:[0-9]{1,5})?’ - Device does not match ACL
Registration from '.’ failed for ‘(:[0-9]{1,5})?’ - Username/auth name mismatch
Registration from ‘.’ failed for ‘(:[0-9]{1,5})?’ - Peer is not supposed to register
NOTICE. failed to authenticate as ‘.'$
NOTICE. .: No registration for peer '.’ (from )
NOTICE.* .: Host failed MD5 authentication for '.’ (.)
[b]NOTICE. .: Call from '.’ ((:[0-9]{1,5})?) to extension ‘[0-9]{4,}’ rejected because extension not found.* ..[/b]
VERBOSE. logger.c: – .IP/-. Playing ‘ss-noservice’ (language ‘.*’)
[/quote]

I’ve added the bolded line for catching this kind of attack, but it seems that this kind of error cannot be catched by fail2ban. Indeed when i try the unix command:

fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

no line is captured. Where am I wrong ? tnx

navaismo · July 25, 2012, 2:24pm

do you have the allowguest=yes?

cheissol · July 26, 2012, 6:29am

No I haven’t set that option. May be, if i haven’t set it, the default value is yes…

cheissol · August 27, 2012, 8:04am

Up

david55 · August 27, 2012, 8:10am

The default for allowguest is yes. For security, it needs to be explicitly set to no.

I’m not familiar with the details of fail2ban, but including a log file line that you would have expected to match the pattern would help diagnose the pattern.

Topic		Replies	Views
Spam (I think) Asterisk Support	5	268	March 19, 2013
Getting hacked Asterisk Support	2	153	March 15, 2011
Someone is trying to make calls without being registered Asterisk Support	1	347	January 31, 2013
Newbie: hack attempts in asterisk log Asterisk Support	4	294	July 9, 2012
Extension fake connections Asterisk SIP	1	484	January 18, 2017

Asterisk 1.8.11.1 & fail2ban

Related topics