Asterisk 1.8.11.1 & fail2ban

Hi,

how can i stop this attacks ?:

I use fail2ban with the fallowing regexp:

[quote]failregex = Registration from ‘.’ failed for ‘(:[0-9]{1,5})?’ - Wrong password
Registration from '.
’ failed for ‘(:[0-9]{1,5})?’ - No matching peer found
Registration from ‘.’ failed for ‘(:[0-9]{1,5})?’ - Device does not match ACL
Registration from '.
’ failed for ‘(:[0-9]{1,5})?’ - Username/auth name mismatch
Registration from ‘.’ failed for ‘(:[0-9]{1,5})?’ - Peer is not supposed to register
NOTICE.
failed to authenticate as ‘.’$
NOTICE.
.: No registration for peer '.’ (from )
NOTICE.* .: Host failed MD5 authentication for '.’ (.)
[b]NOTICE.
.: Call from '.’ ((:[0-9]{1,5})?) to extension ‘[0-9]{4,}’ rejected because extension not found.* ..[/b]
VERBOSE.
logger.c: – .IP/-. Playing ‘ss-noservice’ (language ‘.*’)
[/quote]

I’ve added the bolded line for catching this kind of attack, but it seems that this kind of error cannot be catched by fail2ban. Indeed when i try the unix command:

fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

no line is captured. Where am I wrong ? tnx

do you have the allowguest=yes?

No I haven’t set that option. May be, if i haven’t set it, the default value is yes…

Up

The default for allowguest is yes. For security, it needs to be explicitly set to no.

I’m not familiar with the details of fail2ban, but including a log file line that you would have expected to match the pattern would help diagnose the pattern.