Asterisk Security with CSF

Hi folks,

I am trying to secure my asterisk box, i am also comparing csf performance with fail2ban.

I have installed csf version: 5.14
i have changed custom1 log path in csf.conf

CUSTOM1_LOG = “/var/log/asterisk/notice”

below rules have been placed in regex.custom.pm

#!/usr/bin/perl
sub custom_line {
my $line = shift;
my $lgfile = shift;

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.failed for ‘(\d+(.\d+){3})’ - (No matching peer found)./)) {
return (“Failed MondoTalkSIP login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.failed for ‘(\d+(.\d+){3})’ - (Username/auth name mismatch)./)) {
return (“Failed MondoTalkSIP login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.failed for ‘(\d+(.\d+){3})’ - (Wrong passord)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.failed for ‘(\d+(.\d+){3})’ - (Device does not match ACL)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.Host (\d+(.\d+){3}) (failed to authenticate)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.*(No registration for peer).from (\d+(.\d+){3})./)) {
return (“Failed Asterisk login $1 from”,$2,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.(Failed to authenticate user).@(\d+(.\d+){3}).*/)) {
return (“Failed MondoTalkSIP login $1 from”,$2,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.Host (\d+(.\d+){3}) (failed MD5 authentication)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

return 0;
}

1;

But this is not working, is there any one who can help me here? what mistake i have made?

ever have any luck with this ?

yah now working for me :smile:

I do the same script but not working can you please help me…?

send me your script.

This is my custom file
/etc/csf/regex.custom.pm

#!/usr/bin/perl

sub custom_line {
my $line = shift;
my $lgfile = shift;

Do not edit before this point

#if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*failed for ‘(\d+(.\d+){3}:\d+)’ - Wrong password/)) {
#return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060,5061”,“1”);
#}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.failed for ‘(\d+(.\d+){3})’ - (No matching peer found)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.failed for ‘(\d+(.\d+){3})’ - (Username/auth name mismatch)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.*failed for ‘(\d+(.\d+){3})’ - Wrong password/)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.failed for ‘(\d+(.\d+){3})’ - (Device does not match ACL)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.Host (\d+(.\d+){3}) (failed to authenticate)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.*(No registration for peer).from (\d+(.\d+){3})./)) {
return (“Failed Asterisk login $1 from”,$2,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.(Failed to authenticate user).@(\d+(.\d+){3}).*/)) {
return (“Failed Asterisk login $1 from”,$2,“myasteriskmatch”,“3”,“5060”,“0”);
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^[.Host (\d+(.\d+){3}) (failed MD5 authentication)./)) {
return (“Failed Asterisk login $2 from”,$1,“myasteriskmatch”,“3”,“5060”,“0”);
}

Do not edit beyond this point

    return 0;

}

1;

Here is my log
[Jan 6 18:04:21] NOTICE[20629]: chan_sip.c:29053 handle_request_register: Registration from ‘“9000” sip:9000@my_IP’ failed for ‘185.16.38.53:5266’ - Wrong password

What is your path set for CUSTOM1_LOG ?

/var/log/asterisk/notice

I’d expect the messages you would be looking at would be SECURITY ones, as per https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format

and https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

Not yet solved. Please any one help me about the issue…?

It’s unlikely that any regular contributor is using anything other than fail2ban in this role.

I assume CSF stands for “ConfigServer Security & Firewall”, although that was somewhat down the list of hits on Google.

https://download.configserver.com/csf/readme.txt

As already noted, it is the security messages, not the notice ones, that contain the information needed for this sort of tool.

Already change custom log patha to /var/log/asterisk/messages which have that mention log, but not working yet. Can any one tell me, is my regular expression fully right …?

Whilst your still using completely the wrong log for this, your regular expression doesn’t match the port number, and I think it uses the metacharacter “.” as though it were a literal.

Thanks for reply. Please can you tell me the right log.

As already stated, I’d expect the messages you would be looking at would be SECURITY ones, as per https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format

and https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger