Best fail2ban regex to match "extension not found" events

Hello,

In Debian Buster’s /etc/fail2ban/filter.d/asterisk.conf filter, the rule to match “extension not found” events is:
^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context

When using Asterisk 16.2.1, I see in log files, lines such as:
[Mar 25 11:07:36] NOTICE[15845] res_pjsip_session.c: Call from 'sipp2' (UDP:192.168.64.38:15060) to extension '3' rejected because extension not found in context 'from-sipp'.

Those logged events differ, with (UDP:192.168.64.38:15060) instead of (192.168.64.38:15060).

I successfully tried with PJSIP and:
^Call from '[^']*' \((UDP:|TCP:|)<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context

  1. Is the presence of UDP/TCP/whatever in the above events something that was introduced with a specific Asterisk version, or simply an error in fail2ban's default filters?

  2. What is the best way to update this specific fail2ban rule to cover as many use cases as possible (old or current Asterisk versions, TLS, chan_sip, …)?

Best regards

According to the first release that included PJSIP, which was 12.0.0, it has always included the transport type name (UDP/TCP).
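
As an added example (not part of the original thread, and not fail2ban's shipped filter), the following Python check compares the Buster rule quoted in the question with a variant that tolerates an optional transport name before the host. The `HOST` and `PREFIX` patterns are simplified stand-ins for fail2ban's own `<HOST>` expansion and log-prefix handling, the `TOLERANT` rule is a hypothetical variant that assumes transport names are uppercase letters, and the second and third sample lines are constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the
# real tag also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-in for the timestamp/level/source prefix that the filter
# strips before failregex is applied (assumption).
PREFIX = r"^\[[^\]]+\] \w+\[\d+\](?:\[C-[0-9a-f]+\])? \S+: "
TAIL = r" to extension '[^']*' rejected because extension not found in context"

# Rule as quoted in the question (Debian Buster filter).
BUSTER = r"Call from '[^']*' \(<HOST>:\d+\)" + TAIL
# Hypothetical variant: optional uppercase transport name before the host.
TOLERANT = r"Call from '[^']*' \((?:[A-Z]+:)?<HOST>:\d+\)" + TAIL

# Sample lines: the first is the PJSIP line from the question, the other two
# are constructed (no transport prefix, and a TCP prefix).
SAMPLES = [
    "[Mar 25 11:07:36] NOTICE[15845] res_pjsip_session.c: Call from 'sipp2' "
    "(UDP:192.168.64.38:15060) to extension '3' rejected because extension "
    "not found in context 'from-sipp'.",
    "[Mar 25 11:08:02] NOTICE[15845] chan_sip.c: Call from 'sipp2' "
    "(192.168.64.38:15060) to extension '3' rejected because extension "
    "not found in context 'from-sipp'.",
    "[Mar 25 11:09:10] NOTICE[15845] res_pjsip_session.c: Call from 'sipp2' "
    "(TCP:192.168.64.38:15060) to extension '3' rejected because extension "
    "not found in context 'from-sipp'.",
]

def banned_host(rule, line):
    """Return the address the rule would hand to fail2ban, or None."""
    m = re.search(PREFIX + rule.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

def coverage(rule):
    """Hosts extracted from each sample line, in order."""
    return [banned_host(rule, line) for line in SAMPLES]

if __name__ == "__main__":
    for name, rule in (("buster", BUSTER), ("tolerant", TOLERANT)):
        print(name, coverage(rule))
```

On a real system, `fail2ban-regex` run against the Asterisk log and the filter file performs the same check with the actual `<HOST>` expansion.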
