In Debian Buster’s /etc/fail2ban/filter.d/asterisk.conf filter, the rule to match “extension not found” events is:
^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
When using Asterisk 16.2.1, I see in log files, lines such as:
[Mar 25 11:07:36] NOTICE res_pjsip_session.c: Call from 'sipp2' (UDP:192.168.64.38:15060) to extension '3' rejected because extension not found in context 'from-sipp'.
Those logged events differ, with (UDP:192.168.64.38:15060) instead of (192.168.64.38:15060).
I successfully tried with PJSIP and:
^Call from '[^']*' \((UDP:|TCP:|)<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
Is the presence of UDP/TCP/whatever in the above events something that was introduced with a specific Asterisk version, or simply an error in the fail2ban default filters?
What is the best way to update this specific fail2ban rule to cover as many use cases as possible (old or current Asterisk versions, TLS, chan_sip, …)?
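One way to compare candidate patterns before editing the filter, as an added example that is not part of the original post or fail2ban's own code. The IPv4-only stand-in for `<HOST>`, the simplified log-prefix stripping, the letters-only transport prefix in `NEW` and every sample line except the first are assumptions constructed here.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; assumption for this demo).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

TAIL = r":\d+\) to extension '[^']*' rejected because extension not found in context"
# Pattern from the post: no transport prefix allowed before the address.
OLD = r"^Call from '[^']*' \(<HOST>" + TAIL
# Candidate: optional upper-case transport prefix such as UDP:, TCP: or TLS:.
NEW = r"^Call from '[^']*' \((?:[A-Z]+:)?<HOST>" + TAIL

# Strips "[date] LEVEL module.c: " so the anchored pattern sees only the message.
# fail2ban does this itself through the filter's prefix handling; simplified here.
PREFIX = re.compile(r"^\[[^\]]+\]\s+\w+(?:\[\d+\])?\s+\S+:\s+")

SAMPLES = [
    # Line quoted in the post (PJSIP over UDP).
    "[Mar 25 11:07:36] NOTICE res_pjsip_session.c: Call from 'sipp2' "
    "(UDP:192.168.64.38:15060) to extension '3' rejected because "
    "extension not found in context 'from-sipp'.",
    # Constructed: older format without a transport prefix.
    "[Mar 25 11:07:37] NOTICE chan_sip.c: Call from '' (192.0.2.10:5060) "
    "to extension '100' rejected because extension not found in context 'default'.",
    # Constructed: TCP and TLS transports in the same position.
    "[Mar 25 11:07:38] NOTICE res_pjsip_session.c: Call from 'a' "
    "(TCP:198.51.100.7:5060) to extension '9' rejected because "
    "extension not found in context 'from-sipp'.",
    "[Mar 25 11:07:39] NOTICE res_pjsip_session.c: Call from 'b' "
    "(TLS:203.0.113.9:5061) to extension '9' rejected because "
    "extension not found in context 'from-sipp'.",
    # Constructed: unrelated line that must never trigger a ban.
    "[Mar 25 11:07:40] NOTICE res_pjsip.c: Endpoint 'sipp2' is now reachable",
]

def offending_host(failregex, line):
    """Return the IP the pattern would hand to the ban action, or None."""
    msg = PREFIX.sub("", line, count=1)
    m = re.search(failregex.replace("<HOST>", HOST), msg)
    return m.group("host") if m else None

def coverage(failregex):
    """Captured host (or None) for every sample line, in order."""
    return [offending_host(failregex, line) for line in SAMPLES]

if __name__ == "__main__":
    for name, rx in (("OLD", OLD), ("NEW", NEW)):
        print(name, coverage(rx))
```

The same comparison can be run against a real log with the `fail2ban-regex` tool that ships with fail2ban.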