asterisk 11 + fail2ban (перестал банить)

[kom-pik]

fail2ban перестал банить
./jail.conf

Код: Выделить всё

[DEFAULT]
ignoreip =
bantime  = 600
findtime  = 600
maxretry = 3
backend = auto

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=root, sender=asterisk-iptables]
logpath  = /var/log/asterisk/messages
maxretry = 3
findtime = 3600
bantime = 36000
destemail = support@domain.ru
ignoreip = wan/24  lan/12

./filter.d/asterisk.conf

Код: Выделить всё

[INCLUDES]
[Definition]
failregex = .*NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny)
            .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            .*NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            .*NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            .*NOTICE.* <HOST> failed to authenticate as '.*'$
            .*NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            .*NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            .*NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            .*NOTICE.* .*[logfiles]: <HOST> failed to authenticate as '.*'
            .*NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            .*VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
            .*NOTICE.* .*: Sending fake auth rejection for device.* \[IP: <HOST>:.*\]
ignoreregex =

./asterisk/logger.conf

Код: Выделить всё

dateformat=%F %T
[logfiles]
console => notice,warning,error
messages => notice,warning,error
messages => security
full => notice,warning,error,debug,verbose,dtmf,fax	

Код: Выделить всё

Connected to Asterisk 11.5.0 currently running on server (pid = 1152)
[2013-12-26 08:30:18] NOTICE[1238]: chan_sip.c:27919 handle_request_register: Registration from '"0002499037" <sip:0002499037@ip>' failed for '176.74.14.86:5060' - Wrong password
[2013-12-26 08:30:18] NOTICE[1238]: chan_sip.c:27919 handle_request_register: Registration from '"0002499038" <sip:0002499038@ip>' failed for '176.74.14.86:5060' - Wrong password
[2013-12-26 08:33:18] NOTICE[1238]: chan_sip.c:27919 handle_request_register: Registration from '"0002499037" <sip:0002499037@ip>' failed for '176.74.14.86:5060' - Wrong password
[2013-12-26 08:33:18] NOTICE[1238]: chan_sip.c:27919 handle_request_register: Registration from '"0002499038" <sip:0002499038@ip>' failed for '176.74.14.86:5060' - Wrong password

/var/log/asterisk/messages

Код: Выделить всё

[2013-12-26 08:33:18] NOTICE[1238] chan_sip.c: Registration from '"0002499037" <sip:0002499037@ip>' failed for '176.74.14.86:5060' - Wrong password
[2013-12-26 08:33:18] SECURITY[1165] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1388046798-520090",Severity="Error",Service="SIP",EventVersion="2",AccountID="0002499037",SessionID="0x7f0eedc82278",LocalAddress="IPV4/UDP/ip/5060",RemoteAddress="IPV4/UDP/176.74.14.86/5060",Challenge="2ffb348e",ReceivedChallenge="2ffb348e",ReceivedHash="fb80d1d181d8ba969b94c72836fbc9cc"
[2013-12-26 08:33:18] NOTICE[1238] chan_sip.c: Registration from '"0002499038" <sip:0002499038@ip>' failed for '176.74.14.86:5060' - Wrong password
[2013-12-26 08:33:18] SECURITY[1165] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1388046798-520764",Severity="Error",Service="SIP",EventVersion="2",AccountID="0002499038",SessionID="0x7f0eec6bbd28",LocalAddress="IPV4/UDP/ip/5060",RemoteAddress="IPV4/UDP/176.74.14.86/5060",Challenge="4e13c1bb",ReceivedChallenge="4e13c1bb",ReceivedHash="8c248aada11d99a6cb34157a9c796f64"
[2013-12-26 08:34:44] SECURITY[1165] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1388046884-703707",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:0000001400@ip",SessionID="0x7f0eec70c008",LocalAddress="IPV4/UDP/ip/5060",RemoteAddress="IPV4/UDP/176.74.14.86/5060",Challenge="27d815f2"	

Подскажите возможные причины
В какую сторону "рыть"?

[ded]

Сообщения в логе (выше) 100% ловятся правилом
failregex = .*NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
Проверил сам, только что.

Тестируйте сами
fail2ban-regex /etc/fail2ban/filter.d/asterisk.conf ./asterisk/logger.conf

[kom-pik]

Код: Выделить всё

Running tests
=============

Use regex file : /etc/asterisk/logger.conf
No [Definition] section in /etc/asterisk/logger.conf

[ded]

Очень рассчитываю на Ваше понимание, а не на умение копипастить.
Use regex file : /etc/asterisk/logger.conf - файл /etc/asterisk/logger.conf - это <LOG>, а не <REGEX> (regex file)

Код: Выделить всё

# fail2ban-regex
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

Fail2Ban v0.8.7 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

This tools can test regular expressions for "fail2ban".

Options:
    -h, --help              display this help message
    -V, --version           print the version
    -v, --verbose           verbose output

Log:
    string                  a string representing a log line
    filename                path to a log file (/var/log/auth.log)

Regex:
    string                  a string representing a 'failregex'
    filename                path to a filter file (filter.d/sshd.conf)

IgnoreRegex:
    string                  a string representing an 'ignoreregex'
    filename                path to a filter file (filter.d/sshd.conf)

[kom-pik]

Код: Выделить всё

fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/asterisk.conf
Use log file   : /var/log/asterisk/messages

........

176.74.14.86 (Thu Dec 26 13:22:55 2013) (already matched)
    176.74.14.86 (Thu Dec 26 13:22:55 2013) (already matched)
    89.19.189.64 (Thu Dec 26 13:25:15 2013) (already matched)
    176.74.14.86 (Thu Dec 26 13:25:56 2013) (already matched)
    176.74.14.86 (Thu Dec 26 13:25:56 2013) (already matched)

Date template hits:
1411191 hit(s): Year-Month-Day Hour:Minute:Second

Success, the total number of match is 3792

However, look at the above section 'Running tests' which could contain important
information.

[ded]

Всё работает, но fail2ban или не запущен, или сконфигурен неверно.

[kom-pik]

Банил же, пару дней назад перестал и ночью сегодня ломанули

[ded]

Проковыряли дырочку через вэб интерфейс, остановили или повредили fail2ban, и готово!
Это их работа такая.

[kom-pik]

у нас на астере нет вебки

[kom-pik]

единственное есть скрипт php который парсит логи и кладет на билинг