Fail2ban Asterisk.conf file examples

Posted by armandomuniz305 on Thu, 10/04/2012

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Changes below made By Armando 04/04/2012 ASTERISK 1.8 Rules

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'from-outside'\.
            NOTICE.* .*: Call from '\".*\".*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'from-outside'\.
            NOTICE.* .*: Sending fake auth rejection for device \".*\" .* \(<HOST>(:[0-9]{1,5})?\)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

# ASTERISK 1.6 Rules
#failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
#            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
#            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
#            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
#            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
#            NOTICE.* <HOST> failed to authenticate as '.*'$
#            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
#            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
#            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
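
The `<HOST>` substitution that the filter's comments describe, as an added example that is not part of the original post: it expands the tag into the alias regex, rejects any rule that cannot capture a host, and counts failures per address. The log lines are constructed samples in Asterisk 1.8 style, and the function names are hypothetical.

```python
import re
from collections import Counter

# Alias substituted for the <HOST> tag, as given in the filter's comments.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Three of the Asterisk 1.8 rules from the filter, with the <HOST> tag written out.
RULES = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]

# Constructed sample lines (documentation addresses only), not real log data.
SAMPLE_LOG = [
    "[2012-10-04 10:15:01] NOTICE[2934] chan_sip.c: Registration from '<sip:100@198.51.100.10>' failed for '203.0.113.7:5060' - Wrong password",
    "[2012-10-04 10:15:03] NOTICE[2934] chan_sip.c: Registration from '<sip:admin@198.51.100.10>' failed for '203.0.113.7:5071' - No matching peer found",
    "[2012-10-04 10:15:09] NOTICE[2934] chan_sip.c: No registration for peer 'trunk1' (from 192.0.2.44)",
    "[2012-10-04 10:16:00] NOTICE[2934] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]

def compile_rule(rule):
    """Expand <HOST> and compile; reject rules that cannot capture a host."""
    pattern = re.compile(rule.replace("<HOST>", HOST_ALIAS))
    if "host" not in pattern.groupindex:
        raise ValueError("rule has no <HOST> tag or 'host' group: " + rule)
    return pattern

def find_host(line, patterns):
    """Return the host captured by the first matching rule, or None."""
    for pattern in patterns:
        match = pattern.search(line)
        if match:
            return match.group("host")
    return None

def count_failures(lines, rules=RULES):
    """Count matched failure lines per host, the tally a ban decision is based on."""
    patterns = [compile_rule(r) for r in rules]
    hits = (find_host(line, patterns) for line in lines)
    return Counter(h for h in hits if h)

if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_LOG).items():
        print(host, n)
```

For the installed filter itself, `fail2ban-regex <logfile> <filter file>` reports how many lines each rule matches.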


Submitted by eeman on Sat, 10/06/2012

you should not need these

NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'from-outside'\.
NOTICE.* .*: Call from '\".*\".*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'from-outside'\.
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

your sip.conf should _ALWAYS_ have allowguest=no .. why would you want unsolicited spammers calling legitimate numbers in a way that protects them from legal recourse? If allowguest=no and you are still getting this error, it's only because someone is improperly sending you the wrong extension, banning them is not going to make your life any easier since you are either paying them to receive the calls or they are paying you to send you the calls.