Score:1

Fail2Ban - Match Asterisk PJSIP Successful Authentication

I'm trying to create a fail2ban filter that will match successful authentications. An example log entry looks like this:

[2023-05-25 18:41:00] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact user/sip:[email protected]:47682;transport=ws;x-ast-orig-host=b0cnalpndgjm.invalid:0 is now Reachable.  RTT: 27.843 msec

I am not well-versed in creating fail2ban filters, but here's my attempt (I started by copying the asterisk.conf in filter.d to asterisk-whitelist.conf to use as a template, then changed failregex in an attempt to match lines like the above):

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Contact [A-Za-z0-9]+/sip:[A-Za-z0-9]+@<HOST>:[0-9]+;transport=[A-Za-z]+;[A-Za-z]+=[A-Za-z0-9\.]+:0 is now Reachable\.  RTT: [0-9]*\.[0-9]+ msec$
ignoreregex =

The above isn't working. I'm not particularly sure how to go about troubleshooting this, or what change needs to be made to match. The result of `fail2ban-regex /var/log/asterisk/full asterisk-whitelist.conf` shows 0 matches.

Updated to add the final resolution with help from the accepted answer. Here's the config that ultimately worked for me:

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING|VERBOSE)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^.*Contact .*\/sip[s]?:.*@<HOST>.* is now Reachable.*

ignoreregex =
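As an added illustration (not code from the question or from fail2ban itself), this Python script approximates the order in which fail2ban evaluates a filter: the timestamp is removed, prefregex must match the log prefix and isolates the F-CONTENT part, and only then is failregex tried on that content, which is why the stock log_prefix without VERBOSE yields zero matches even when failregex is fine. Assumptions: common.conf's __prefix_line is reduced to optional whitespace, <HOST> is expanded to fail2ban's usual host pattern, and the log lines are constructed samples modelled on the one in the question.

```python
import re

# Stand-in for fail2ban's evaluation order (assumption: date stripped, then
# prefregex selects <F-CONTENT>, then failregex runs on that content).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # fail2ban's <HOST> expansion
PID_RE = r"(?:\s*\[\d+\])"                        # __pid_re from the filter
DATE_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]\s*")

ORIGINAL_LEVELS = ("NOTICE", "SECURITY", "WARNING")   # stock asterisk.conf
FIXED_LEVELS = ORIGINAL_LEVELS + ("VERBOSE",)          # what had to be added

# The final failregex from the question, with <HOST> expanded.
FAILREGEX = re.compile(r"^.*Contact .*\/sip[s]?:.*@" + HOST + r".* is now Reachable.*")


def build_prefregex(levels):
    """Build the filter's prefregex for a given tuple of log levels."""
    log_prefix = (r"(?:" + "|".join(levels) + r")" + PID_RE
                  + r":?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?")
    # <F-CONTENT>.+</F-CONTENT> is represented by a named group here.
    return re.compile(r"^\s*" + log_prefix + r" (?P<content>.+)$")


def match_host(line, levels):
    """Return the host a line yields, or None if prefregex or failregex rejects it."""
    rest = DATE_RE.sub("", line, count=1)
    pre = build_prefregex(levels).match(rest)
    if not pre:
        return None          # prefregex failed: failregex is never even tried
    fail = FAILREGEX.match(pre.group("content"))
    return fail.group("host") if fail else None


def reachable_hosts(lines, levels):
    """Hosts that became Reachable, in log order."""
    return [h for h in (match_host(l, levels) for l in lines) if h]


# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LINES = [
    "[2023-05-25 18:41:00] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact user/sip:alice@203.0.113.7:47682;transport=ws;x-ast-orig-host=b0cnalpndgjm.invalid:0 is now Reachable.  RTT: 27.843 msec",
    "[2023-05-25 18:42:10] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact bob/sips:bob@198.51.100.23:5061;transport=tls;x-ast-orig-host=phone.invalid:0 is now Reachable.  RTT: 12.001 msec",
    "[2023-05-25 18:43:00] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact user/sip:alice@203.0.113.7:47682;transport=ws;x-ast-orig-host=b0cnalpndgjm.invalid:0 is now Unreachable.  RTT: 0.000 msec",
]

if __name__ == "__main__":
    print("stock levels:", reachable_hosts(SAMPLE_LINES, ORIGINAL_LEVELS))  # []
    print("with VERBOSE:", reachable_hosts(SAMPLE_LINES, FIXED_LEVELS))
```

The first run returns nothing because prefregex never matches a VERBOSE prefix; the second extracts both hosts, including the sips: contact, and ignores the Unreachable line.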
Score:1

Your regex is too complex and wrong; try this one: `failregex = ^.*Contact .*\/sip:[^@]+@<HOST>.* is now Reachable.*`

You can test it with `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk-whitelist.conf`

Edit: let's try something else. Let's replace the content of asterisk-whitelist.conf with this conf; it should match the log you provided.

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] %(__pid_re)s res_pjsip/pjsip_options\.c: Contact user/sip:[^@]+@<HOST>:\d+;transport=[\w-]+;x-ast-orig-host=[\w.-]+:0 is now Reachable\.  RTT: \d+\.\d+ msec$

ignoreregex =

Nick Coons:
"Too complex and wrong" is an accurate description of my attempt. :-) However, I tested with what you provided and it doesn't match either. The log file I'm testing against has nearly 400k lines and a quick grep for "is now Reachable" shows that there are 379 lines that should match. Thoughts?

Saxtheowl:
I have modified my answer; it should work :)

Nick Coons:
Thanks for the update. However, still no matches.

Nick Coons:
I got this working with two minor changes. First, I used your initial simpler regex, but I had to add VERBOSE to the log_prefix definition (I should have been paying more attention to that, as your first suggestion worked after I noticed that). Second, sometimes the URL has "sips" instead of "sip", so I made a minor change. The final changed entries are `log_prefix= (?:NOTICE|SECURITY|WARNING|VERBOSE)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?` and `failregex = ^.*Contact .*\/sip[s]?:.*@<HOST>.* is now Reachable.*`.