Asterisk 11: Detect device auth failures #305

Merged, 2 commits

5 participants

@Jamyn

Sebastian Arcus to fail2ban-users:

Just some more log variations I noticed today slipping through the cracks unnoticed by current asterisk.conf filter from git. Asterisk version is 11.4.0. Here are the lines from the log:

[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101<sip:101@92.28.85.72>;tag=65d997a4

Running tests

Use regex line : Failed to authenticate (user|device) [^@]+@\S*$
Use single line: [2013-07-25 07:26:43] NOTICE[26015][C-000006b2] ch...

Results

Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] Failed to authenticate (user|device) [^@]+@\S*$
`-

Ignoreregex: 0 total

Summary

Addresses found:
[1]
92.28.85.72 (Thu Jul 25 07:26:43 2013)

Date template hits:
2 hit(s): Year-Month-Day Hour:Minute:Second

Success, the total number of match is 1
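The fail2ban-regex run above checks one line against one pattern. As an added example, not code from this PR or from fail2ban itself, the Python below reproduces what the filter engine does with the failregex lines touched here: it substitutes fail2ban's `<HOST>` pattern, runs each log line through the list in order, and returns the extracted host, then tallies hits per host the way maxretry sees them. It covers the Asterisk `(user|device)` line from this thread and the dropbear lines from the attached diff. The `ASTERISK_PREFIX` and `DROPBEAR_PREFIX` stand-ins for `%(log_prefix)s` and `%(__prefix_line)s`, the `HOST` pattern (taken from the 0.8.x engine, verify against your version) and every log line are assumptions constructed for the example, modelled on the lines visible on this page; the non-failure lines are there to show that nothing is extracted for them.

```python
import re

# fail2ban's <HOST> expansion as used by the 0.8.x engine (assumption: check
# server/failregex.py in the version you actually run).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-ins for %(log_prefix)s (asterisk.conf) and
# %(__prefix_line)s (dropbear.conf). Both are assumptions for this example,
# not the filters' own values.
ASTERISK_PREFIX = r"^\[[^\]]+\]\s+NOTICE\[\d+\](?:\[C-[\da-f]+\])? chan_sip\.c:"
DROPBEAR_PREFIX = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ dropbear\[\d+\]:\s*"

# The patterns under review, written as they follow the prefix in the diff.
ASTERISK_FAILREGEX = [
    ASTERISK_PREFIX + r" Failed to authenticate (user|device) [^@]+@<HOST>\S*$",
    ASTERISK_PREFIX + r" Host <HOST> failed to authenticate as '[^']*'$",
]
DROPBEAR_FAILREGEX = [
    DROPBEAR_PREFIX + r"(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$",
    DROPBEAR_PREFIX + r"(B|b)ad password attempt for .+ from <HOST>:.*\s*$",
    DROPBEAR_PREFIX + r"Exit before auth \(user .+, \d+ fails\): Max auth tries reached - user .+ from <HOST>:.*\s*$",
]

# Constructed sample lines (not captured from a real system). The last line of
# each list is a non-failure message and must produce no hit.
ASTERISK_LINES = [
    "[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101<sip:101@1.2.3.4>;tag=deadbeef",
    "[2013-07-25 07:27:01] NOTICE[26015][C-000006b3] chan_sip.c: Failed to authenticate user 101<sip:101@5.6.7.8>;tag=cafe",
    "[2013-07-25 07:27:05] NOTICE[26015][C-000006b4] chan_sip.c: Host 9.9.9.9 failed to authenticate as '101'",
    "[2013-07-25 07:27:09] NOTICE[26015][C-000006b5] chan_sip.c: Peer '101' is now Reachable. (12ms / 2000ms)",
]
DROPBEAR_LINES = [
    "Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' from 1.2.3.4:60588",
    "Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588",
    "Jul 27 01:18:59 fail2ban-test dropbear[1477]: login attempt for nonexistent user 'admin' from 5.6.7.8:60794",
    "Jul 27 01:19:30 fail2ban-test dropbear[1480]: Password auth succeeded for 'alice' from 10.0.0.5:51000",
]


def find_failures(lines, failregex):
    """Return [(host, index_of_matching_failregex), ...] for every line that
    matches one of the patterns; the first matching pattern wins."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in failregex]
    hits = []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), idx))
                break
    return hits


def count_by_host(hits):
    """Tally hits per host: the number fail2ban compares against maxretry."""
    counts = {}
    for host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for name, lines, patterns in (("asterisk", ASTERISK_LINES, ASTERISK_FAILREGEX),
                                  ("dropbear", DROPBEAR_LINES, DROPBEAR_FAILREGEX)):
        hits = find_failures(lines, patterns)
        print(name, hits, count_by_host(hits))
```

Two things the output makes visible that the single-line fail2ban-regex run does not: for the Asterisk `device` line the host is pulled from inside the `sip:` URI of the logged string, not from a separate source-address field, and for dropbear the `Bad password attempt` and `Exit before auth` lines of one connection both count against the same address.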

@coveralls

Coverage Status

Coverage remained the same when pulling 156ee8a0e9db0f9fc433d040491501edad5d8d53 on Jamyn:master into 2d52fc3 on fail2ban:master.

@grooverdan
Collaborator

Thanks @Jamyn . Looks good.

Can you please commit a sample log entry to testcases/files/logs/asterisk along with the "# failJSON: { .." line above it.

@Jamyn

Updated commit Jamyn@8936f2c

Thanks!

@coveralls

Coverage Status

Coverage remained the same when pulling 8936f2c on Jamyn:master into 1721991 on fail2ban:master.

@Jamyn added commit a355fab:

fail2ban#306
Fix regex for latest dropbear (keep backwards compatibility). Add test case logfiles.

Signed-off-by: Jamyn Shanley <jshanley@gmail.com>
@coveralls

Coverage Status

Coverage remained the same when pulling a355fab on Jamyn:master into 1721991 on fail2ban:master.

@kwirk
Collaborator

Looks good @Jamyn.
Noticed your dropbear changes from #307 have got muddled in. We'll probably just merge both from here once #307 is complete as well…

@yarikoptic was assigned
@yarikoptic merged commit a355fab into fail2ban:master

1 check passed: the Travis CI build passed (default)
Commits on Jul 27, 2013

  1. @Jamyn: fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
  2. @Jamyn: fail2ban#306 Fix regex for latest dropbear (keep backwards compatibility). Add test case logfiles.
     Signed-off-by: Jamyn Shanley <jshanley@gmail.com>
2  config/filter.d/asterisk.conf
@@ -30,7 +30,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?'
^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
- ^%(log_prefix)s Failed to authenticate user [^@]+@<HOST>\S*$
+ ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
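Review bot: in the new `Failed to authenticate (user|device) [^@]+@<HOST>\S*$` line the host is read from inside the `sip:` URI of the logged `101<sip:101@1.2.3.4>;tag=...` string, not from a separate source-address field as in `Host <HOST> failed to authenticate as` or `Registration from '...' failed for '<HOST>'`; if chan_sip is echoing the peer's own From URI there, the banned address is peer-supplied and could be pointed at a third party or at nothing useful. Worth confirming against chan_sip before relying on this line alone, and worth a one-line comment in the filter; on Asterisk 11 the `SecurityEvent=...RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"` line just below takes the transport address instead, which is the safer source when the security log is enabled.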
5 config/filter.d/dropbear.conf
@@ -27,8 +27,9 @@ _daemon = dropbear
# These match the unmodified dropbear messages. It isn't possible to
# match the source of the 'exit before auth' messages from dropbear.
#
-failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
- ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$
+failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
+ ^%(__prefix_line)s(B|b)ad password attempt for .+ from <HOST>:.*\s*$
+ ^%(__prefix_line)sExit before auth \(user .+, \d+ fails\): Max auth tries reached - user .+ from <HOST>:.*\s*$
# The only line we need to match with the modified dropbear.
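Review bot: the comment at the top of this hunk still says "It isn't possible to match the source of the 'exit before auth' messages from dropbear", but the new third failregex matches exactly such a message (`Exit before auth (user ..., N fails): Max auth tries reached - user ... from <HOST>:`), so the comment should be updated or narrowed to the older exit-before-auth format that carries no address. Also note that one connection which exhausts its tries now produces a `Bad password attempt` hit for each try plus an `Exit before auth` hit for the same address, so the final failed login counts twice toward maxretry; either keep only one of the two lines or document the effect. Style: `(L|l)ogin` and `(B|b)ad` read more naturally as `[Ll]ogin` and `[Bb]ad`.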
2  testcases/files/logs/asterisk
@@ -1,4 +1,6 @@
# Sample log files for asterisk
+# failJSON: { "time": "2013-07-25T07:26:43", "match": true , "host": "1.2.3.4" }
+[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101<sip:101@1.2.3.4>;tag=deadbeef
# failJSON: { "time": "2012-02-13T17:21:54", "match": true , "host": "1.2.3.4" }
[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
# failJSON: { "time": "2012-02-13T17:18:22", "match": true , "host": "1.2.3.4" }
6 testcases/files/logs/dropbear
@@ -0,0 +1,6 @@
+# failJSON: { "time": "2005-07-27T01:04:12", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:04:22", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
+Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794
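Review bot: these samples only exercise the capitalized `Bad password attempt` and `Login attempt for nonexistent user` spellings, while the filter change deliberately keeps `(B|b)ad` and `(L|l)ogin` for older dropbear output; add one lowercase sample for each, and one `Login attempt for nonexistent user 'name' from` line with the quoted user present, so the backward-compatibility branches and the optional `('.*' )?` group stay covered by the test suite rather than only by inspection.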