csf asterisk regex's

Discussion in 'General' started by dicko, Dec 2, 2010.

  1. dicko

    for those of us that use it (thanks Ramon for posting it here)

    echo "notice => notice" >> /etc/asterisk/logger.conf
    rasterisk -x "logger reload"

    and add these rules to /etc/csf/regex.custom.conf
    Code:
        # The octet repeat (?:\.\d+){3} is non-capturing, so $1 and $2 are the
        # IP and the reason in the order the groups appear in each pattern.
        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})' - (No matching peer found).*/)) {
            return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})' - (Username\/auth name mismatch).*/)) {
            return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})' - (Wrong password).*/)) {
            return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})' - (Device does not match ACL).*/)) {
            return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:\.\d+){3}) (failed to authenticate).*/)) {
            return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(No registration for peer).*from (\d+(?:\.\d+){3}).*/)) {
            return ("Failed Asterisk login $1 from",$2,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(Failed to authenticate user).*@(\d+(?:\.\d+){3}).*/)) {
            return ("Failed Asterisk login $1 from",$2,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:\.\d+){3}) (failed MD5 authentication).*/)) {
            return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }
    


    change /etc/csf/csf.conf a la:-

    CUSTOM1_LOG = "/var/log/asterisk/notice"


    and just for completeness something like:-


    echo "/var/log/asterisk/notice {
    missingok
    rotate 15
    daily
    create 0640 asterisk asterisk
    }
    " >> /etc/logrotate.d/asterisk-notice




    csf -r
    lfd -r


    I would appreciate any feedback on this recipe as a replacement for fail2ban.

    dicko
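A stand-alone harness for exercising the rules above against sample log lines, added here as an example (it is not csf code and not part of dicko's post). The patterns are Python equivalents of the Perl rules, with the octet repeat made non-capturing so the reason and address land in fixed groups; the NOTICE lines are constructed, with an assumed timestamp prefix, and the trigger count of 3 is the fourth field of the rules, which is what turns a few failed attempts into a block.

```python
import re

# Constructed sample lines (not from a real system), shaped like Asterisk
# chan_sip / chan_iax2 NOTICE messages; the "[Dec  2 ...]" prefix is assumed.
SAMPLE_LOG = """\
[Dec  2 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '203.0.113.7' - No matching peer found
[Dec  2 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '203.0.113.7' - Wrong password
[Dec  2 10:00:03] NOTICE[1234] chan_sip.c: Host 198.51.100.9 failed MD5 authentication for 'asterisk' (abc != def)
[Dec  2 10:00:04] NOTICE[1234] chan_iax2.c: No registration for peer 'bob' (from 192.0.2.44)
[Dec  2 10:00:05] NOTICE[1234] chan_sip.c: Failed to authenticate user 100@192.0.2.45;tag=xyz
[Dec  2 10:00:06] VERBOSE[1234] -- Registered SIP '200' at 10.0.0.6:5060
[Dec  2 10:00:07] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@10.0.0.5>' failed for '203.0.113.7' - Username/auth name mismatch
"""

IP = r"(\d+(?:\.\d+){3})"  # dotted quad; the octet repeat is non-capturing

# (compiled pattern, group holding the reason, group holding the source IP)
RULES = [
    (re.compile(r"^\[.*failed for '" + IP + r"' - (No matching peer found)"), 2, 1),
    (re.compile(r"^\[.*failed for '" + IP + r"' - (Username/auth name mismatch)"), 2, 1),
    (re.compile(r"^\[.*failed for '" + IP + r"' - (Wrong password)"), 2, 1),
    (re.compile(r"^\[.*failed for '" + IP + r"' - (Device does not match ACL)"), 2, 1),
    (re.compile(r"^\[.*Host " + IP + r" (failed to authenticate)"), 2, 1),
    (re.compile(r"^\[.*(No registration for peer).*from " + IP), 1, 2),
    (re.compile(r"^\[.*(Failed to authenticate user).*@" + IP), 1, 2),
    (re.compile(r"^\[.*Host " + IP + r" (failed MD5 authentication)"), 2, 1),
]

def match_line(line):
    """Return (reason, source_ip) from the first rule that matches, else None."""
    for pattern, reason_group, ip_group in RULES:
        m = pattern.match(line)
        if m:
            return m.group(reason_group), m.group(ip_group)
    return None

def count_failures(log_text, trigger=3):
    """Tally matched failures per source IP and list the IPs that reach the
    trigger count (3 in the rules above, so a host is blocked after 3 hits)."""
    counts = {}
    for line in log_text.splitlines():
        hit = match_line(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts, sorted(ip for ip, n in counts.items() if n >= trigger)
```

Feeding a few captured lines from your own 'notice' log through match_line is a quick way to see which failure messages the eight patterns do not yet cover.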
     
  2. ramoncio

    Hi Dick!

    I see you liked csf. :)

    This is niiiiice work!


    Thank you, +1 to your karma!!
     
  3. Lee Sharp

    How is this intended to behave differently than fail2ban? My reading of regex is rusty... :)
     
  4. dicko

    It isn't, it's intended to do much the same thing, as I said at the bottom:-
    .
    .
    I would appreciate any feedback on this recipe as a replacement for fail2ban.
    .
    .

    It is just a transliteration of the fail2ban php regex'es into perl and, for efficiency, creates a pared-down log file (notice) so as not to drag down the system as it parses the usually very verbose "full" log. (Coincidentally, you can use that sparser 'notice' log file to increase the efficiency and responsiveness of fail2ban on a busy system as well; just watch the load of fail2ban while watching full with rtp debug on. All attempted failures to register will be of the [NOTICE] variety; other log entries are spurious.) So basically you catch the knuckle-draggers after a very few attempts rather than hundreds; my study of those scripts led me to believe that this lower latency will discourage further attention from them and their associated bots significantly.

    I used to use

    csfpre.sh
    #!/bin/sh
    /etc/init.d/fail2ban stop

    and
    csfpost.sh
    #!/bin/sh
    /etc/init.d/fail2ban start

    but I believe that csf shows less latency than fail2ban simply because perl is meaner and leaner than php, although it does basically the same logfile parsing. 'notice' will probably be only 1 or 2 percent of 'full'; that's just math to work out why one should use the leaner log file.

    Don't forget I'm a greenie and a minimalist ;) I don't run two processes when one will suffice.

    However, I would be very interested to have the community identify and submit other noticed attacks that my filters miss (or any captured attacks that my regex'es miss); we can then add/correct them.

    dicko
     
