csf asterisk regex's

dicko #1
For those of us that use it (thanks Ramon for posting it here):

# quote the argument: an unquoted '>' is taken as a shell redirect, so the
# unquoted form writes "notice =" to logger.conf and creates a stray file "notice"
echo "notice => notice" >> /etc/asterisk/logger.conf
rasterisk -x "logger reload"

and add these rules to /etc/csf/regex.custom.conf
Code:
        # Return fields: message, offending address, rule id, trigger level, ports,
        # block duration (see the header of regex.custom.conf for the last field).
        # The octet group inside the address is non-capturing, (?:\.\d+){3}, so $2
        # is the failure reason wherever the address is captured first; with a
        # capturing inner group $2 would be the last octet (".5"), not the reason.
        # Newer chan_sip versions append ':port' inside the quotes, hence the
        # optional (?::\d+)? after the address in the "failed for" rules.
        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})(?::\d+)?' - (No matching peer found).*/)) {
                return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})(?::\d+)?' - (Username\/auth name mismatch).*/)) {
                return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        # chan_sip logs "Wrong password"; the misspelling "passord" would never match
        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})(?::\d+)?' - (Wrong password).*/)) {
                return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*failed for '(\d+(?:\.\d+){3})(?::\d+)?' - (Device does not match ACL).*/)) {
                return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:\.\d+){3}) (failed to authenticate).*/)) {
                return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }

        # In the next two rules the reason is captured before the address: $1 reason, $2 address
        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(No registration for peer).*from (\d+(?:\.\d+){3}).*/)) {
                return ("Failed Asterisk login $1 from",$2,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*(Failed to authenticate user).*@(\d+(?:\.\d+){3}).*/)) {
                return ("Failed Asterisk login $1 from",$2,"myasteriskmatch","3","5060","0");
        }

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[.*Host (\d+(?:\.\d+){3}) (failed MD5 authentication).*/)) {
                return ("Failed Asterisk login $2 from",$1,"myasteriskmatch","3","5060","0");
        }


change /etc/csf/csf.conf a la:-

CUSTOM1_LOG = "/var/log/asterisk/notice"


and just for completeness something like (logrotate snippets live in /etc/logrotate.d, and without the postrotate reload Asterisk keeps writing to the rotated file):-


echo "/var/log/asterisk/notice {
missingok
rotate 15
daily
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2>&1 || true
endscript
}
" >> /etc/logrotate.d/asterisk-notice




csf -r
lfd -r


I would appreciate any feedback on this recipe as a replacement for fail2ban.

dicko
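To check the rules before they go live, here is an added example (not code from the post above and not part of CSF): it replays the same patterns, as Python regexes with the octet group made non-capturing, over a handful of constructed Asterisk NOTICE lines, and imitates the "3" trigger level by reporting any address with three or more matches as one lfd would block. The log lines, process ids and addresses are constructed for the example; the TRIGGER constant and the posted_group2 helper are assumptions introduced to make the threshold and the capture-group numbering visible.

```python
"""Replay the posted lfd rules over constructed Asterisk NOTICE lines.

Added example, not code from the forum post or from CSF.  The patterns mirror
the Perl rules (octet group non-capturing so the reason is always group "why")
and the "3" trigger level is imitated: an address with three or more matches
is reported as one lfd would block.  Every log line here is constructed."""
import re
from collections import Counter

# An IPv4 address; newer chan_sip appends ':port' inside the quotes, so the
# "failed for" rules tolerate an optional port suffix.
IP = r"(?P<ip>\d+(?:\.\d+){3})"
PORT = r"(?::\d+)?"

RULES = [
    re.compile(r"^\[.*failed for '" + IP + PORT + r"' - (?P<why>No matching peer found)"),
    re.compile(r"^\[.*failed for '" + IP + PORT + r"' - (?P<why>Username/auth name mismatch)"),
    re.compile(r"^\[.*failed for '" + IP + PORT + r"' - (?P<why>Wrong password)"),
    re.compile(r"^\[.*failed for '" + IP + PORT + r"' - (?P<why>Device does not match ACL)"),
    re.compile(r"^\[.*Host " + IP + r" (?P<why>failed to authenticate)"),
    re.compile(r"^\[.*(?P<why>No registration for peer).*from " + IP),
    re.compile(r"^\[.*(?P<why>Failed to authenticate user).*@" + IP),
    re.compile(r"^\[.*Host " + IP + r" (?P<why>failed MD5 authentication)"),
]
TRIGGER = 3  # assumption: mirrors the "3" field in the posted return() lines


def match_line(line):
    """Return (ip, reason) for a failed-login line, or None if no rule fires."""
    for rx in RULES:
        m = rx.search(line)
        if m:
            return m.group("ip"), m.group("why")
    return None


def scan(lines):
    """Run every line through the rules.

    Returns (hits, blocked): hits is the list of (ip, reason) tuples in log
    order, blocked the set of addresses that reached TRIGGER matches."""
    hits, per_ip = [], Counter()
    for line in lines:
        hit = match_line(line)
        if hit:
            hits.append(hit)
            per_ip[hit[0]] += 1
    return hits, {ip for ip, n in per_ip.items() if n >= TRIGGER}


# Why the octet group must be non-capturing: with the nesting as originally
# posted, group 2 is the last repeated octet (".5"), not the reason text.
POSTED_NESTING = re.compile(r"^\[.*failed for '(\d+(\.\d+){3})' - (Wrong password)")


def posted_group2(line):
    """Group 2 of the originally nested pattern (hypothetical helper for illustration)."""
    m = POSTED_NESTING.search(line)
    return m.group(2) if m else None


# Constructed sample of a notice-only log: two scanners that trip the
# threshold, one that does not, and a benign line that must not match.
SAMPLE = [
    "[Jan 10 12:00:01] NOTICE[2211] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password",
    "[Jan 10 12:00:02] NOTICE[2211] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.5>' failed for '203.0.113.5:5060' - No matching peer found",
    "[Jan 10 12:00:02] NOTICE[2211] chan_sip.c: Registration from '\"102\" <sip:102@203.0.113.5>' failed for '203.0.113.5' - Username/auth name mismatch",
    "[Jan 10 12:00:03] NOTICE[2215] chan_iax2.c: Host 198.51.100.9 failed MD5 authentication for 'asterisk'",
    "[Jan 10 12:00:04] NOTICE[2215] chan_iax2.c: No registration for peer 'foo' (from 198.51.100.9)",
    "[Jan 10 12:00:05] NOTICE[2216] chan_sip.c: Failed to authenticate user 100@198.51.100.9",
    "[Jan 10 12:00:06] NOTICE[2216] chan_sip.c: Registration from '\"200\" <sip:200@192.0.2.7>' failed for '192.0.2.7' - Device does not match ACL",
    "[Jan 10 12:00:07] VERBOSE[2210] -- Registered SIP '200' at 192.0.2.7 port 5060",
]

if __name__ == "__main__":
    hits, blocked = scan(SAMPLE)
    for ip, why in hits:
        print(f"Failed Asterisk login {why} from {ip}")
    print("would block:", sorted(blocked))
```

Run it as-is to see the seven hits and the two addresses that cross the threshold; to vet a real rule set, replace SAMPLE with lines read from the notice file and confirm that every failed registration produces a hit and the benign lines produce none.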
 

ramoncio #2
Hi Dick!

I see you liked csf. :)

This is niiiiice work!


Thank you, +1 to your karma!!
 

Lee Sharp #3
How is this intended to behave differently than fail2ban? My reading of regex is rusty... :)
 

dicko #4
It isn't, it's intended to do much the same thing, as I said at the bottom:-
.
.
I would appreciate any feedback on this recipe as a replacement for fail2ban.
.
.

It is just a transliteration of the fail2ban php regexes into perl and, for efficiency, creating a pared-down log file (notice) so as not to drag down the system as it parses the usually very verbose "full" log. (Coincidentally, you can use that sparser log file 'notice' to increase the efficiency and responsiveness of fail2ban on a busy system too; just watch the load of fail2ban while it watches full with rtp debug on. All attempted failures to register will be of the [NOTICE] variety; other log entries are spurious.) So basically you catch the knuckle-draggers after a very few attempts rather than hundreds; my study of those scripts led me to believe that this lower latency will discourage further attention from them and their associated bots significantly.

I used to use

csfpre.sh
#!/bin/sh
/etc/init.d/fail2ban stop

and
csfpost.sh
#!/bin/sh
/etc/init.d/fail2ban start

but I believe that csf shows less latency than fail2ban, simply because perl is meaner and leaner than php, although it does basically the same logfile parsing. 'notice' will probably be only 1 or 2 percent of 'full'; it's just math to work out why one should use the leaner log file.

Don't forget I'm a greenie and a minimalist ;) I don't run two processes when one will suffice.

However, I would be very interested to have the community identify and submit other noticed attacks that my filters miss (or any captured attacks that my regexes miss; we can then add/correct them).

dicko
 
