I have an Asterisk server that is under attack. There is a fail2ban jail for the Asterisk log, but its configuration does not cover this case:
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 1048704493) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 522785130) - No matching endpoint found after 35 tries in 0.182 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 522785130) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 1616436563) - No matching endpoint found after 36 tries in 0.187 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 1616436563) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 2926631629) - No matching endpoint found after 37 tries in 0.199 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 2926631629) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:212@54.36.115.125>' failed for '185.210.157.40:5677' (callid: 2397138656) - No matching endpoint found after 38 tries in 0.200 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:212@54.36.115.125>' failed for '185.210.157.40:5677' (callid: 2397138656) - Failed to authenticate
/etc/fail2ban/asterisk-security.conf:
[INCLUDES]

[Definition]
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
ignoreregex =
My understanding of regular expressions is poor. If someone could help me define a failregex that detects this attack, I would be very grateful!
1 answer
In the end I found that fail2ban ships an Asterisk filter that does everything I need (/etc/fail2ban/filter.d/asterisk.conf), so I just have to use that one.
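The jail quoted in the question only matches Asterisk security-log events (`SecurityEvent="..."` with a `RemoteAddress` field), which is why it never fires on the `res_pjsip/pjsip_distributor.c` NOTICE lines. The script below is an added example, not code from the question, the answer or the fail2ban project: it shows what a failregex for those NOTICE lines has to capture, runs it over the log lines from the question plus a constructed non-matching line, and emulates fail2ban's per-host `maxretry`/`findtime` counting so you can see which source address would be banned. The `HOST_RE` stand-in for fail2ban's `<HOST>` placeholder and the `VERBOSE` noise line are assumptions made for this example; in a real filter file the leading timestamp is consumed by fail2ban's `datepattern`, whereas here it is matched explicitly so the script works on raw lines.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption: the real
# placeholder also handles hostnames and bracketed IPv6; this one covers dotted
# IPv4 and bare IPv6 literals, which is enough for the lines in the question).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})"

# Candidate failregex for pjsip_distributor.c notices. Both failure reasons seen
# in the question are accepted: a wrong password and a REGISTER for an extension
# that does not exist (the enumeration attempts). The source address is taken
# from the "failed for '<ip>:<port>'" part, not from the attacker-controlled
# From header, which is the field a ban must key on.
FAILREGEX = (
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] res_pjsip/pjsip_distributor\.c: "
    r"Request '\w+' from '[^']*' failed for '" + HOST_RE + r":\d+' "
    r"\(callid: [^)]*\) - (?:Failed to authenticate|No matching endpoint found\b.*)$"
)
FAIL_PATTERN = re.compile(FAILREGEX)

# Log lines copied from the question, followed by one constructed VERBOSE line
# that a failregex must NOT match (it is not an authentication failure).
SAMPLE_LOG = [
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"213\" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 1048704493) - Failed to authenticate",
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"322\" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 522785130) - No matching endpoint found after 35 tries in 0.182 ms",
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"322\" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 522785130) - Failed to authenticate",
    "[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"322\" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 1616436563) - No matching endpoint found after 36 tries in 0.187 ms",
    "[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"322\" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 1616436563) - Failed to authenticate",
    "[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"213\" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 2926631629) - No matching endpoint found after 37 tries in 0.199 ms",
    "[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"213\" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 2926631629) - Failed to authenticate",
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"212\" <sip:212@54.36.115.125>' failed for '185.210.157.40:5677' (callid: 2397138656) - No matching endpoint found after 38 tries in 0.200 ms",
    "[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '\"212\" <sip:212@54.36.115.125>' failed for '185.210.157.40:5677' (callid: 2397138656) - Failed to authenticate",
    # constructed, not from the question: a successful registration should be ignored
    "[2023-07-27 11:26:02] VERBOSE[152571] res_pjsip_registrar.c: Added contact 'sip:100@10.0.0.5:5060' to AOR '100' with expiration of 3600 seconds",
]


def parse_failure(line):
    """Return (timestamp, source host) for a matching failure line, else None."""
    m = FAIL_PATTERN.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host")


def count_failures(lines):
    """Number of matching failure lines per source host (what fail2ban tallies)."""
    counts = Counter(host for ts, host in filter(None, map(parse_failure, lines)))
    return dict(counts)


def hosts_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Emulate fail2ban's rule: ban a host once it has >= maxretry failures
    inside any sliding window of length findtime."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, host = parsed
            events[host].append(ts)
    banned = set()
    for host, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("failures per host:", count_failures(SAMPLE_LOG))
    print("hosts to ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

The shipped `filter.d/asterisk.conf` mentioned in the answer already contains patterns for these pjsip messages, so in practice you point the jail at that filter rather than maintaining your own; the value of running a script like this is to confirm, against your own log sample, that the pattern keys on the transport source address and that the `maxretry`/`findtime` pair you picked actually trips on the attack volume you are seeing.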