regex 星号19的fail2ban正则表达式

disho6za  于 2023-08-08  发布在  其他
关注(0)|答案(1)|浏览(92)

我有一个被攻击的星号服务器。星号日志有一个fail 2ban jail,但配置不支持这种情况:

[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 1048704493) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 522785130) - No matching endpoint found after 35 tries in 0.182 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 522785130) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 1616436563) - No matching endpoint found after 36 tries in 0.187 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"322" <sip:322@54.36.115.125>' failed for '185.210.157.40:5803' (callid: 1616436563) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 2926631629) - No matching endpoint found after 37 tries in 0.199 ms
[2023-07-27 11:25:57] NOTICE[152570] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"213" <sip:213@54.36.115.125>' failed for '185.210.157.40:5977' (callid: 2926631629) - Failed to authenticate
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:212@54.36.115.125>' failed for '185.210.157.40:5677' (callid: 2397138656) - No matching endpoint found after 38 tries in 0.200 ms
[2023-07-27 11:25:57] NOTICE[152571] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"212" <sip:212@54.36.115.125>' failed for '185.210.157.40:5677' (callid: 2397138656) - Failed to authenticate

字符串
/etc/fail2ban/asterisk-security.conf:

[INCLUDES]

[Definition]

failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="[^"]*/[^"]*/(<HOST>)/[^"]*".*

ignoreregex =


我对正则表达式的理解很差,如果有人能帮助我定义failregex来检测这种攻击,我将非常感谢!

p4rjhz4m

p4rjhz4m1#

最后发现fail 2ban是交付一个星号过滤器,做所有我需要的。(/etc/fail 2ban/filter.d/asterisk.conf)所以我只需要使用这个。

相关问题