CSF / Asterisk

simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

CSF / Asterisk

Post by simon templar »

Hi,

I just installed CSF on an Asterisk box.
Is there any setup I could use in order to block IP addresses that failed to login on SIP / port 5060 with the help of CSF?

Thanks!
keyjey
Junior Member
Posts: 7
Joined: 31 Oct 2013, 16:41

Re: CSF / Asterisk

Post by keyjey »

Hi, did you find any answer about this? Looking for the same!
simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

Re: CSF / Asterisk

Post by simon templar »

NO.
I'm thinking about creating the script that will take care of this.
You can join the team if you know how to program.
I was almost done in C++ but I was told to switch to Python. So I am learning the language now.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

simon templar wrote:
Hi,

I just installed CSF on an Asterisk box.
Is there any setup I could use in order to block IP addresses that failed to login on SIP / port 5060 with the help of CSF?

Thanks!

Yes, you can do it with CSF.

Check in what log the error is reported and then add your own REGEX rule to regex.custom.pm.
simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

Re: CSF / Asterisk

Post by simon templar »

Hi Sergio,

I wish I had read the whole readme file, I never paid attention to that. Probably because I do not know regex. Could you give me a hand with the regex to set up?

The file is /var/log/asterisk/messages

The type of errors I am looking for are like:
[2014-03-03 15:04:39] NOTICE[4632] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:41444' - Wrong password

*If possible*, I would like to block IPs that do 3 bad attempts.
If not possible, I will block IPs at the first attempt.

Is there a way to exclude the 192.168.1.0 network?

Thank you so much for your help.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

Normally I don't do regex for something that I can't test in any of my servers.
You will need to do the tests on your own when the rule is done.

For the regex to be created I need the following info:
What is the name of the error log where you can search for this info?
Please give 5 error lines copied from the error log.
simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

Re: CSF / Asterisk

Post by simon templar »

The error shows up in /var/log/asterisk/messages

[2014-03-24 21:15:18] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:22] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:23] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:25] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:27] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password


At the minimum, I would like to block IPs (failed for xx.xx.xx.xx) after the 1st wrong password attempt.
If possible, I would like to prevent blocking IPs from network 192.168.1.0

If I can get that, it would be awesome.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

You have a PM with the rule.

Please add the rule following the readme file directions.

After you add the regex, you have to restart LFD and it will show if the rule is right or if it has an error.

Remember to create a CUSTOM3_LOG in your CSF configuration with the /var/log/asterisk/messages
simon templar
Junior Member
Posts: 19
Joined: 25 Mar 2010, 14:49

Re: CSF / Asterisk

Post by simon templar »

Thank you - I will try tomorrow during the day.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: CSF / Asterisk

Post by Sergio »

For the IPs that you don't want to be blocked, you will have to add them to the ALLOW IPs in CSF
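
A rule of the kind discussed in this thread, added here as an example; it is not the rule Sergio sent by PM and not code shipped with CSF. It assumes the `custom_line` sub and six-value return list used by regex.custom.pm (check the comment header of your own copy for the exact list in your version), CUSTOM3_LOG set to /var/log/asterisk/messages, and a trigger of 3 failures; the `%globlogs` stand-in, the in-rule 192.168.1.x skip, the rule id and the test lines are constructed so the regex can be tried offline before LFD is restarted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the hash LFD builds from csf.conf (constructed for this test).
our %globlogs = (CUSTOM3_LOG => { '/var/log/asterisk/messages' => 1 });

# Same shape as the sub in regex.custom.pm: LFD hands over each new log line
# and the file it came from.
sub custom_line {
    my ($line, $lgfile) = @_;

    # The text after "Registration from" is supplied by the remote client.
    # Keep .* greedy and anchor on the end of the line so the captured
    # address is the one Asterisk itself appended.
    if ($globlogs{CUSTOM3_LOG}{$lgfile}
        and $line =~ /^\[[^\]]+\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for '(\d+\.\d+\.\d+\.\d+)(?::\d+)?' - Wrong password\s*$/)
    {
        my $ip = $1;
        # Added guard for the LAN; the thread's advice is the CSF allow list.
        return 0 if $ip =~ /^192\.168\.1\.\d+$/;
        # text, IP, rule id (alphanumeric), trigger count, port, 1 = permanent
        return ("Failed SIP registration from", $ip, "asterisksip", "3", "5060", "1");
    }
    return 0;
}

# Constructed lines in the format quoted in the thread (documentation IPs).
my @samples = (
    # LAN client: must be ignored.
    q{[2014-03-24 21:15:18] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password},
    # Outside client: must be reported.
    q{[2014-03-24 21:16:02] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '203.0.113.7:5060' - Wrong password},
    # From text that imitates the tail of a failure line: the address reported
    # must still be the real source, 203.0.113.7.
    q{[2014-03-24 21:16:09] NOTICE[18393] chan_sip.c: Registration from '"' failed for '198.51.100.9:5060' - Wrong password"<sip:1000@192.168.1.242>' failed for '203.0.113.7:5060' - Wrong password},
);

for my $sample (@samples) {
    my @hit = custom_line($sample, '/var/log/asterisk/messages');
    print(@hit > 1 ? "block candidate $hit[1] after $hit[3] failures\n" : "ignored\n");
}
```

Once the test lines behave as expected, only the `if` block goes inside the existing `custom_line` sub in regex.custom.pm, followed by the LFD restart described above.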