
Re: CSF / Asterisk

Posted: 04 Jan 2017, 21:20
by maisx
Good morning everyone. I'm testing the script on FreePBX 13, which uses PJSIP.
I wanted to understand where my error is.

NOTICE[11123] res_pjsip/pjsip_distributor.c: Request 'SUBSCRIBE' from '<sip:100@vps3xxxxx.ovh.net>' failed for '123.456.123.123:34527' (callid: NTk4YjczNWVlNmVkNzJjNDkyYzFlYTM1MDhiZDVjZmE.) - Failed to authenticate

My script
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] res_pjsip/pjsip_distributor.c: Request 'SUBSCRIBE' from '(\S+\s?\S+)' f$
return ("Bad Logon: $1",$2,"SecmasASTERIX","1","1");
}

TKS Maisx

Re: CSF / Asterisk

Posted: 05 May 2021, 11:17
by EntrepreneurAJ
Sorry to necrobump this thread, but I've used Sergio's custom regex script and tried updating it for the fact that chan_sip in Asterisk is now deprecated and replaced by chan_pjsip, but my regex modifications don't seem to be firing.

OS is Ubuntu 20.04
Asterisk is 18.4

LFD logs confirm it is watching the log file

Code: Select all

Watching /var/log/asterisk/messages.log...

The modified script is:

Code: Select all

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] res_pjsip\/pjsip_distributor.c\: log_failed_request\: Request 'INVITE' from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- No matching endpoint found/))  {
  return ("Bad Logon: $1",$2,"SecmasASTERIX","1","1");
}
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] res_pjsip\/pjsip_distributor.c\: log_failed_request\: Request 'INVITE' from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- Failed to authenticate/))  {
  return ("Bad Logon: $1",$2,"SecmasASTERIX","1","1");
}

But it doesn't seem to be triggering.
Here are some of the logs:

Code: Select all

[May  5 11:15:05] NOTICE[801] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"10009" <sip:10009@my servers IP address>' failed for '193.46.255.101:5076' (callid: 2641e75330b425275953230dad937ceb) - No matching endpoint found
[May  5 11:15:05] NOTICE[801] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"10009" <sip:10009@my servers IP address>' failed for '193.46.255.101:5076' (callid: 2641e75330b425275953230dad937ceb) - Failed to authenticate

Any advice would be greatly appreciated. I intend to roll this out across multiple servers; each will be in a cluster.

Re: CSF / Asterisk

Posted: 19 May 2021, 06:44
by Sergio
Hi, all.
Wow, 7 years ago around the same day; how fast time passes by.
How many people are using my rule? That will be great to know.

In order to create a new rule I need:
- a few log lines of the error message(s).
- what info should the rule show when it is added to CSF?

Sergio

Re: CSF / Asterisk

Posted: 19 May 2021, 10:30
by EntrepreneurAJ
Hi Sergio, how many log lines will you need? I've posted the two my server is frequently showing in the post immediately above. I think what should be shown in the logs when it fires is the last 3 to 4 words of the log line. The two log lines are not always together, as it's two separate attempts using different methods.

Re: CSF / Asterisk

Posted: 19 May 2021, 15:03
by Sergio
Here is the new rule, but before using it, please read the disclaimer:
"I don't assume any responsibility if you use the following rule, use it at your own discretion."

Please, before using it, run some tests to see if it works for you.

Also, if you see that the rule works for you, please donate US$10.00 to any charity of your choice on my behalf, thank you.

Code: Select all

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\] NOTICE\[\d+\] res_pjsip\/pjsip_distributor\.c\: Request 'INVITE' from '"\d+" \<sip:.*\>' failed for '(\S+)\:\d+' \(callid: \S+\) \- (No matching endpoint found|Failed to authenticate)/i)) {
		return ("$2",$1,"SecmasASTERIXv2","1","","1");
	}

Sergio
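
Added example, not part of Sergio's post or of the CSF project: a stand-alone Perl script that runs the 05 May pattern (the first of the two, which differ only in the trailing reason text) and the 19 May rule against sample log lines, so a rule can be checked offline before it goes into the custom regex file. The sample lines are constructed from the shapes shown in this thread, with documentation-range addresses in place of real hosts.

```perl
#!/usr/bin/perl
# Added example: run the thread's patterns against constructed PJSIP log lines.
use strict;
use warnings;

# Pattern from the 05 May 2021 post (first of the two, copied as posted).
my $may5 = qr/\[\S+\s+\S+\] NOTICE\[\S+\] res_pjsip\/pjsip_distributor.c\: log_failed_request\: Request 'INVITE' from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- No matching endpoint found/;

# Pattern from the 19 May 2021 rule (copied as posted).
my $may19 = qr/^\[\S+\s+\S+\s+\S+\] NOTICE\[\d+\] res_pjsip\/pjsip_distributor\.c\: Request 'INVITE' from '"\d+" \<sip:.*\>' failed for '(\S+)\:\d+' \(callid: \S+\) \- (No matching endpoint found|Failed to authenticate)/i;

# Constructed sample lines modelled on the thread's logs; the addresses are
# documentation ranges (192.0.2.0/24, 203.0.113.0/24), not real hosts.
my @lines = (
    # INVITE, numeric display name, unknown endpoint
    q{[May  5 11:15:05] NOTICE[801] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"10009" <sip:10009@192.0.2.10>' failed for '203.0.113.50:5076' (callid: 2641e75330b4) - No matching endpoint found},
    # INVITE, numeric display name, bad credentials
    q{[May  5 11:15:05] NOTICE[801] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"10009" <sip:10009@192.0.2.10>' failed for '203.0.113.50:5076' (callid: 2641e75330b4) - Failed to authenticate},
    # SUBSCRIBE with no display name (shape of the 2017 FreePBX 13 line)
    q{[Jan  4 21:20:00] NOTICE[11123] res_pjsip/pjsip_distributor.c: Request 'SUBSCRIBE' from '<sip:100@192.0.2.10>' failed for '203.0.113.51:34527' (callid: abc123) - Failed to authenticate},
    # INVITE with a non-numeric display name
    q{[May  5 11:16:40] NOTICE[801] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"alice" <sip:alice@192.0.2.10>' failed for '203.0.113.52:5060' (callid: def456) - Failed to authenticate},
);

# Return a one-line verdict with the capture groups a rule would hand to LFD.
sub check {
    my ($label, $re, $line) = @_;
    my @cap = $line =~ $re;
    return @cap ? "$label: MATCH [" . join(' | ', @cap) . "]" : "$label: no match";
}

for my $i (0 .. $#lines) {
    print "line ", $i + 1, ": $lines[$i]\n";
    print "  ", check('05 May pattern', $may5,  $lines[$i]), "\n";
    print "  ", check('19 May rule',    $may19, $lines[$i]), "\n";
}
```

A line reported as "no match" under the 19 May rule is one that rule would not act on, for example a request other than INVITE or a caller whose display name is not all digits.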

Re: CSF / Asterisk

Posted: 19 May 2021, 16:14
by EntrepreneurAJ
I will set it up today and if it works will donate £10 to EAJ Foundation under the name Sergio CSF on the 1st of June 2021

Re: CSF / Asterisk

Posted: 19 May 2021, 16:34
by Sergio
Thank you!
If you could change it to Sergio C, that would be great, as I am not related in any way to CSF; I am just a member of the forum who likes CSF a lot, which I think is a great firewall.

Sergio