custom regex for SIP and Asterisk

Posted: 10 Sep 2013, 07:12
by hinzinho
I am running an Asterisk system with the SIP port open to the internet. I would like csf to block SIP brute force. I have spent many hours searching and testing but my custom regex doesn't do anything. I don't see anything logged from my custom script in lfd.log and my IP is not being blocked.

under /etc/csf/csf.conf

Code:

CUSTOM1_LOG = "/var/log/asterisk/full"

under /etc/csf/regex.custom.pm

Code:

#CUSTOM1_LOG:
        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.* failed for .* - No matching peer found/ )) {
                return ("Failed Asterisk login from",$1,"myasteriskmatch","3","5060","1");
        }

Entries from /var/log/asterisk/full

Code:

[Sep 10 01:24:09] NOTICE[1914] chan_sip.c: Registration from '<sip:200se@demo1.mydomain.xxx>' failed for '111.222.333.444:59509' - No matching peer found
[Sep 10 01:32:37] NOTICE[1914] chan_sip.c: Registration from '<sip:200se@demo1.mydomain.xxx>' failed for '111.222.333.444:51686' - No matching peer found

I tested my pattern matching using 'awk' and got results back

Code:

awk '/^.* failed for .* - No matching peer found/' /var/log/asterisk/full

I have LF_TRIGGER = 0 and LF_SELECT = 0. So what am I doing wrong here? TIA!

Re: custom regex for SIP and Asterisk

Posted: 11 Sep 2013, 01:18
by hinzinho
I am lost as to why the regex.custom.pm is not running. To test if it is even getting into the script, I added an Else statement. Nothing in the lfd.log. :confused:

Code:

        if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^.* failed for .* - No matching peer found/ )) {
                return ("Failed Asterisk login $1 from",$1,"myasteriskmatch","3","5060","0");
        }
        else {
                return ("Test Asterisk login $1 from",$1,"myasteriskmatch","3","5060","0");
        }
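
Added example, not part of the original posts and not csf's own code: a stand-alone Perl check of what `$1` holds when the posted pattern matches, next to a variant with a capture group around the source address. The capturing pattern, the helper `captured_ip` and the sample address 203.0.113.7 are assumptions constructed for this illustration, based on the log format quoted in the first post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed log lines in the format quoted in the post; 203.0.113.7 is a
# documentation address used here as sample data.
my @lines = (
    "[Sep 10 01:24:09] NOTICE[1914] chan_sip.c: Registration from '<sip:200se\@demo1.mydomain.xxx>' failed for '203.0.113.7:59509' - No matching peer found",
    "[Sep 10 01:25:00] NOTICE[1914] chan_sip.c: Peer '200' is now Reachable",
);

# Pattern as posted: it matches the failure line but has no capture group.
my $posted = qr/^.* failed for .* - No matching peer found/;

# Assumed variant: capture the IPv4 address between "failed for '" and ":port'".
my $capturing = qr/ failed for '(\d{1,3}(?:\.\d{1,3}){3}):\d+' - No matching peer found/;

# Return the first capture group of $re against $line, or undef.
sub captured_ip {
    my ($re, $line) = @_;
    return unless $line =~ $re;
    return $1;    # undef when the pattern has no capture group
}

for my $line (@lines) {
    for my $case (["posted", $posted], ["capturing", $capturing]) {
        my ($name, $re) = @$case;
        my $matched = $line =~ $re ? "yes" : "no";
        my $ip = captured_ip($re, $line);
        printf "%-9s matched=%-3s ip=%s\n",
            $name, $matched, defined $ip ? $ip : "(none)";
    }
}
```

On the constructed failure line the posted pattern reports a match with no captured address, while the capturing variant yields 203.0.113.7, which is the value the second element of the `return (...)` list expects in `$1`.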