Hi ,
I just installed CSF on an Asterisk box.
Is there any setup I could use in order to block IP addresses that failed to login on SIP / port 5060 with the help of CSF ?
Thanks !
CSF / Asterisk
Re: CSF / Asterisk
Hi, did you find any answer about this ? looking for the same !
-
simon templar
- Junior Member
- Posts: 19
- Joined: 25 Mar 2010, 14:49
Re: CSF / Asterisk
NO.
I'm thinking about creating the script that will take care of this.
You can join the team if you know how to program.
I was almost done in C++ but I was told to switch to Python. So I am learning the language now.
I'm thinking about creating the script that will take care of this.
You can join the team if you know how to program.
I was almost done in C++ but I was told to switch to Python. So I am learning the language now.
Re: CSF / Asterisk
Yes, you can do it with CSF.simon templar wrote:Hi ,
I just installed CSF on an Asterisk box.
Is there any setup I could use in order to block IP addresses that failed to login on SIP / port 5060 with the help of CSF ?
Thanks !
Check in what log the error is reported and the add your own REGEX rule to regex.custom.pm
-
simon templar
- Junior Member
- Posts: 19
- Joined: 25 Mar 2010, 14:49
Re: CSF / Asterisk
Hi Sergio,
I wish I read the whole readme file, I never paid attention to that. Probably because I do not know regex. Could you give me a hand with the regex to setup ?
The file is /var/log/asteriss/messages
The type of errors I am looking for are like:
[2014-03-03 15:04:39] NOTICE[4632] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:41444' - Wrong password
*If possible*, I would like to block IPs that do 3 bad attempts.
If not possible, I will block IPs at the first attempt.
Is there a way to excluse 192.168.1.0 network ?
Thank you so much for your help.
I wish I read the whole readme file, I never paid attention to that. Probably because I do not know regex. Could you give me a hand with the regex to setup ?
The file is /var/log/asteriss/messages
The type of errors I am looking for are like:
[2014-03-03 15:04:39] NOTICE[4632] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:41444' - Wrong password
*If possible*, I would like to block IPs that do 3 bad attempts.
If not possible, I will block IPs at the first attempt.
Is there a way to excluse 192.168.1.0 network ?
Thank you so much for your help.
Re: CSF / Asterisk
Normally I don't do regex for something that I can't test in any of my servers.
You will need to do the tests on your own when the rule is done.
For the regex to be created I need the following info:
What is the name of the error log where you can search for this info?
Please give 5 error lines copied from the error log.
You will need to do the tests on your own when the rule is done.
For the regex to be created I need the following info:
What is the name of the error log where you can search for this info?
Please give 5 error lines copied from the error log.
-
simon templar
- Junior Member
- Posts: 19
- Joined: 25 Mar 2010, 14:49
Re: CSF / Asterisk
The error shows up in /var/log/asterisk/messages
[2014-03-24 21:15:18] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:22] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:23] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:25] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:27] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
At the minimum, I would like to block IPs (failed for xx.xx.xx.xx) after the 1st wrong password attempt.
If possible, I would like to prevent blocking IPs from network 192.168.1.0
If I can get that, it would be awesome.
[2014-03-24 21:15:18] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:22] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:23] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:25] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
[2014-03-24 21:15:27] NOTICE[18393] chan_sip.c: Registration from '"X-Lite"<sip:1000@192.168.1.242>' failed for '192.168.1.101:5140' - Wrong password
At the minimum, I would like to block IPs (failed for xx.xx.xx.xx) after the 1st wrong password attempt.
If possible, I would like to prevent blocking IPs from network 192.168.1.0
If I can get that, it would be awesome.
Re: CSF / Asterisk
You have a PM with the rule.
Please add the rule following the readme file directions.
After you add the regex, you have to restart LFD and it will show if the rules is right or if it has an error.
Remember to create a CUSTOM3_LOG in your CSF configuration with the /var/log/asterisk/messages
Please add the rule following the readme file directions.
After you add the regex, you have to restart LFD and it will show if the rules is right or if it has an error.
Remember to create a CUSTOM3_LOG in your CSF configuration with the /var/log/asterisk/messages
-
simon templar
- Junior Member
- Posts: 19
- Joined: 25 Mar 2010, 14:49
Re: CSF / Asterisk
Thank you - I will try tomorrow during the day .
Re: CSF / Asterisk
For the IPs that you don't want to be blocked, you will have to add them to the ALLOW IPs in CSF