OK, so the purpose is to match log lines like these and have fail2ban take action:
4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned
However, the first issue I ran into was that this line does not actually have a string which can be used as a <HOST> by fail2ban.
But there is a string which can be used a few lines earlier than this line in the log, so I opted to make a multi-line regex to match this block of log messages:
2016-09-09 07:02:21.578620 [WARNING] sofia_reg.c:1775 SIP auth challenge (INVITE) on sofia profile 'default' for [800970598652903@192.168.5.57] from ip 146.0.32.171
4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:21.578620 [DEBUG] switch_core_state_machine.c:562 (sofia/default/101@192.168.5.57:5060) State NEW
2016-09-09 07:02:21.578620 [DEBUG] sofia.c:2214 detaching session 4f4ec31d-0a0e-4598-95af-3a973cf96244
4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned
Here is the regex I came up with (based on the existing FreeSWITCH fail2ban filter, which was created when I installed mod_fail2ban).
It would be awesome to verify/simplify and/or improve this regex:
failregex = \.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^\']+\' for \[.*\] from ip <HOST> .*\n.*\n.*\n.*\.\d+ \[WARNING\] switch_core_state_machine\.c\:\d+ .................................... sofia\/default\/\d+@\d+\.\d+\.\d+\.\d+\:\d+ Abandoned
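Added example, not part of the original post: a quick offline check of the posted failregex with Python's re module, run against the four log lines quoted above as they appear on this page (no trailing space after the source IP) and against constructed variants. HOST is a simplified IPv4 stand-in for fail2ban's <HOST> tag, TIED is a hypothetical variant that requires the Abandoned line to carry the same session UUID as the line after the auth challenge, and OTHER is a constructed UUID; fail2ban's own fail2ban-regex tool remains the authoritative test.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex as posted; the run of dots covering the UUID is written as .{36}.
POSTED = (r"\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) "
          r"\((REGISTER|INVITE)\) on sofia profile \'[^\']+\' for \[.*\] "
          r"from ip <HOST> .*\n.*\n.*\n.*\.\d+ \[WARNING\] "
          r"switch_core_state_machine\.c\:\d+ .{36} "
          r"sofia\/default\/\d+@\d+\.\d+\.\d+\.\d+\:\d+ Abandoned")

# Hypothetical variant (not from the post): trailing whitespace after the IP is
# optional, and a backreference ties the Abandoned line to the same session.
TIED = (r"sofia_reg\.c:\d+ SIP auth (?:failure|challenge) "
        r"\((?:REGISTER|INVITE)\) on sofia profile '[^']+' for \[.*\] "
        r"from ip <HOST>[ \t]*\n(?P<uuid>[0-9a-f-]{36}) .*\n.*\n"
        r"(?P=uuid) .*\[WARNING\] switch_core_state_machine\.c:\d+ "
        r"(?P=uuid) \S+ Abandoned")

UUID = "4f4ec31d-0a0e-4598-95af-3a973cf96244"   # session UUID from the post
OTHER = "00000000-0000-4000-8000-000000000000"  # constructed second session

def block(abandoned_uuid, pad=""):
    """The post's four-line block; pad is appended after the source IP."""
    return "\n".join([
        "2016-09-09 07:02:21.578620 [WARNING] sofia_reg.c:1775 SIP auth challenge (INVITE) on sofia profile 'default' for [800970598652903@192.168.5.57] from ip 146.0.32.171" + pad,
        UUID + " 2016-09-09 07:02:21.578620 [DEBUG] switch_core_state_machine.c:562 (sofia/default/101@192.168.5.57:5060) State NEW",
        "2016-09-09 07:02:21.578620 [DEBUG] sofia.c:2214 detaching session " + UUID,
        abandoned_uuid + " 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 " + abandoned_uuid + " sofia/default/101@192.168.5.57:5060 Abandoned",
    ]) + "\n"

def banned_hosts(failregex, log):
    """Return every address the failregex would hand to the ban action."""
    rx = re.compile(failregex.replace("<HOST>", HOST), re.MULTILINE)
    return [m.group("host") for m in rx.finditer(log)]

if __name__ == "__main__":
    for name, rx in (("POSTED", POSTED), ("TIED", TIED)):
        print(name, "lines as shown on page:", banned_hosts(rx, block(UUID)))
        print(name, "space after the IP:    ", banned_hosts(rx, block(UUID, " ")))
        print(name, "Abandoned from OTHER:  ", banned_hosts(rx, block(OTHER, " ")))
```

The posted pattern only matches when the challenge line has a space after the IP, and because it pairs the two WARNING lines purely by position, an Abandoned line from a different session three lines later would still ban the challenged address; the UUID backreference in TIED rejects that case.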
{"html5":"htmlmixed","css":"css","javascript":"javascript","php":"php","python":"python","ruby":"ruby","lua":"text\/x-lua","bash":"text\/x-sh","go":"go","c":"text\/x-csrc","cpp":"text\/x-c++src","diff":"diff","latex":"stex","sql":"sql","xml":"xml","apl":"apl","asterisk":"asterisk","c_loadrunner":"text\/x-csrc","c_mac":"text\/x-csrc","coffeescript":"text\/x-coffeescript","csharp":"text\/x-csharp","d":"d","ecmascript":"javascript","erlang":"erlang","groovy":"text\/x-groovy","haskell":"text\/x-haskell","haxe":"text\/x-haxe","html4strict":"htmlmixed","java":"text\/x-java","java5":"text\/x-java","jquery":"javascript","mirc":"mirc","mysql":"sql","ocaml":"text\/x-ocaml","pascal":"text\/x-pascal","perl":"perl","perl6":"perl","plsql":"sql","properties":"text\/x-properties","q":"text\/x-q","scala":"scala","scheme":"text\/x-scheme","tcl":"text\/x-tcl","vb":"text\/x-vb","verilog":"text\/x-verilog","yaml":"text\/x-yaml","z80":"text\/x-z80"}