From Commodious Capybara, 2 Years ago, written in Plain Text.
Ok, so the purpose is to match log lines like these and have fail2ban action:

4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned

However, the first issue I ran into was that this line does not actually have a string which can be used as a <HOST> by fail2ban.

But there is a string which can be used a few lines earlier than this line in the log, so I opted to make a multi-line regex to match this block of log messages:

2016-09-09 07:02:21.578620 [WARNING] sofia_reg.c:1775 SIP auth challenge (INVITE) on sofia profile 'default' for [800970598652903@192.168.5.57] from ip 146.0.32.171
4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:21.578620 [DEBUG] switch_core_state_machine.c:562 (sofia/default/101@192.168.5.57:5060) State NEW
2016-09-09 07:02:21.578620 [DEBUG] sofia.c:2214 detaching session 4f4ec31d-0a0e-4598-95af-3a973cf96244
4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned

Here is the regex I came up with (based on the existing freeswitch fail2ban filter, which was created when I installed mod_fail2ban).

It would be awesome to verify/simplify and/or improve this regex:


# "<HOST>" is followed directly by the end of the line in the sample, so "<HOST> .*" (a required space) never matched;
# the 36 dots standing in for the call UUID are written as an explicit [0-9a-f-]{36}.
failregex = \.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^\']+\' for \[.*\] from ip <HOST>\s*\n.*\n.*\n.*\.\d+ \[WARNING\] switch_core_state_machine\.c\:\d+ [0-9a-f-]{36} sofia\/default\/\d+@\d+\.\d+\.\d+\.\d+\:\d+ Abandoned
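The check below is an added example, not part of the paste or of mod_fail2ban: it runs the regex as posted, a corrected version, and a version using fail2ban's `<SKIPLINES>` tag against the four log lines quoted above, so that a filter can be verified before it is deployed. Python is used because fail2ban itself is Python. Two things are assumed rather than taken from the paste: the pattern substituted for `<HOST>` is the one from fail2ban's failregex.py, and `<SKIPLINES>` is expanded the way fail2ban 0.9 does it (a newline followed by a lazily matched run of whole lines); both should be confirmed against the installed version. The real fail2ban also removes the matched timestamp from each line before applying `failregex` (which is why the stock filter starts with `\.\d+`); the example matches the raw lines instead, which works here because the regex is not anchored with `^`.

```python
import re

# Pattern fail2ban substitutes for <HOST> (from fail2ban's failregex.py; assumed).
R_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def expand_tags(failregex):
    """Expand fail2ban's <HOST> and <SKIPLINES> tags into a plain Python regex.

    <SKIPLINES> is expanded as fail2ban 0.9 does it (assumed; verify against your
    version): a newline, then a named group of zero or more whole lines, matched lazily.
    """
    regex = failregex.replace("<HOST>", R_HOST)
    parts = regex.split("<SKIPLINES>")
    regex = parts[0]
    for n, rest in enumerate(parts[1:]):
        regex += r"\n(?P<skiplines%d>(?:(.*\n)*?))" % n + rest
    return regex


def match_block(failregex, text):
    """Return the <HOST> captured by failregex over a multi-line log block, or None."""
    m = re.search(expand_tags(failregex), text)
    return m.group("host") if m else None


# The four log lines quoted in the post, joined into one block the way a
# multi-line buffer would present them (timestamps left in place, see lead-in).
LINES = [
    "2016-09-09 07:02:21.578620 [WARNING] sofia_reg.c:1775 SIP auth challenge (INVITE) "
    "on sofia profile 'default' for [800970598652903@192.168.5.57] from ip 146.0.32.171",
    "4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:21.578620 [DEBUG] "
    "switch_core_state_machine.c:562 (sofia/default/101@192.168.5.57:5060) State NEW",
    "2016-09-09 07:02:21.578620 [DEBUG] sofia.c:2214 detaching session "
    "4f4ec31d-0a0e-4598-95af-3a973cf96244",
    "4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] "
    "switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 "
    "sofia/default/101@192.168.5.57:5060 Abandoned",
]
LOG_BLOCK = "\n".join(LINES) + "\n"
# Constructed variants: the call was never abandoned (no 4th line), and one extra
# DEBUG line (a repeat of line 3) sits between the challenge and the Abandoned line.
LOG_NOT_ABANDONED = "\n".join(LINES[:3]) + "\n"
LOG_EXTRA_LINE = "\n".join(LINES[:3] + [LINES[2]] + LINES[3:]) + "\n"

# The regex exactly as posted: "<HOST> .*" demands a space after the IP.
POSTED = (
    r"\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) "
    r"on sofia profile \'[^\']+\' for \[.*\] from ip <HOST> .*\n.*\n.*\n.*\.\d+ \[WARNING\] "
    r"switch_core_state_machine\.c\:\d+ .................................... "
    r"sofia\/default\/\d+@\d+\.\d+\.\d+\.\d+\:\d+ Abandoned"
)
# Same regex with no space required after <HOST> and an explicit UUID class; still
# hard-wired to the Abandoned line being exactly three lines after the challenge.
FIXED = (
    r"\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) "
    r"on sofia profile '[^']+' for \[.*\] from ip <HOST>\s*\n.*\n.*\n.*\.\d+ \[WARNING\] "
    r"switch_core_state_machine\.c:\d+ [0-9a-f-]{36} "
    r"sofia/default/\d+@\d+\.\d+\.\d+\.\d+:\d+ Abandoned"
)
# <SKIPLINES> lets any number of lines sit between the two events.
ROBUST = (
    r"\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (?:failure|challenge) \((?:REGISTER|INVITE)\) "
    r"on sofia profile '[^']+' for \[.*\] from ip <HOST>\s*<SKIPLINES>"
    r".*\.\d+ \[WARNING\] switch_core_state_machine\.c:\d+ [0-9a-f-]{36} "
    r"sofia/default/\d+@\d+\.\d+\.\d+\.\d+:\d+ Abandoned"
)

if __name__ == "__main__":
    for name, regex in (("posted", POSTED), ("fixed", FIXED), ("skiplines", ROBUST)):
        for label, block in (("sample", LOG_BLOCK), ("not abandoned", LOG_NOT_ABANDONED),
                             ("extra line", LOG_EXTRA_LINE)):
            print("%-9s %-13s -> %s" % (name, label, match_block(regex, block)))
```

The posted regex returns no host on the very block it was written for, while the corrected one returns 146.0.32.171; only the `<SKIPLINES>` form still matches when an extra line lands between the challenge and the Abandoned message, and none of them fires when the call is not abandoned. Whichever form goes into the filter, multi-line matching in fail2ban needs `maxlines` set in the filter's `[Init]` section, `<SKIPLINES>` needs fail2ban 0.9 or later, and the result should be confirmed with `fail2ban-regex` against the real log, since that applies the timestamp stripping this script skips.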