Ok, so the purpose is to match log lines like these and have fail2ban action:

4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned

However, the first issue I ran into was this line does not actually have a string which can be used as a <HOST> by fail2ban..

But there is a string which can be used a few lines earlier than this line in the log, so I opted to make a multi-line regex to match this block of log messages:

2016-09-09 07:02:21.578620 [WARNING] sofia_reg.c:1775 SIP auth challenge (INVITE) on sofia profile 'default' for [800970598652903@192.168.5.57] from ip 146.0.32.171
4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:21.578620 [DEBUG] switch_core_state_machine.c:562 (sofia/default/101@192.168.5.57:5060) State NEW
2016-09-09 07:02:21.578620 [DEBUG] sofia.c:2214 detaching session 4f4ec31d-0a0e-4598-95af-3a973cf96244
4f4ec31d-0a0e-4598-95af-3a973cf96244 2016-09-09 07:02:31.618593 [WARNING] switch_core_state_machine.c:646 4f4ec31d-0a0e-4598-95af-3a973cf96244 sofia/default/101@192.168.5.57:5060 Abandoned

Here is the regex I came up with(based on existing freeswitch fail2ban filter which was created when i installed mod_fail2ban).

It would be awesome to verify/simplify and/or improve this regex:


failregex = \.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^\']+\' for \[.*\] from ip <HOST> .*\n.*\n.*\n.*\.\d+ \[WARNING\] switch_core_state_machine\.c\:\d+ .................................... sofia\/default\/\d+@\d+\.\d+\.\d+\.\d+\:\d+ Abandoned