[asterisk-tcp]enabled = truefilter = asteriskaction = iptables-multiport[n

1. [asterisk-tcp]
2. enabled = true
3. filter = asterisk
4. action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
5. # sendmail-whois[My Server, dest=myemail@example.com, sender=fail2ban@myserversdomainame.com]
6. logpath = /var/log/asterisk/messages
7. bantime = 604800 ; 1 week
8. findtime = 28800 ; 1 day
9. maxretry = 4
10.  
11. [asterisk-udp]
12. enabled = true
13. filter = asterisk
14. action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
15. # sendmail-whois[name=My Server, dest=myemail@example.com, sender=fail2ban@myserversdomainame.com]
16. logpath = /var/log/asterisk/messages
17. bantime = 604800 ; 1 week
18. findtime = 28800 ; 1 day
19. maxretry = 4
20.  
21. [asterisk-iptables]
22. enabled = true
23. filter = asterisk
24. action = iptables-allports[name=asterisk, protocol=all]
25. # sendmail-whois[name=My Server, dest=myemail@example.com, sender=fail2ban@myserversdomainame.com]
26. logpath = /var/log/asterisk/security
27. bantime = 604800 ; 1 week
28. findtime = 28800 ; 1 day
29. maxretry = 4
30.  
31.  
32. # Fail2Ban configuration file
33. #
34. #
35. # $Revision: 250 $
36. #
37.  
38. [INCLUDES]
39.  
40. # Read common prefixes. If any customizations available -- read them from
41. # common.local
42. #before = common.conf
43.  
44.  
45. [Definition]
46.  
47. #_daemon = asterisk
48.  
49. # Option: failregex
50. # Notes.: regex to match the password failures messages in the logfile. The
51. # host must be matched by a group named "host". The tag "<HOST>" can
52. # be used for standard IP/hostname matching and is only an alias for
53. # (?:::f{4,6}:)?(?P<host>\S+)
54. # Values: TEXT
55. #
56.  
57. failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
58. SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
59. SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
60. SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*
61.  
62. # Option: ignoreregex
63. # Notes.: regex to ignore. If this regex matches, the line is ignored.
64. # Values: TEXT
65. #
66. ignoreregex =
67.  
68. [2015-04-23 13:29:52] SECURITY[30549] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1429810192-157871",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7ff24806a428",LocalAddress="IPV4/UDP/50.248.225.203/5060",RemoteAddress="IPV4/UDP/192.187.115.214/5104",Challenge="1e883ad3",ReceivedChallenge="1e883ad3",ReceivedHash="94a91e1acaa21aba706fb3fdb8806d55"
69. [2015-04-23 13:29:58] SECURITY[30549] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1429810198-858898",Severity="Error",Service="SIP",EventVersion="2",AccountID="2001",SessionID="0x7ff24805d1f8",LocalAddress="IPV4/UDP/50.248.225.203/5060",RemoteAddress="IPV4/UDP/192.187.115.214/5084",Challenge="24e9888e",ReceivedChallenge="24e9888e",ReceivedHash="3fd246592e70bc79f4d89a12a3fbc7c1"
70. [2015-04-23 13:30:08] SECURITY[30549] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1429810208-121434",Severity="Error",Service="SIP",EventVersion="2",AccountID="311",SessionID="0x7ff2480efa08",LocalAddress="IPV4/UDP/50.248.225.203/5060",RemoteAddress="IPV4/UDP/192.187.115.214/5064",Challenge="42496ecf",ReceivedChallenge="42496ecf",ReceivedHash="7b299606203187ef0b1d17b67f4cd16d"