Fail2Ban - Matching successful Asterisk PJSIP authentication


I am trying to create a fail2ban filter that matches successful authentications. A sample log entry looks like this:

[2023-05-25 18:41:00] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact user/sip:[email protected]:47682;transport=ws;x-ast-orig-host=b0cnalpndgjm.invalid:0 is now Reachable.  RTT: 27.843 msec

I am not well versed in writing fail2ban filters, but here is my attempt (I first copied asterisk.conf from filter.d to asterisk-whitelist.conf to use as a template, then changed the failregex to try to match the line above):

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^Contact [A-Za-z0-9]+/sip:[A-Za-z0-9]+@<HOST>:[0-9]+;transport=[A-Za-z]+;[A-Za-z]+=[A-Za-z0-9\.]+:0 is now Reachable\.  RTT: [0-9]*\.[0-9]+ msec$
ignoreregex =

The above does not work. I am not sure how to fix it, or what needs to change for it to match. Running fail2ban-regex /var/log/asterisk/full asterisk-whitelist.conf reports 0 matches.

Update: with the help of the accepted answer I added the final solution. Here is the configuration that ultimately worked for me:

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING|VERBOSE)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^.*Contact .*\/sip[s]?:.*@<HOST>.* is now Reachable.*

ignoreregex =

Answer 1

Your regex is too complex and wrong. Try this one:

failregex = ^.*Contact .*\/sip:[^@]+@<HOST>.* is now Reachable.*

You can test it with: fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk-whitelist.conf

Edit: let's try something else. Replace the contents of asterisk-whitelist.conf with the conf below; it should match the log line you provided.

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = asterisk

__pid_re = (?:\s*\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?

prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] %(__pid_re)s res_pjsip/pjsip_options\.c: Contact user/sip:[^@]+@<HOST>:\d+;transport=[\w-]+;x-ast-orig-host=[\w.-]+:0 is now Reachable\.  RTT: \d+\.\d+ msec$

ignoreregex =
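To see why the template filter reports 0 matches while the final configuration matches, here is a small Python emulation (added here; it is not part of the question, the answer or fail2ban itself) of fail2ban's two-stage prefregex/failregex matching, run against a constructed line in the shape of the question's log entry. PREFIX_LINE and HOST_RE are simplified stand-ins for common.conf's __prefix_line and fail2ban's <HOST> placeholder, and the SIP user and address are made up.

```python
import re

# Constructed sample line in the shape of the one from the question (SIP user and
# address are made up; 203.0.113.10 is a documentation address).
LINE = ("[2023-05-25 18:41:00] VERBOSE[26149] res_pjsip/pjsip_options.c: "
        "Contact user/sip:alice@203.0.113.10:47682;transport=ws;"
        "x-ast-orig-host=b0cnalpndgjm.invalid:0 is now Reachable.  RTT: 27.843 msec")

PID_RE = r"(?:\s*\[\d+\])"                        # __pid_re from the filter
# Assumption: stand-in for common.conf's __prefix_line that just consumes the
# bracketed Asterisk timestamp (the real definition is far more general, and real
# fail2ban also cuts the timestamp out via its datepattern before matching).
PREFIX_LINE = r"\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]\s*"
# Assumption: simplified stand-in for fail2ban's <HOST> placeholder.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

ORIGINAL_LEVELS = ("NOTICE", "SECURITY", "WARNING")            # template filter
FIXED_LEVELS = ORIGINAL_LEVELS + ("VERBOSE",)                  # final solution
FINAL_FAILREGEX = r"^.*Contact .*\/sip[s]?:.*@<HOST>.* is now Reachable.*"
ANSWER_FAILREGEX = r"^.*Contact .*\/sip:[^@]+@<HOST>.* is now Reachable.*"


def build_filter(levels, failregex):
    """Expand the filter's %(...)s references and fail2ban placeholders."""
    log_prefix = (r"(?:%s)%s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?"
                  % ("|".join(levels), PID_RE))
    prefregex = r"^%s%s <F-CONTENT>.+</F-CONTENT>$" % (PREFIX_LINE, log_prefix)
    # <F-CONTENT>...</F-CONTENT> becomes the group that failregex is matched against
    prefregex = re.sub(r"<F-CONTENT>(.+)</F-CONTENT>", r"(?P<content>\1)", prefregex)
    return re.compile(prefregex), re.compile(failregex.replace("<HOST>", HOST_RE))


def match_host(line, levels, failregex=FINAL_FAILREGEX):
    """Emulate the two-stage match: prefregex gates the line, failregex runs on
    its content. Returns the extracted host, or None when either stage fails."""
    prefregex, failre = build_filter(levels, failregex)
    pre = prefregex.match(line)
    if pre is None:
        return None   # log level not in log_prefix: failregex is never even tried
    hit = failre.match(pre.group("content"))
    return hit.group("host") if hit else None


if __name__ == "__main__":
    for levels in (ORIGINAL_LEVELS, FIXED_LEVELS):
        print("|".join(levels), "->", match_host(LINE, levels))
```

fail2ban-regex remains the authoritative check; this emulation only shows that the log-level alternation in log_prefix decides whether failregex ever sees a VERBOSE line at all.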
