ban2fail
asterisk
can u provide example for use with asterisk?
I don't have any experience with asterisk. ban2fail searches for patterns in log files when they change using the regular expression facility found in glibc.
It works, but I have a problem with the timestamp... I'll try to solve it, then put it here.
LOGTYPE asterisk {
DIR= /var/log/asterisk PREFIX= messages
TIMESTAMP asterisk_ts { REGEX= (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) STRPTIME= %Y-%m-%d %H:%M:%S }
TARGET worm { REGEX = NOTICE.failed for.'([0-9.a-f:]+): }
}
Without a sample matching line from the log file, I can't pinpoint your problem. One easy way to debug the REGEXes is to use the built-in bash REGEX facility like so:
LOG_LINE='Dec 4 12:57:28 srv dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=
Result> Dec 4 12:57:28
As for the STRPTIME format specification, you can either write a C program to test your string, or maybe a website like this: http://www.strfti.me
Good luck!
I forgot to put a sample log line, sorry. I use this website to debug: https://regex101.com/ Please look:
LOG LINE:
[2021-01-18 14:24:01] NOTICE[121559] chan_sip.c: Registration from '"205" <sip:[email protected]>' failed for '193.29.14.115:5836' - Wrong password
This regex:
NOTICE.*failed for.*'([0-9.a-f:]+):
result => 193.29.14.115
This regex:
(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
result=> 2021-01-18 14:24:01
So i make this config:
LOGTYPE asterisk {
DIR= /var/mcut/log/asterisk
PREFIX= messages
TIMESTAMP asterisk_ts {
REGEX= (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
STRPTIME= %Y-%m-%d %H:%M:%S
}
TARGET worm {
REGEX = NOTICE.*failed for.*'([0-9.a-f:]+):
}
}
The system works and blocks IPs, but I get an error with the date.
Please, if you can, check it when you have time.
There isn't much I can do without the error messages from ban2fail. I'm a software engineer, not a psychic ;-)
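Added example (not code from the ban2fail project or from either participant above): the bash `[[ =~ ]]` check the maintainer suggests, applied to the two REGEX values from the posted LOGTYPE block. bash's `=~` hands the pattern to the same glibc regcomp()/REG_EXTENDED engine ban2fail uses, so it is a faithful test of what ban2fail will see. regex101 defaults to PCRE, where `\d` means a digit; glibc's POSIX ERE does not know `\d` (it is treated as a literal `d`), which is consistent with the IP target matching while the timestamp does not. The log line is constructed to have the same shape as the one posted, with a placeholder SIP address; `match_group` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example, not part of ban2fail or of the thread above.
# Runs the posted REGEX values through bash's built-in [[ =~ ]] operator,
# which uses glibc regcomp() with REG_EXTENDED, exactly as ban2fail does.

# Constructed sample line (same shape as the one posted; address is a placeholder).
LOG_LINE="[2021-01-18 14:24:01] NOTICE[121559] chan_sip.c: Registration from '\"205\" <sip:205@example.invalid>' failed for '193.29.14.115:5836' - Wrong password"

# Timestamp regex exactly as posted: PCRE syntax, matches on regex101 only.
TS_REGEX_PCRE='(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
# Same timestamp in POSIX ERE: bracket expressions instead of \d.
TS_REGEX_ERE='([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})'
# Target regex as posted; this one is already valid ERE.
IP_REGEX="NOTICE.*failed for.*'([0-9.a-f:]+):"

# match_group REGEX LINE
# Prints capture group 1 of REGEX applied to LINE and returns 0,
# or prints nothing and returns 1 when the pattern does not match.
match_group() {
    local re=$1 line=$2
    if [[ $line =~ $re ]]; then
        printf '%s\n' "${BASH_REMATCH[1]}"
        return 0
    fi
    return 1
}

# Stand-alone run: show what each pattern extracts from the sample line.
for name in TS_REGEX_PCRE TS_REGEX_ERE IP_REGEX; do
    if out=$(match_group "${!name}" "$LOG_LINE"); then
        printf '%-14s -> %s\n' "$name" "$out"
    else
        printf '%-14s -> NO MATCH\n' "$name"
    fi
done
```

If the `\d` form reports NO MATCH here, ban2fail will not match it either, and the TIMESTAMP REGEX in the LOGTYPE block should use the `[0-9]` form instead; the STRPTIME value `%Y-%m-%d %H:%M:%S` is unaffected, since it only describes the text the regex captures.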