[Freeswitch-users] fail2ban regex

Sergey Safarov s.safarov at gmail.com
Sun Sep 18 08:57:12 MSD 2016


I use fail2ban more one year.
My changes of FreeSwitch filter rules is present at
https://github.com/fail2ban/fail2ban/pull/1549

Sergey

вс, 18 сент. 2016 г. в 0:23, George Assaad <gassaad at emassembly.com>:

> Don,
> I believe that Steven meant the opposite of what you understood.
> You may have false positive if you are using password.
> I apologize if I misunderstood.
> Best Regards,
>
> On Sat, Sep 17, 2016 at 3:35 PM, Don Hawkins <hawkins at hawkinsegroup.com>
> wrote:
>
>> Right, but everyone is using a password on our system so should cause no
>> issues. However, thanks!
>>
>> Sincerely,
>> Don Hawkins
>>
>> Sent from my NationPCS® Nexus 6.
>>
>> On Sep 17, 2016 2:31 PM, "Steven Ayre" <steveayre at gmail.com> wrote:
>>
>>> Potentially commented out because it'll happen every time a legitimate
>>> user authenticates via password and not IP, so could give false positives
>>> that cause it to block real users. Use with care. :)
>>>
>>> Steve
>>>
>>>
>>> On 17 September 2016 at 06:06, Don Hawkins <hawkins at hawkinsegroup.com>
>>> wrote:
>>>
>>>> Wow, feel KIND of stupid, the regex is in the bottom of the config file
>>>> but commented out...
>>>>
>>>> https://github.com/fail2ban/fail2ban
>>>> /blob/master/config/filter.d/freeswitch.conf
>>>>
>>>> It's commented out but really should not be, I was missing a bunch of
>>>> "hacking" attempts. For anyone else, move it up because you may need it, it
>>>> for sure wont hurt anything.
>>>>
>>>> On Fri, Sep 16, 2016 at 11:53 PM, Don Hawkins <
>>>> hawkins at hawkinsegroup.com> wrote:
>>>>
>>>>> It's missing <host> so no, I dont think it will work.
>>>>>
>>>>> Anyone have any other suggestions?
>>>>>
>>>>> Just to recap, looking for fail2ban regex that will match the
>>>>> following:
>>>>>
>>>>> 2016-09-16 08:42:48.729019 [DEBUG] sofia.c:9623 IP 89.163.231.172
>>>>> Rejected by acl "domains". Falling back to Digest auth.
>>>>>
>>>>>
>>>>> On Fri, Sep 16, 2016 at 9:21 AM, Russell Treleaven <
>>>>> rtreleaven at bunnykick.ca> wrote:
>>>>>
>>>>>> does this work?
>>>>>> ^.+sofia.+Rejected by acl.+$
>>>>>>
>>>>>> On Fri, Sep 16, 2016 at 10:14 AM, Don Hawkins <
>>>>>> hawkins at hawkinsegroup.com> wrote:
>>>>>>
>>>>>>> Morning!
>>>>>>>
>>>>>>>
>>>>>>> - Trying to match:
>>>>>>>
>>>>>>> 2016-09-16 08:42:48.729019 [DEBUG] sofia.c:9623 IP 89.163.231.172
>>>>>>> Rejected by acl "domains". Falling back to Digest auth.
>>>>>>>
>>>>>>>
>>>>>>> - I tried this regex:
>>>>>>>
>>>>>>> ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "domains"\.
>>>>>>> Falling back to Digest auth\.$
>>>>>>>
>>>>>>>
>>>>>>> And no luck.
>>>>>>>
>>>>>>> Can anyone help? I can't figure out what I'm doing wrong, testing
>>>>>>> indicates no matches.
>>>>>>>
>>>>>>>
>>>>>>> _________________________________________________________________________
>>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>>> consulting at freeswitch.org
>>>>>>> http://www.freeswitchsolutions.com
>>>>>>>
>>>>>>> Official FreeSWITCH Sites
>>>>>>> http://www.freeswitch.org
>>>>>>> http://confluence.freeswitch.org
>>>>>>> http://www.cluecon.com
>>>>>>>
>>>>>>> FreeSWITCH-users mailing list
>>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>> UNSUBSCRIBE:
>>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>>> http://www.freeswitch.org
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:
>>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> <http://teleoh.com>
>>>>>
>>>>> *Sincerely,*
>>>>> Don Hawkins
>>>>> CEO
>>>>> Hawkins Enterprise Group LLC
>>>>> http://hawkinsegroup.com
>>>>> Zello PTT <http://zello.com>: push2don
>>>>> P: 469-214-5044
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> <http://teleoh.com>
>>>>
>>>> *Sincerely,*
>>>> Don Hawkins
>>>> CEO
>>>> Hawkins Enterprise Group LLC
>>>> http://hawkinsegroup.com
>>>> Zello PTT <http://zello.com>: push2don
>>>> P: 469-214-5044
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://confluence.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20160918/3c91b2ab/attachment-0001.html 


Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list