我正在尝试创建一个 fail2ban 过滤器来匹配成功的身份验证。示例日志条目如下所示:
[2023-05-25 18:41:00] VERBOSE[26149] res_pjsip/pjsip_options.c: Contact user/sip:[email protected]:47682;transport=ws;x-ast-orig-host=b0cnalpndgjm.invalid:0 is now Reachable. RTT: 27.843 msec
我不精通创建 fail2ban 过滤器,但这是我的尝试(我首先将 filter.d 中的 asterisk.conf 复制到 asterisk-whitelist.conf 以用作模板,然后更改 failregex 以尝试匹配类似的行以上):
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^Contact [A-Za-z0-9]+/sip:[A-Za-z0-9]+@<HOST>:[0-9]+;transport=[A-Za-z]+;[A-Za-z]+=[A-Za-z0-9\.]+:0 is now Reachable\. RTT: [0-9]*\.[0-9]+ msec$
ignoreregex =
以上不起作用。我不是特别确定如何解决此问题,或者需要进行哪些更改才能匹配。结果fail2ban-regex /var/log/asterisk/full asterisk-whitelist.conf
显示 0 个匹配项。
已更新以在已接受答案的帮助下添加最终解决方案。这是最终对我有用的配置:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = asterisk
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING|VERBOSE)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^.*Contact .*\/sip[s]?:.*@<HOST>.* is now Reachable.*
ignoreregex =