According to the asterisk devs, asterisk does not buffer its messages log. Please keep in mind I had this originally set up for fail2ban to check /var/log/asterisk/messages, but I switched it to /var/log/messages because I thought it might help resolve this issue.

On Mon, Mar 28, 2011 at 10:46 AM, Tom Hendrikx <tom@whyscream.net> wrote:
On 28/03/11 15:56, vip killa wrote:
> On Mon, Mar 28, 2011 at 9:46 AM, Tom Hendrikx <tom@whyscream.net
> <mailto:tom@whyscream.net>> wrote:
>
>     On 28/03/11 15:34, vip killa wrote:
>     > Is anyone using asterisk with fail2ban? I have it working except it
>     > takes way more break-in attempts than what is set in "maxretry" in
>     jail.conf
>     > For example, I get an email saying:
>     > "The IP 199.204.45.19 has just been banned by Fail2Ban after 181
>     > attempts against ASTERISK."
>     >
>     > when "maxretry = 5" in jail.conf
>     >
>     > I asked asterisk-users about this and they said:
>     > "How often does fail2ban check the logs? It can only block that often,
>     > so if more attempts happen in that time period it can't do anything
>     > until it knows."
>     > Perhaps someone else is experiencing this or has resolved it,
>     thank you
>     > in advance for your time.
>     >
>
>     This can be caused by many things, f.i. log output buffering by the
>     application writing the logfiles, or the attackers sending many attempts
>     in a small timeframe.
>
>     Could you first look at the asterisk logfile and check in what timeframe
>     the 181 attempts are?
>
> Log shows break-in attempt began at 09:06:51 and ended at 09:07:08
>

So the attacker sends more than 10 requests per second. This should
trigger fail2ban with maxretry=5 after 1 second of logging. It seems to
take much longer (~17 seconds until the block is effective). Read [0] on
why this could be happening.

According to [1], you're monitoring the syslog output for asterisk.

Depending on which backend fail2ban is using, and how often the logfile
is updated (many syslog implementations use buffered logging), the
actual blocking could take some time.

My first guess is your syslog is buffering output, so fail2ban does not
see the failed attempts soon enough.

[0] http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Reaction_time
[1] http://www.fail2ban.org/wiki/index.php/Asterisk
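To make the reaction-time point above concrete, here is an added Python simulation (not from this thread and not fail2ban's own code) that replays a constructed flood of Asterisk failed-registration lines through a simplified fail2ban-style poll loop; the Asterisk line format, the `flush_delay` model of log buffering and the sample IP usage are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed Asterisk 1.8-style chan_sip failure line (constructed for this example).
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'"
)

def parse_failure(line, year=2011):
    """Return (timestamp, ip) for a failed-registration line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def make_flood(ip, start, count, per_second):
    """Construct `count` failure lines from `ip`, `per_second` per second."""
    return [
        f"[{(start + timedelta(seconds=i // per_second)).strftime('%b %d %H:%M:%S')}] "
        f"NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@198.51.100.5>' "
        f"failed for '{ip}' - Wrong password"
        for i in range(count)
    ]

def attempts_before_ban(lines, maxretry=5, findtime=600, poll=1.0, flush_delay=0.0):
    """Simplified fail2ban-like monitor: a line becomes readable `flush_delay`
    seconds after its timestamp (log buffering); the monitor reads every `poll`
    seconds and bans an IP once `maxretry` failures fall within `findtime`.
    Returns {ip: (seconds_until_ban, attempts_that_landed_before_ban)}."""
    events = sorted(e for e in (parse_failure(l) for l in lines) if e)
    if not events:
        return {}
    t0 = events[0][0]
    rel = [((ts - t0).total_seconds(), ip) for ts, ip in events]
    seen, banned, idx, now = {}, {}, 0, 0.0
    while idx < len(rel):
        while idx < len(rel) and rel[idx][0] + flush_delay <= now:
            t, ip = rel[idx]
            idx += 1
            if ip in banned:
                continue
            seen[ip] = [x for x in seen.get(ip, []) if t - x <= findtime] + [t]
            if len(seen[ip]) >= maxretry:
                # Every attempt logged up to the ban moment reached Asterisk.
                banned[ip] = (now, sum(1 for s, i in rel if i == ip and s <= now))
        now += poll
    return banned
```

With the thread's numbers (about 11 attempts per second, maxretry=5) an unbuffered log bans after the first second's attempts, while a 15 second buffering delay lets roughly the 176 attempts seen in the thread land before the block is effective.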


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users