From: Joe G. <jg...@ns...> - 2010-11-29 13:57:10
Related to http://www.sshguard.net/support/submission/detail/49ce7182028d8b6f3e3d/

Asterisk is a telephony PBX application; it handles VoIP and POTS phone traffic. Because a PBX is essentially a switch for voice traffic, it's theoretically susceptible to attack, and in fact since many people use numeric extensions and trivial passwords, many times it turns out to be actually susceptible to brute force attacks. VoIP typically uses UDP transport, so an attacker trying to guess at your passwords will bombard your server with hundreds or thousands of packets per second of UDP traffic, essentially DoS'ing your server.

sshguard sitting live on a logfile from syslogd looks like the ideal application to handle this. Many other people are running things like fail2ban but it strikes me as suboptimal and requires python anyways, so a fast compiled daemon is a better choice.

The patterns needed are

  .*Registration from '.*' failed for '<HOST>' - Wrong password
  .*Registration from '.*' failed for '<HOST>' - No matching peer found
  .*Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
  .*No registration for peer '.*' (from <HOST>)
  .*Host <HOST> failed MD5 authentication for '.*' (.*)
  .*Failed to authenticate user .*@<HOST>.*

But so far I'm having a little trouble getting even just the first one to work. Maybe I'm just getting the rule structure wrong, but there's another difficulty: Asterisk may bless its logfiles with color escape codes. I'm not sure the best way to cope with that. I was trying just ".*" to cover for it. Shouldn't that work?

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
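As an added example (not part of Joe's post and not sshguard's own code), here is the matching logic the post is after, written in Python so it can be tried against a log file directly: strip ANSI colour sequences from each line first, then apply the six patterns from the post with `<HOST>` turned into a named group, and count failures per source host. The log lines below are constructed for the example in Asterisk's default log layout; the short pattern labels, the handling of an optional `:port` suffix after the host, and the threshold value are assumptions, not something the post specifies.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not from the post). Two lines carry the ANSI
# colour codes Asterisk emits around the log level; one carries a :port
# suffix after the host, which newer Asterisk versions append.
SAMPLE_LOG = """\
[Nov 29 08:12:01] \x1b[1;33mNOTICE\x1b[0m[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Nov 29 08:12:02] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Nov 29 08:12:03] \x1b[1;33mNOTICE\x1b[0m[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Nov 29 08:12:04] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Username/auth name mismatch
[Nov 29 08:12:05] NOTICE[2231] chan_sip.c: No registration for peer '200' (from 203.0.113.5)
[Nov 29 08:12:06] NOTICE[2231] chan_sip.c: Host 198.51.100.7 failed MD5 authentication for 'asterisk' (abc != def)
[Nov 29 08:12:07] NOTICE[2231] chan_sip.c: Failed to authenticate user "300" <sip:300@203.0.113.5>;tag=as1f2e
[Nov 29 08:12:08] VERBOSE[2231] -- Registered SIP '100' at 192.0.2.10 port 5060
"""

# ANSI SGR sequences (ESC [ ... m) are what terminal colouring uses.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")

# The host inside quotes, with an optional ':port' that is not part of it.
_QUOTED_HOST = r"'(?P<host>[^']+?)(?::\d+)?'"

# The six patterns from the post, with <HOST> as a named group and the
# literal parentheses escaped. Labels are assumed names for this example.
FAILURE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    (label, re.compile(pattern))
    for label, pattern in [
        ("wrong-password", r"Registration from '.*' failed for " + _QUOTED_HOST + r" - Wrong password"),
        ("no-peer", r"Registration from '.*' failed for " + _QUOTED_HOST + r" - No matching peer found"),
        ("name-mismatch", r"Registration from '.*' failed for " + _QUOTED_HOST + r" - Username/auth name mismatch"),
        ("no-registration", r"No registration for peer '.*' \(from (?P<host>[^)]+)\)"),
        ("md5-failed", r"Host (?P<host>\S+) failed MD5 authentication for '.*' \(.*\)"),
        ("auth-failed", r"Failed to authenticate user .*@(?P<host>[^\s'\">;]+)"),
    ]
]


def strip_ansi(line: str) -> str:
    """Remove terminal colour sequences so the patterns see plain text."""
    return ANSI_RE.sub("", line)


def match_failure(line: str) -> Optional[Tuple[str, str]]:
    """Return (host, label) for a recognised authentication failure, else None."""
    clean = strip_ansi(line)
    for label, pattern in FAILURE_PATTERNS:
        m = pattern.search(clean)
        if m:
            return m.group("host"), label
    return None


def count_failures(log_text: str) -> Dict[str, int]:
    """Count recognised failures per source host over a whole log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


def offenders(log_text: str, threshold: int) -> List[str]:
    """Hosts whose failure count reaches the (assumed) threshold."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for host, n in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{host}: {n} failures")
    print("over threshold:", offenders(SAMPLE_LOG, 4))
```

Stripping the colour codes before matching is the simpler answer to the escape-code problem: the sequences can land anywhere in the line, including between the level name and its bracketed thread id, so a single `.*` at the start of a pattern cannot be relied on to absorb them. Escaping the parentheses in the last three patterns matters for the same reason it would in any regex engine: unescaped, `(from <HOST>)` is a group, not the literal text Asterisk writes.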