I recently started to add some security features to my asterisk server. One was adding a fail2ban jail. Because I have asterisk running inside Docker, I mounted the container's log folder on the host and pointed fail2ban (installed on the Docker host itself) at the messages file (in my case: /opt/asterisk/log/messages).
Start by editing /etc/fail2ban/jail.d/asterisk.conf:
[asterisk]
enabled = true
filter = asterisk
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
banaction = iptables-multiport
logpath = /opt/asterisk/log/messages
maxretry = 5
findtime = 3h
bantime = 1d
Fail2ban's asterisk filter needs a specific timestamp format, and to keep asterisk from writing GBs of logs I changed /etc/asterisk/logger.conf so that the messages file only receives notice and error messages:
dateformat=%F %T
...
rotatestrategy = rotate
...
messages => notice,error
Finally, reload the asterisk logger and restart fail2ban.
asterisk*CLI > logger reload
service fail2ban restart
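Before trusting the jail, it is worth seeing which log lines it would actually count. The script below is an added example, not part of the original post and not fail2ban's own code: it runs a minimal stand-in for the jail's counting logic over constructed Asterisk log lines written in the dateformat=%F %T layout configured above, and prints the source addresses that have reached maxretry failures. The sample lines, the IP addresses and the maxretry value are assumptions made for the example; the findtime window is not modelled, since all sample lines fall within 3h.

```shell
#!/bin/sh
# Added example (not from the original post, not fail2ban's code): count
# failed SIP authentication attempts per source address in Asterisk's
# messages log, the way the fail2ban asterisk jail does, so you can check
# that your log format produces matchable lines before relying on the ban.

MAXRETRY=5   # same value as the jail above (assumption for this example)

# Constructed sample log lines (not real traffic), in the "[%F %T]" format
# produced by dateformat=%F %T. 198.51.100.7 fails six times (chan_sip and
# PJSIP wording), 203.0.113.9 fails twice, and one registration succeeds.
sample_log() {
cat <<'EOF'
[2024-01-15 10:20:30] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-01-15 10:20:31] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-01-15 10:20:32] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[2024-01-15 10:21:05] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[2024-01-15 10:22:40] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' (callid: a1b2c3) - Wrong password
[2024-01-15 10:22:41] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.7:5060' (callid: d4e5f6) - No matching endpoint found
[2024-01-15 10:23:10] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[2024-01-15 10:24:00] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"105" <sip:105@192.0.2.10>' failed for '198.51.100.7:5060' (callid: 0a1b2c) - Wrong password
[2024-01-15 10:25:00] NOTICE[1234] chan_sip.c: Peer '300' is now Reachable. (12ms / 2000ms)
EOF
}

# Read log lines on stdin; print "count ip" for every address that appears
# in a "failed for 'IP:port'" or "failed for 'IP'" message.
failures_per_ip() {
  sed -n "s/.* failed for '\([0-9][0-9.]*\)[^']*'.*/\1/p" \
    | sort | uniq -c | awk '{print $1, $2}'
}

# Print the addresses that have reached MAXRETRY failures: the set the jail
# would ban (ignoring findtime, which all sample lines satisfy).
offending_ips() {
  sample_log | failures_per_ip | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

offending_ips
```

Against the real log, the equivalent check is fail2ban's own tester, `fail2ban-regex /opt/asterisk/log/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines the filter matched; zero matches on a log you know contains failed registrations usually means the timestamp format or log level is wrong. One caveat for the Docker setup described here (an assumption about its networking, since the post does not say which mode it uses): if the container uses Docker's default bridge networking rather than host networking, traffic to the published SIP ports is forwarded to the container and never traverses the host's INPUT chain, so a ban inserted there has no effect; fail2ban's `chain` setting exists for this case and should then point at the chain the forwarded packets actually pass through (Docker provides DOCKER-USER for user rules). Confirm with `fail2ban-client status asterisk` that banned addresses appear, and with a packet capture or the iptables counters that their traffic is actually dropped.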