I recently started adding some security features to my Asterisk server. One of them was a fail2ban jail. Because I have Asterisk running inside Docker, I mounted my log folder on the host and pointed fail2ban (installed on the Docker host itself) at the messages file (in my case: /opt/asterisk/log/messages).

Start by editing /etc/fail2ban/jail.d/asterisk.conf:

[asterisk]
enabled = true
filter = asterisk
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
banaction = iptables-multiport
logpath = /opt/asterisk/log/messages
maxretry = 5
findtime = 3h
bantime = 1d

Fail2ban needs a specific timestamp format, so I set dateformat in the /etc/asterisk/logger.conf file. To prevent Asterisk from creating GBs of logs, I also changed it there to log only notice and error messages.

dateformat=%F %T

...

rotatestrategy = rotate

...

messages => notice,error

Finally, reload the Asterisk logger (from the Asterisk CLI) and restart fail2ban (on the Docker host):

asterisk*CLI > logger reload
service fail2ban restart
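
How the jail thresholds (maxretry, findtime) depend on the %F %T timestamps, as an added example that is not part of the original post: a small Python simulation over constructed log lines. The failure regex is a simplified stand-in for fail2ban's asterisk filter, and the chan_sip message layout and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 5                     # jail: maxretry = 5
FINDTIME = timedelta(hours=3)    # jail: findtime = 3h
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # logger.conf: dateformat=%F %T

# Simplified stand-in for the asterisk filter (assumption, not fail2ban's regex).
FAILURE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?:NOTICE|ERROR)\[\d+\].*?"
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
)

def scan(lines):
    """Return (banned, unparsed): IPs with MAXRETRY failures inside FINDTIME,
    and failure lines whose timestamp is not in the %F %T format."""
    hits, banned, unparsed = defaultdict(deque), [], []
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue                      # not an authentication failure
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            unparsed.append(line)         # wrong dateformat: cannot be counted
            continue
        window = hits[m["ip"]]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned, unparsed

def fail(ts, ip):
    """Build one constructed 'Wrong password' line (assumed chan_sip layout)."""
    return (f"[{ts}] NOTICE[1201] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@192.0.2.10>' failed for '{ip}:5060' - Wrong password")

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = (
    [fail(f"2024-05-01 10:0{i}:00", "203.0.113.7") for i in range(5)]  # 5 in 4 minutes
    + [fail(f"2024-05-01 {h:02d}:00:00", "198.51.100.9") for h in (0, 4, 8, 12, 16)]
    + [fail("May  1 10:00:00", "203.0.113.8")]                         # not %F %T
    + ["[2024-05-01 10:05:00] NOTICE[1201] chan_sip.c: Peer '100' is now Reachable"]
)

if __name__ == "__main__":
    banned, unparsed = scan(SAMPLE)
    print("would ban:", banned)
    print("lines with unusable timestamp:", len(unparsed))
```

The second address fails five times but never more than once per three hours, so it stays below maxretry within findtime.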