I recently started to add some security features to my asterisk server. One was adding a fail2ban jail. Because I have asterisk running inside of docker, I mounted my log folder and changed fail2ban (installed on my docker host itself) to use the messages file (in my case: /opt/asterisk/log/messages).
Start by editing /etc/fail2ban/jail.d/asterisk.conf:
[asterisk]
enabled = true
filter = asterisk
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
banaction = iptables-multiport
logpath = /opt/asterisk/log/messages
maxretry = 5
findtime = 3h
bantime = 1d
Fail2ban needs a specific timestamp format, and to keep asterisk from creating GBs of logs I changed it to log only notice and error messages; both settings live in the /etc/asterisk/logger.conf file.
dateformat=%F %T
...
rotatestrategy = rotate
...
messages => notice,error
Finally, restart the asterisk logger and fail2ban.
asterisk*CLI> logger reload
service fail2ban restart
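To see how the maxretry/findtime pair from the jail above behaves against the %F %T timestamps, here is an added Python example (not from the original post, and not fail2ban's own code): it applies a simplified stand-in for fail2ban's asterisk filter to constructed log lines and counts failures per source address in a sliding window. The regular expression, the failure reasons it recognises and the sample lines are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY = 5                    # from the jail above
FINDTIME = timedelta(hours=3)   # findtime = 3h

# Simplified stand-in for fail2ban's asterisk filter (not the real filter.d/asterisk.conf):
# the leading timestamp is what dateformat=%F %T produces, the source address sits in
# "failed for '<ip>:<port>'", and only a few assumed failure reasons are recognised.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\].*"
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'.*"
    r"(?:Wrong password|Failed to authenticate|No matching endpoint found)"
)

def parse_failures(lines):
    """Yield (timestamp, ip) for each line that matches the failure pattern."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """IPs with at least maxretry failures inside a sliding findtime window."""
    recent = defaultdict(list)
    banned = set()
    for ts, ip in sorted(parse_failures(lines)):
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:   # expire attempts older than findtime
            window.pop(0)
        if len(window) >= maxretry:
            banned.add(ip)
    return banned

def _line(ts, ip, reason):
    # Constructed sample line in chan_sip style, using TEST-NET addresses.
    return (f"[{ts}] NOTICE[4242] chan_sip.c: Registration from '\"100\" <sip:100@pbx>' "
            f"failed for '{ip}:5060' - {reason}")

SAMPLE_LOG = [
    # burst of five from one source within seconds: reaches maxretry inside findtime
    *[_line(f"2024-03-01 10:00:{s:02d}", "203.0.113.5", "Wrong password") for s in (0, 5, 10, 15, 20)],
    # five from another source spread over four hours: never five inside any 3h window
    *[_line(f"2024-03-01 {h:02d}:00:00", "198.51.100.7", "Wrong password") for h in range(8, 13)],
    # unrelated line that must not count as a failure
    "[2024-03-01 10:00:30] WARNING[4242] chan_sip.c: Retransmission timeout reached on transmission abc",
]
```

For the real filter, run fail2ban-regex /opt/asterisk/log/messages /etc/fail2ban/filter.d/asterisk.conf on the host and check that the date template and the failure lines are both matched; a zero match count usually means the dateformat change has not taken effect yet.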