Skip to content

Security tooling

Fail2Ban SIP regex generator & tester

Paste a line from your Asterisk or Kamailio log and get a production-ready Fail2Ban failregex. Includes presets for registration brute-force, INVITE scans, and Kamailio auth failures.

Output

Fail2Ban filter block

[Definition]
failregex = ^Registration from '[^']+' failed for '<HOST>:\d+' - (Wrong password|No matching peer found|Username/auth name mismatch|Challenge response failed|Device does not match ACL)$

# Recommended jail settings:
# maxretry = 5
# bantime = 3600
# findtime = 600

# /etc/fail2ban/jail.local
# [asterisk-sip]
# enabled = true
# filter = asterisk-sip
# logpath = /var/log/asterisk/full
# port = 5060,5061
# protocol = udp

How it works

Three steps to results

  1. 01

    Paste a log line

    Copy a single line from /var/log/asterisk/full, Kamailio syslog, or FreePBX security logs. The generator tokenizes static text and replaces IPs, extensions, and usernames with capture groups.

  2. 02

    Copy the filter block

    Get a complete [Definition] section with failregex, ignoreregex, and recommended maxretry/bantime values. Presets cover the most common SIP attack patterns across major PBX platforms.

  3. 03

    Test before deploy

    Paste sample attack lines into the built-in tester to confirm your regex matches real traffic without false positives on legitimate registrations.

FAQ

Frequently asked questions

Common questions about this tool and how it fits into your VoIP security workflow.

Contact support →
  • Paste a failed registration line from /var/log/asterisk/full into this generator. It escapes static text and replaces the attacker IP and extension with regex capture groups, then outputs a complete [Definition] block you can drop into /etc/fail2ban/filter.d/.

Skip manual Fail2Ban tuning

SipRadar pushes a global SIP blacklist straight into iptables.

Why wrestle with regex when our API auto-blocks known toll-fraud infrastructure across 214 honeypots? Community tier is free.