Security tooling
Fail2Ban SIP regex generator & tester
Paste a line from your Asterisk or Kamailio log and get a production-ready Fail2Ban failregex. Includes presets for registration brute-force, INVITE scans, and Kamailio auth failures.
Output
Fail2Ban filter block
[Definition] failregex = ^Registration from '[^']+' failed for '<HOST>:\d+' - (Wrong password|No matching peer found|Username/auth name mismatch|Challenge response failed|Device does not match ACL)$ # Recommended jail settings: # maxretry = 5 # bantime = 3600 # findtime = 600 # /etc/fail2ban/jail.local # [asterisk-sip] # enabled = true # filter = asterisk-sip # logpath = /var/log/asterisk/full # port = 5060,5061 # protocol = udp
How it works
Three steps to results
- 01
Paste a log line
Copy a single line from /var/log/asterisk/full, Kamailio syslog, or FreePBX security logs. The generator tokenizes static text and replaces IPs, extensions, and usernames with capture groups.
- 02
Copy the filter block
Get a complete [Definition] section with failregex, ignoreregex, and recommended maxretry/bantime values. Presets cover the most common SIP attack patterns across major PBX platforms.
- 03
Test before deploy
Paste sample attack lines into the built-in tester to confirm your regex matches real traffic without false positives on legitimate registrations.
FAQ
Frequently asked questions
Common questions about this tool and how it fits into your VoIP security workflow.
Contact support →Paste a failed registration line from /var/log/asterisk/full into this generator. It escapes static text and replaces the attacker IP and extension with regex capture groups, then outputs a complete [Definition] block you can drop into /etc/fail2ban/filter.d/.
Skip manual Fail2Ban tuning
SipRadar pushes a global SIP blacklist straight into iptables.
Why wrestle with regex when our API auto-blocks known toll-fraud infrastructure across 214 honeypots? Community tier is free.