Monthly Archives: September 2012

Multi line pattern match with fail2ban

I run my own asterisk server where it is well protected against external attacks using iptables + fail2ban.  I thought it was secure enough until I came across attacks which my current fail2ban configuration failed to detect.  In investigation tells me that fail2ban cannot do multi line pattern match and because the attacker’s IP was not logged in the same line where the attack statement was mentioned, fail2ban did not work.

The only solution I could find / think of is to write my own script which will write these multiple lines into one single line.  Assuming you will hit this bottleneck of fail2ban sooner or later, I have uploaded the script which I wrote to github and available for free download.

Feel free to use the script.  I welcome your comments / suggestions.