I happened to be in the cli tonight as someone (208.122.57.58) initiated a simple 
attack - just trying to make long distance calls from outside context.  
Although harmless, this went on for several minutes as the idiot just used up 
my bandwidth with SIP messages.  Here's an example:

[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
[2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
[2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
[2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
[2011-12-28 22:53:50] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
[2011-12-28 22:53:52] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '006442032987219' rejected because extension not found.
[2011-12-28 22:53:54] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '005442032987216' rejected because extension not found.
[2011-12-28 22:53:56] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '004442032987250' rejected because extension not found.

I thought that it might be worth adding a line to my fail2ban filter, but am 
looking for a hand with the regex.  I have come up with:
            NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found

but I realize that anyone misdialling a valid extension a few times gets cut 
off. Can someone suggest an improvement?  (How could I limit this to 4 or more 
digits dialled for example?)

Thanks!
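
Added example, not part of the original post: the filter from the message next to a variant that only matches dialled strings of four or more digits, checked with Python's `re` module, which is the regex engine fail2ban uses. The misdial line, the address-bearing line and the `HOST` stand-in for fail2ban's `<HOST>` tag are constructed assumptions; the log lines quoted above carry no source address, and a failregex needs one to identify the host to ban.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter proposed in the post: any rejected extension matches.
ORIGINAL = (r"NOTICE.* .*: Call from '' to extension '.*' "
            r"rejected because extension not found")
# Tightened: only extensions made of four or more digits match.
MIN4 = (r"NOTICE.* .*: Call from '' to extension '\d{4,}' "
        r"rejected because extension not found")
# Hypothetical variant for a log format that includes the peer address.
MIN4_HOST = (r"NOTICE.* .*: Call from '.*' \(" + HOST + r"(?::\d+)?\) "
             r"to extension '\d{4,}' rejected because extension not found")

PREFIX = ("[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 "
          "handle_request_invite: ")
# First log line from the post.
SCAN = (PREFIX + "Call from '' to extension '6442032987219' "
        "rejected because extension not found.")
# Constructed: a local user misdialling a three-digit extension.
MISDIAL = (PREFIX + "Call from '' to extension '204' "
           "rejected because extension not found.")
# Constructed: the same event in a format that logs the peer address.
WITH_ADDR = (PREFIX + "Call from '' (203.0.113.7:5060) to extension "
             "'008442032987215' rejected because extension not found.")


def matches(pattern, line):
    """True if the failregex candidate matches the log line."""
    return re.search(pattern, line) is not None


def host_of(pattern, line):
    """Address captured by the pattern, or None if nothing can be banned."""
    m = re.search(pattern, line)
    return m.group("host") if m and "host" in m.groupdict() else None


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("min4", MIN4),
                      ("min4+host", MIN4_HOST)):
        for label, line in (("scan", SCAN), ("misdial", MISDIAL),
                            ("with_addr", WITH_ADDR)):
            print(f"{name:10} {label:10} match={matches(pat, line)!s:5} "
                  f"host={host_of(pat, line)}")
```
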