iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent"
--algo bm -j DROP
Its something like this
Registration from '"30" <sp:30@my_public_ip:5060> failed for
'192.168.xxx.xxx:6373' - Wrong Password
and there are approx 10 request per minute of this type.
Please suggest some way to stop this.
In my experience you need to do 2 things to fix your problem.
#1) Get the real IP address of the attacker.
First you will need to recompile Asterisk to enable the log that shows
the IP of the attacker. It apparently is only set for debug so you need
to edit chan_sip.c
In chan_sip.c
if (!peer) {
if (debug) *** <--- delete this line
ast_verbose("No matching peer for '%s' from
'%s'\n",
of, ast_sockaddr_stringify(&p->recv));
} *** <--- delete this line
This will enable logs like:
VERBOSE[24693] chan_sip.c: No matching peer for '1000' from
'104.14.190.14:5080
#2) Now that you have the IP of the attacker, just use fail2ban to block
him automatically. Make sure you test out your rules. For example the
above log is detected with fail2ban rule:
VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from
'<HOST>(:[0-9]+)?'$
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly
life in the midst of these materialistic turbulences.
--
Technical Support
http://www.cellroute.net
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
