Keep in mind that the attacks you are seeing in the log are ONLY the ones that Asterisk is detecting and rejecting. All other attacks aren't even showing up!
There's a good discussion of how to secure your PBX here: https://www.voip-info.org/wiki/view/asterisk+security

In general, don't let the malevolent traffic get as far as the PBX (block at the firewall).

Also, Digium regularly warns users that fail2ban is NOT a security system: http://forums.asterisk.org/viewtopic.php?p=159984

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
Sent: Tuesday, August 15, 2017 3:38 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] Detecting DoS attacks via SIP

Hi all,

Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this:

[Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
[Aug 2 20:27:50] == Using SIP RTP TOS bits 24
[Aug 2 20:27:50] == Using SIP RTP CoS mark 5
[Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
[Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
[Aug 2 20:32:47] == Using SIP RTP TOS bits 24
[Aug 2 20:32:47] == Using SIP RTP CoS mark 5
[Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
[Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6

I have to turn on sip debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.

So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.

Any ideas?

Mike Diehl.

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users