I too have noticed a marked increase, over probably the last 2 weeks, of SIP scans and brute force attempts at the many different sites we maintain. There does not appear to be a single source for these attempts, but France, China and the US feature prominently.

We also use the various methods described by Reza to limit the attack footprint and block failed attempts with fail2ban; however, we also use the allow and deny sip variables. For most of our sites, the majority of SIP connections are internal, with very few external connections required. In these cases, we put
    deny=0.0.0.0/0.0.0.0
    allow=192.168.1.0/255.255.255.0 (local subnet)
in each sip extension, and only for those specific extensions coming in externally do we have an allow=0.0.0.0/0.0.0.0.

This just gives us one additional layer of protection.

What I am curious about is whether there is some utility or tool which contains a centralized listing of these banned IPs, so that this list could be used to block them at all sites. What we often see is the same IP blocked at one site, then a few hours later blocked at another site, and so on. If we could block this IP at all our sites after the first attempt, it would help. This list could even be shared/queried by others and the offending IPs blocked preemptively.
Anybody aware of such a system?

Martin
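The centralized list Martin asks about can be prototyped with a small script that merges fail2ban "Ban" events from several sites, drops anything inside the local subnets that sip.conf already whitelists, and renders one blocklist for distribution to every site. This is an added example, not code from the original post or from any existing tool; it assumes fail2ban's default log line format ("... fail2ban.actions: WARNING [jail] Ban <ip>"), and the site names, addresses and log text below are constructed sample data.

```python
"""Merge fail2ban ban events from several sites into one shared SIP blocklist.

Added example, not from the original post. Assumes fail2ban's default log
line format; the site names, addresses and log text are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Matches "Ban <ip>" events only; "Unban" lines deliberately do not match,
# so an address stays on the shared list even after the local ban expires.
BAN_RE = re.compile(
    r"fail2ban\.actions:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>[0-9.]+)"
)

# Constructed sample logs from three hypothetical sites.
SAMPLE_LOGS = {
    "site-a": "\n".join([
        "2010-11-05 10:12:33,101 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.10",
        "2010-11-05 10:40:02,555 fail2ban.actions: WARNING [asterisk-iptables] Ban 198.51.100.7",
        "2010-11-05 11:12:33,101 fail2ban.actions: WARNING [asterisk-iptables] Unban 203.0.113.10",
    ]),
    "site-b": "\n".join([
        "2010-11-05 13:05:10,009 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.10",
        "2010-11-05 13:09:44,210 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.50",
    ]),
    "site-c": "\n".join([
        "2010-11-05 16:20:00,000 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.0.113.10",
        "2010-11-05 16:21:00,000 fail2ban.actions: WARNING [asterisk-iptables] Ban 198.51.100.7",
    ]),
}

# Networks that must never reach a shared blocklist: the local subnet that
# sip.conf already allows, plus the rest of RFC 1918 and loopback space.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("192.168.1.0/24", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]


def parse_bans(text, jails=("asterisk-iptables",)):
    """Return the set of IPs banned by the given jails in one site's log."""
    banned = set()
    for line in text.splitlines():
        m = BAN_RE.search(line)
        if m and m.group("jail") in jails:
            banned.add(m.group("ip"))
    return banned


def aggregate(logs, never_block=NEVER_BLOCK):
    """Map each banned IP to the set of sites that banned it, skipping
    malformed addresses and anything inside never_block."""
    seen = defaultdict(set)
    for site, text in logs.items():
        for ip in parse_bans(text):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if any(addr in net for net in never_block):
                continue
            seen[str(addr)].add(site)
    return dict(seen)


def shared_blocklist(agg, min_sites=1):
    """IPs seen at >= min_sites sites, sorted numerically. min_sites=1 is the
    'block everywhere after the first attempt' policy from the post; a higher
    value trades coverage for fewer false positives."""
    return sorted((ip for ip, sites in agg.items() if len(sites) >= min_sites),
                  key=lambda ip: int(ipaddress.ip_address(ip)))


def iptables_rules(ips, chain="INPUT"):
    """Render one DROP rule per address for pushing out to every site."""
    return [f"iptables -A {chain} -s {ip}/32 -j DROP" for ip in ips]


if __name__ == "__main__":
    agg = aggregate(SAMPLE_LOGS)
    for ip in shared_blocklist(agg):
        print(ip, "seen at", ", ".join(sorted(agg[ip])))
    print("\n".join(iptables_rules(shared_blocklist(agg, min_sites=2))))
```

The never_block check is the important safeguard when lists are shared across sites or with other operators: a single site's misconfiguration (here, a private address banned by an unrelated ssh jail) would otherwise propagate a self-inflicted outage to every site that consumes the list. Raising min_sites is the knob for the preemptive sharing Martin describes, since an address seen brute-forcing several independent sites is much less likely to be a false positive than one seen once.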

