On 9/27/2010 8:09 AM, Tony Graziano wrote:
> Or a text log that can be easily parsed, SNMP could be problematic, but
> applications like fail2ban want to look in a basic log file to leverage.
>
> It's more a question of identifying the behavior accurately first (at
> least to me).
>
> On Mon, Sep 27, 2010 at 8:02 AM, Joegen Baclor <[email protected]> wrote:
>
>     sipXsupervisor is the right place to do this. This begs the
>     question what is the most conducive channel to relay alerts coming
>     from the bridge as it triggers a potential DOS attack alarm. SNMP
>     traps is the first thing that comes to mind. Comments?

I briefly looked into this. It looks like the sipregistrar.log file, in INFO level, is the only file that will give us a bad login/IP address combo. The file will have a "401 Unauthorized" and eventually the last nVia: will have the IP.

It is too bad that sipx does not have the ability to log the registration attempts (at least the ones that fail) to a log similar to sipxconfig-logins.log.

I'll see if I can create a fail2ban config file to work with sipregister.log and sipxconfig-logins.log.

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
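
Added example, not part of the original message and not sipX or fail2ban code: a sketch of the matching described above, counting "401 Unauthorized" entries per address taken from the last Via header. The one-entry-per-line layout with CR/LF written as literal `\r\n`, the function names and the sample addresses are all assumptions.

```python
import re
from collections import Counter

# Assumed layout: the SIP message sits on one log line, CR/LF shown as literal \r\n.
VIA_RE = re.compile(r'\\nVia:\s*SIP/2\.0/\w+\s+([^\\]+)')

def _entry(status, client_via):
    # Builds one constructed log line; real sipregistrar.log lines may differ.
    return (r'"2010-09-27T12:00:00Z":INFO:"SIP/2.0 ' + status +
            r'\r\nVia: SIP/2.0/TCP 192.0.2.10;branch=z9hG4bK-p'
            r'\r\nVia: SIP/2.0/UDP ' + client_via +
            r'\r\nCSeq: 1 REGISTER\r\n\r\n"')

# Constructed sample data (documentation address ranges).
SAMPLE_LOG = [
    _entry("401 Unauthorized", "203.0.113.7:5060;branch=z9hG4bK-a"),
    _entry("401 Unauthorized", "203.0.113.7:5060;branch=z9hG4bK-b"),
    _entry("401 Unauthorized", "203.0.113.7:5060;branch=z9hG4bK-c"),
    _entry("401 Unauthorized",
           "10.1.1.5:5060;branch=z9hG4bK-d;received=198.51.100.20"),
    _entry("200 OK", "203.0.113.7:5060;branch=z9hG4bK-e"),
]

def source_ip(line):
    """Return the address in the last Via of a 401 entry, else None."""
    if "SIP/2.0 401 Unauthorized" not in line:
        return None
    vias = VIA_RE.findall(line)
    if not vias:
        return None
    last = vias[-1]
    # Behind NAT the observed address is carried in received= (RFC 3261).
    received = re.search(r';received=([0-9.]+)', last)
    if received:
        return received.group(1)
    # Otherwise take the sent-by host, dropping port and parameters.
    return re.split(r'[:;\s]', last, maxsplit=1)[0]

def offenders(lines, threshold=3):
    """Addresses with at least `threshold` 401 entries.

    A normal digest registration also draws one 401 challenge before the
    client sends credentials, so a single hit is not a failed login.
    """
    counts = Counter(ip for ip in map(source_ip, lines) if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```
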
