asterisk users - Nov 2010 - ID'ing failed auth IPs

So when someone's brute forcing your server is there a way to identify
the originating IPs without using a tcpdump?  When I get a failed auth
on the console it shows 'account at asteriskserver' then tag=as25ca5023
(or
some random string, though it's a bit odd as alwaysauthreject = yes is
on in sip.conf).  Anyway, the logs don't show anything more useful
either.  Is there something obvious I'm missing?  Cranking up verbosity
on the console doesn't seem to do anything.

hose

On Mon, Nov 29, 2010 at 2:01 PM, Hose <hose+asterisk at
bluemaggottowel.com> wrote:
> So when someone's brute forcing your server is there a way to identify
> the originating IPs without using a tcpdump? ?When I get a failed auth
> on the console it shows 'account at asteriskserver' then
tag=as25ca5023 (or
> some random string, though it's a bit odd as alwaysauthreject = yes is
> on in sip.conf). ?Anyway, the logs don't show anything more useful
> either. ?Is there something obvious I'm missing? ?Cranking up verbosity
> on the console doesn't seem to do anything.
>
> hose
You can use IPTABLES to log all traffic on a port for you.  Instead of
ACCEPT or DROP use LOG.