Michelle Dupuis
2011-Dec-29 04:07 UTC
[asterisk-users] Interesting attack tonight & fail2ban them
I happened to be in the cli tonight as some (208.122.57.58) initiated a simple attack - just trying to make long distance calls from outside context. Although harmless, this went on for several minutes as the idiot just used up my bandwidth with SIP messages. Here's an example:

[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
[2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
[2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
[2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
[2011-12-28 22:53:50] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
[2011-12-28 22:53:52] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '006442032987219' rejected because extension not found.
[2011-12-28 22:53:54] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '005442032987216' rejected because extension not found.
[2011-12-28 22:53:56] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '004442032987250' rejected because extension not found.

I thought that it might be worth adding a line to my fail2ban filter, but am looking for a hand with the regex. I have come up with:

    NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found

but I realize that anyone misdialling a valid extension a few times gets cut off. Can someone suggest an improvement? (How could I limit this to 4 or more digits dialled for example?)

Thanks!
Carlos Rojas
2011-Dec-29 04:11 UTC
[asterisk-users] Interesting attack tonight & fail2ban them
Hello,

Do you set up your logrotate in /etc/asterisk? Do you test that your fail2ban works fine?

Regards

On Wed, Dec 28, 2011 at 11:07 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote:
> I happened to be in the cli tonight as some (208.122.57.58) initiated a simple attack - just trying to make long distance calls from outside context. Although harmless, this went on for several minutes as the idiot just used up my bandwidth with SIP messages. Here's an example:
>
> [2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
> [2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
> [2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
> [2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
> [2011-12-28 22:53:50] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
> [2011-12-28 22:53:52] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '006442032987219' rejected because extension not found.
> [2011-12-28 22:53:54] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '005442032987216' rejected because extension not found.
> [2011-12-28 22:53:56] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '004442032987250' rejected because extension not found.
>
> I thought that it might be worth adding a line to my fail2ban filter, but am looking for a hand with the regex. I have come up with:
>
>     NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found
>
> but I realize that anyone misdialling a valid extension a few times gets cut off. Can someone suggest an improvement? (How could I limit this to 4 or more digits dialled for example?)
>
> Thanks!
Andrew Furey
2011-Dec-29 04:37 UTC
[asterisk-users] Interesting attack tonight & fail2ban them
On 29 December 2011 12:07, Michelle Dupuis <mdupuis at ocg.ca> wrote:
> I thought that it might be worth adding a line to my fail2ban filter, but am looking for a hand with the regex. I have come up with:
>
>     NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found
>
> but I realize that anyone misdialling a valid extension a few times gets cut off. Can someone suggest an improvement? (How could I limit this to 4 or more digits dialled for example?)

[ Caveat - I have never used fail2ban ]

If it supports Perl-style regexps, you could do:

    NOTICE.* .*: Call from '' to extension '[0-9]{4,}' rejected because extension not found

That will do "at least 4 digits". Or the long way (Bash-style etc):

    NOTICE.* .*: Call from '' to extension '[0-9][0-9][0-9][0-9][0-9]*' rejected because extension not found

HTH,
Andrew

--
Linux supports the notion of a command line or a shell for the same reason that only children read books with only pictures in them. Language, be it English or something else, is the only tool flexible enough to accomplish a sufficiently broad range of tasks.
                          -- Bill Garrett
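An added example (not from the thread) that runs Andrew's `[0-9]{4,}` suggestion over constructed log lines in the format Michelle posted, and emulates fail2ban's maxretry/findtime counting so the effect of the threshold can be checked. One thing the example makes visible: these chan_sip NOTICE lines carry no source address, so a real fail2ban failregex would also need a line that exposes the peer's IP for its `<HOST>` token; the windowing below is therefore global, not per host.

```python
import re
from datetime import datetime, timedelta

# Andrew's "at least 4 digits" pattern, anchored to the full Asterisk NOTICE line.
# Constructed for this example; fail2ban's own failregex syntax would additionally
# need a <HOST> token, which these lines do not carry.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"handle_request_invite: Call from '' to extension '(?P<ext>[0-9]{4,})' "
    r"rejected because extension not found\.$"
)

# Constructed sample: scanner-style probes in the thread's format, one short
# misdial ('123') that must NOT match, and a late straggler outside the first window.
SAMPLE_LOG = """\
[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
[2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
[2011-12-28 22:53:45] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '123' rejected because extension not found.
[2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
[2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
[2011-12-28 22:55:10] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
"""


def matching_extensions(log_text):
    """Return (timestamp, extension) for every line the 4-or-more-digit pattern matches."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m.group("ext")))
    return hits


def exceeds_threshold(hits, maxretry=3, findtime=60):
    """Emulate fail2ban's rule: True if at least `maxretry` hits fall inside
    any window of `findtime` seconds (window starts at each hit in turn)."""
    times = sorted(t for t, _ in hits)
    window = timedelta(seconds=findtime)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= maxretry:
            return True
    return False
```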