similar to: Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

... using it as a tool and understanding what it does... So one part of it's toolset identifys valid SIP accounts - and I was under the impression that alwaysauthreject=yes was supposed to stop this... However, it sends a request for a highly probably non-existent account, then sends requests for probably existing accounts and I guess compares the results - account not found vs. bad

Greetings all, I have been seeing a lot of [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697 in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ? Thank you

Hi, Got some great news a few days ago from Sandro Gauci (@SandroGauci) and we'll be talking about this with him this Friday at 1PM. SIPVicious, the free security tools for SIP scanning, now include a new tool: svcrash. It is aimed at helping system administrators stop bandwidth consuming scans making use of svwar and svcrack. Here is the announcement on SIPViscious blog:

Hello all. I was recently the victim of a SIP flood attack. I'm wondering what is the best method to prevent such things in the future. Many thanks Greg -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20101003/2e254523/attachment.htm

Hey, I'm going thru logs, and I see some very common and interesting things that the hackers are looking for. In a whole bunch of scans, I've noticed that the first guess or two for sip accounts is usually a 10-digit number. I'm asking myself, why these numbers? Are they looking for a voip trunk? Or is it just like a serial number for the scan? What? Here's some examples:

Hi, Given the recent increase in SIP brute force attacks, I've had a little idea. The standard scripts that block after X attempts work well to prevent you actually being compromised, but once you've been 'found' then the attempts seem to keep coming for quite some time. Older versions of sipvicious don't appear to stop once you start sending un-reachables (or straight

Is there a way to drop a ip connection to asterisk after a number of register attempts. I have been having issues with hackers doing registration scanning against our server. We block their address at the fire wall but since asterisk does not force a drop of the connect after so many bad reg attempts I can't enforce the block until they drop and try again. This allows them to run the box

An attacker is scanning my Asterisk Switch to gain illegitimate access to VoIP call functionality. Using a sip scanning tool, *it* sends REGISTERs with random identities. And when it discovers one identity subscribed in my switch, it tries to authenticate with random passwords using this user name. For the moment, I have replaced this account. And also blocked the IP it has used but each time

Dear mailing list, I've a Asterisk 1.4.21.2~dfsg-3+lenny1 package installed on my debian and I've a strange behavior. After some days running normally, my asterisk is under heavy attack, however, there is nothing logged in the console (logging from debug -> error) or file (level from notice ->error) I can see that there is also a peak on the network traffic. My first guess is that

Hi List, i've been receiving several sip registration probes in the last month, and as this server is a testing site (no external lines, no nothing) i have no fail2ban and still not planning to install. Whenever i have nagios telling me that there is another 'guest', i go and edit iptables manually and that's it. Recently i discovered that these attacks start with some kind

Say, I just picked this up on my messages! There are a whole host of these requests! Anyone know whow there people are? Is there a way to report them? Any suggestions as to how to block them? [Aug 23 10:34:16] NOTICE[1010] chan_sip.c: Registration from '"912" <sip:1 at 41.1.1.1>' failed for '184.106.217.112' - Wrong password [Aug 23 10:34:16] NOTICE[1010]

Hi all, Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner." When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks become lagged due to server load and a stream of messages on the console that resemble this: [Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6 [Aug 2 20:27:50] ==

My firewall and asterisk pjsip config only has "permit" options for my ITSP's (SIP trunk) IPs. Here's the script that sets it up. -------------------------------------------------- #!/bin/bash EXIF="eth0" /sbin/iptables --flush /sbin/iptables --policy INPUT DROP /sbin/iptables --policy OUTPUT ACCEPT /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -m

Hi, Embarrassed as I am to write this, I am hoping for some advice. One of our very first PBX installs, now six years old, was "taken advantage of" over the past few weeks. A victim of sipvicious, I assume, that managed to guess one of the SIP passwords. 4000 calls to various middle eastern destinations have been placed, which ended up being sent over our customer's PSTN

I've just posted this to another list where we were talking about the same old issues we've been plagues with recently - I'd already posted some iptables rules, but added more to it for this... This script probably isn't compatable with anything else, but I don't run anything else. It's also designed to act on the incoming interface, not to run in a router, but

Why do attacks from the Internet get shown in the Asterisk logs with myAsteriskServerIP instead of the attacker's IP?! Really useful for blocking them, that is... Example: [Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user 5550000<sip:5550000 at myAsteriskServerIP>;tag=ab8537ae (I replaced our IP address with myAsteriskServerIP. The attacks are not coming from

Asterisk Project Security Advisory - AST-2011-013 Product Asterisk Summary Possible remote enumeration of SIP endpoints with differing NAT settings Nature of Advisory Unauthorized data disclosure Susceptibility Remote

I have fail2ban working for EVERYTHING else except dovecot. I have tried using my own custom regex in conjunction with the regex on the dovecot.org site. Neither are picked up by fail2ban and I'm trying to use an imminent attack agaist dovecot, going on now, to my advantage to see when I get the right regexp. Here are my current ones: failregex = .*dovecot: (?:pop3-login|imap-login):

My server is being attached all day and fail2ban is not stopping the attack. I updated stamstamp to match fail2ban requirements. [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830 handle_request_register: Registration from '"7002" <sip:7002 at x.x.x.x>' failed for '38.108.40.94' - No matching peer found [2010-12-25 18:54:34] NOTICE[15415]: chan_sip.c:21830

Hello, We had been seeing SIP-guessing attacks on our Asterisk server here. While it wasn't that hard to write a once-a-minute cron job to spank the lusers, that runs once a minute and creates little spikes in the usage and I/O graphs, and is slower to respond than I'd really prefer. I felt that it'd be much cooler to get something more comprehensive put together. We don't use