Maybe your logger is not set up properly?! You should get the IP in logs. I can't think of when you won't get the IP in your logs unless the SIP packets are manipulated. That IP is from Voxel.net. You don't have a VPS or service from them, do you?

2011/12/29 Michelle Dupuis <[email protected]>

> 1. I checked the log and I don't see any registration attempt, so I
> *assume* they simply send an invite, and so they are in the
> external/outside context of my dialplan. So they are trying to reach
> extensions which don't exist. If they successfully registered they would be
> on the internal context, and their calls would have succeeded. (Or am I
> missing something?). I actually see nothing in the log but the notice (and
> nothing on the CLI but the notice)...so I assume it is only an invite?
>
> 2. I got their IP by turning on SIP DEBUG while they were attacking.
>
> 3. The NOTICE showed a call from '' - what normally goes there? I can't
> reproduce this NOTICE so I'm not sure what causes it to be recorded.
> Normal calls show "Accepting AUTHENTICATED call from x.x.x.x"
>
> I'm thinking of using SIPCHANINFO and LOG to log the bad attempts, and let
> fail2ban take over from there.
>
> Thanks
>
> ------------------------------
> *From:* [email protected] [
> [email protected]] On Behalf Of Mikhail Lischuk [
> [email protected]]
> *Sent:* Thursday, December 29, 2011 4:14 AM
> *To:* Asterisk Users List
> *Subject:* Re: [asterisk-users] Interesting attack tonight & fail2ban them
>
> Jeroen Eeuwes wrote 29.12.2011 07:29:
>
> Probably my understanding is limited, but it seems to me that they
> have already 'access' to your Asterisk for them to be able to try to
> make outgoing calls. Wouldn't it be better to make sure they get the
> "usual" errors like "Registration from failed - no matching peer
> found"?
>
> In other words, how did they get this far in the first place?
>
> Best regards,
> Jeroen Eeuwes
>
> Agreed. If you didn't get the "Failed to authenticate on INVITE" (or
> whatever error should Asterisk log for not authenticated user trying to
> place a call, I might be wrong here) - your problem is way more serious.
>
> As I can advise you from my vast (despite not always successful)
> intruder-fighting experience - banning by useragent can help. I always
> dreamed of Asterisk to implement that, but until then - if all your users
> are like "Linksys blablabla" or "eyeBeam blablabla" and you see any other
> agent on the Asterisk log - just ban it. Of course, there are 2 limitations:
>
> 1) If he doesn't register, Asterisk won't show his useragent in log. And as
> for your issue - neither will it show IP. I think we might ask devs to
> correct that some day
>
> 2) if you don't have some standard for user sip devices and they use
> whatever they want to, it won't help either
>
> --
> With Best Regards
> Mikhail Lischuk <[email protected]>
>
> ITX Ukraine
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
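The two ideas in the thread (log the bad attempt from the dialplan, then ban on it, and flag unexpected user agents) combined into one detection pass, as an added example that is not code from any poster or from Asterisk or fail2ban. The `BADCALL` marker, the dialplan line in the comment, the log-line prefix, the sample lines and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed dialplan line in the unauthenticated context ("BADCALL" is a made-up marker):
#   exten => _X.,1,Log(NOTICE,BADCALL ip=${SIPCHANINFO(recvip)} ua=${SIPCHANINFO(useragent)})
# The IP comes first because the User-Agent is sender-controlled free text.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\].*?BADCALL '
    r'ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ua=(?P<ua>.*?)"?$'
)
ALLOWED_UA_PREFIXES = ("Linksys", "eyeBeam")  # device families named in the thread

# Constructed sample lines; the exact prefix Asterisk writes is an assumption.
SAMPLE_LOG = [
    '[2011-12-29 03:10:01] NOTICE[2211] Ext. 900441234: "BADCALL ip=192.0.2.10 ua=unknown-agent 1.0"',
    '[2011-12-29 03:10:05] NOTICE[2212] Ext. 1001: "BADCALL ip=198.51.100.7 ua=Linksys/SPA942"',
    '[2011-12-29 03:12:00] NOTICE[2213] Ext. 1002: "BADCALL ip=198.51.100.7 ua=Linksys/SPA942"',
    '[2011-12-29 03:15:30] NOTICE[2214] Ext. 1003: "BADCALL ip=198.51.100.7 ua=Linksys/SPA942"',
    '[2011-12-29 03:16:00] NOTICE[2215] Ext. 1001: "BADCALL ip=203.0.113.5 ua=eyeBeam release 1"',
    '[2011-12-29 03:40:00] NOTICE[2216] Ext. 1001: "BADCALL ip=203.0.113.5 ua=eyeBeam release 1"',
]

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: reason} for sources a ban action should handle."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in offenders:
            continue              # not a marker line, or source already flagged
        ip, ua = m["ip"], m["ua"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if not ua.startswith(ALLOWED_UA_PREFIXES):
            offenders[ip] = f"unexpected user agent {ua!r}"
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop attempts older than findtime
            window.popleft()
        if len(window) >= maxretry:
            offenders[ip] = f"{len(window)} bad calls within {findtime}"
    return offenders

if __name__ == "__main__":
    for ip, why in find_offenders(SAMPLE_LOG).items():
        print(ip, "->", why)
```

The user-agent check only helps where devices are standardised, which is the second limitation raised in the thread, and the header is trivially spoofed, so the rate threshold remains the primary signal.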
