[asterisk-users] Interesting attack tonight & fail2ban them

Michelle Dupuis mdupuis at ocg.ca
Wed Dec 28 22:26:55 CST 2011


Yes fail2ban is working fine.  I did NOT have a filter for the "rejected because extension not found" line yet (I'm still working on it).  Hoping for input on the regex.

Thanks
________________________________
From: asterisk-users-bounces at lists.digium.com [asterisk-users-bounces at lists.digium.com] On Behalf Of Carlos Rojas [crt.rojas at gmail.com]
Sent: Wednesday, December 28, 2011 11:11 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Interesting attack tonight & fail2ban them

Hello,

Did you set up your logrotate in /etc/asterisk?
Did you test that your fail2ban works fine?

Regards

On Wed, Dec 28, 2011 at 11:07 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote:
I happened to be in the cli tonight as someone (208.122.57.58) initiated a simple attack - just trying to make long distance calls from outside context.  Although harmless, this went on for several minutes as the idiot just used up my bandwidth with SIP messages.  Here's an example:

[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
[2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
[2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
[2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
[2011-12-28 22:53:50] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
[2011-12-28 22:53:52] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '006442032987219' rejected because extension not found.
[2011-12-28 22:53:54] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '005442032987216' rejected because extension not found.
[2011-12-28 22:53:56] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '004442032987250' rejected because extension not found.

I thought that it might be worth adding a line to my fail2ban filter, but am looking for a hand with the regex.  I have come up with:
            NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found

but I realize that anyone misdialling a valid extension a few times gets cut off. Can someone suggest an improvement?  (How could I limit this to 4 or more digits dialled for example?)

Thanks!
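
An added example, not part of the original thread: a Python check of the pattern from the post against a variant that accepts only extensions of four or more digits (`\d{4,}`), with a fail2ban-style maxretry/findtime count over the matches. The misdial lines and the threshold values are constructed assumptions; the log lines on the page carry no source address, so this exercises only the line match and not the `<HOST>` capture a fail2ban failregex also requires.

```python
import re
from datetime import datetime, timedelta

TAIL = r" rejected because extension not found"
# Pattern from the post: any rejected extension matches, short misdials included.
ORIGINAL = re.compile(r"NOTICE.* .*: Call from '' to extension '.*'" + TAIL)
# Tightened: only extensions made of four or more digits match.
TIGHTENED = re.compile(r"NOTICE.* .*: Call from '' to extension '\d{4,}'" + TAIL)
STAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

PREFIX = "NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension "
# Timestamps and extensions of the first four log lines in the post.
SCAN = [("22:53:42", "6442032987219"), ("22:53:44", "7442032987216"),
        ("22:53:46", "8442032987216"), ("22:53:48", "008442032987215")]
# Constructed: a local user fumbling a short extension three times.
MISDIAL = [("09:15:02", "201"), ("09:15:20", "210"), ("09:15:41", "21")]

def render(events):
    """Build log lines in the format shown in the post."""
    return [f"[2011-12-28 {t}] {PREFIX}'{ext}'{TAIL}." for t, ext in events]

def hit_times(pattern, lines):
    """Timestamps of the lines the pattern matches, oldest first."""
    times = []
    for line in lines:
        stamp = STAMP.match(line)
        if stamp and pattern.search(line):
            times.append(datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S"))
    return sorted(times)

# maxretry/findtime defaults are assumed values, not settings from the post.
def would_ban(pattern, lines, maxretry=3, findtime=600):
    """True when maxretry matches land inside one findtime-second window."""
    times = hit_times(pattern, lines)
    window = timedelta(seconds=findtime)
    return any(times[i + maxretry - 1] - times[i] <= window
               for i in range(len(times) - maxretry + 1))

if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name, "scan:", would_ban(pattern, render(SCAN)),
              "misdial:", would_ban(pattern, render(MISDIAL)))
```

A misdial of four or more digits still matches the tightened pattern, so the retry threshold remains the second safeguard.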
