[asterisk-users] Attack on Sip server.

Andres andres at telesip.net
Sun Jun 29 19:09:08 CDT 2014

> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
> Its something like this
> Registration from '"30" <sp:30 at my_public_ip:5060> failed for 
> '192.168.xxx.xxx:6373' - Wrong Password
> and there are approx 10 request per minute of this type.
> Please suggest some way to stop this.
In my experience you need to do 2 things to fix your problem.

#1) Get the real IP address of the attacker.
First you will need to recompile Asterisk to enable the log that shows 
the IP of the attacker.  It apparently is only set for debug so you need 
to edit chan_sip.c

In chan_sip.c

         if (!peer) {
                 if (debug) *** <--- delete this line
                         ast_verbose("No matching peer for '%s' from 
                                 of, ast_sockaddr_stringify(&p->recv));
     }  *** <--- delete this line

This will enable logs like:
VERBOSE[24693] chan_sip.c: No matching peer for '1000' from 

#2) Now that you have the IP of the attacker, just use fail2ban to block 
him automatically.  Make sure you test out your rules.  For example the 
above log is detected with fail2ban rule:
VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from 

> -- 
> Anurag Rana
> http://newbie42.blogspot.in/
> On the trampoline of life's experiences, Striving towards a saintly 
> life in the midst of these materialistic turbulences.

Technical Support

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140629/1dc7f522/attachment.html>

More information about the asterisk-users mailing list