[asterisk-users] Detecting DoS attacks via SIP

tirveni yadav yadav.tirveni at gmail.com
Thu Aug 17 10:01:11 CDT 2017


I shall recommend fail2ban. We have been using fail2ban successfully for
our Asterisk servers (Debian).

Help on using fail2ban with Asterisk server:
https://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk


On Thu, Aug 17, 2017 at 10:10 AM, Kseniya Blashchuk <ksyblast at gmail.com>
wrote:
> Well, correct me if I'm wrong, but I would say this conversation you have
> posted is a bit outdated, now fail2ban can be used with asterisk security
> log https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger.
>
>
> On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <support at telium.ca>
> wrote:
>>
>> Keep in mind that the attacks you are seeing in the log are ONLY the ones
>> that Asterisk is detecting and rejecting.  All other attacks aren't even
>> showing up!
>>
>> There's a good discussion of how to secure your PBX here:
>> https://www.voip-info.org/wiki/view/asterisk+security
>>
>> In general, don't let the malevolent traffic get as far as the PBX (block
>> at the firewall).  Also, Digium regularly warns users that fail2ban is NOT a
>> security system: http://forums.asterisk.org/viewtopic.php?p=159984
>>
>> -----Original Message-----
>> From: asterisk-users-bounces at lists.digium.com
>> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of mdiehl
>> Sent: Tuesday, August 15, 2017 3:38 PM
>> To: asterisk-users at lists.digium.com
>> Subject: [asterisk-users] Detecting DoS attacks via SIP
>>
>> Hi all,
>>
>> Lately, I've seen an increase in the number of attacks against my system
>> from the so-called "Friendly Scanner."  When one of these script kiddies
>> targets my server, all I see for symptoms is a few of my trunks become
>> lagged due to server load and a stream of messages on the console that
>> resemble this:
>>
>> [Aug  2 20:27:50]   == Using SIP VIDEO CoS mark 6
>> [Aug  2 20:27:50]   == Using SIP RTP TOS bits 24
>> [Aug  2 20:27:50]   == Using SIP RTP CoS mark 5
>> [Aug  2 20:32:47]   == Using SIP VIDEO TOS bits 24
>> [Aug  2 20:32:47]   == Using SIP VIDEO CoS mark 6
>> [Aug  2 20:32:47]   == Using SIP RTP TOS bits 24
>> [Aug  2 20:32:47]   == Using SIP RTP CoS mark 5
>> [Aug  2 20:34:26]   == Using SIP VIDEO TOS bits 24
>> [Aug  2 20:34:26]   == Using SIP VIDEO CoS mark 6
>>
>>
>> I have to turn on sip debugging to find out who's hitting me.  However, I
>> can't just leave it on because it would kill my logging system.
>>
>> So, how are other people handling this?  Is there an AMI event I want to
>> watch for?  I watch for PeerStatus, but since there's no actual peer in the
>> attack, I don't seem to get an event from AMI.
>>
>> Any ideas?
>>
>> Mike Diehl.
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Check out the new Asterisk community forum at:
>> https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>    http://lists.digium.com/mailman/listinfo/asterisk-users



-- 
Regards,

Tirveni Yadav

www.bael.io

What is this Universe ? From what it arises ? Into what does it go?
In freedom it arises, In freedom it rests and into freedom it melts away.
Upanishads.
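
Added example (not part of the original thread, and not fail2ban's or Asterisk's own code): a small parser for the Asterisk security log mentioned in the quoted reply, showing how failed-auth events yield the source address that the console lines in the original question do not carry. The sample lines are constructed and abbreviated, and the event names treated as failures, the threshold and the window are assumptions of this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^\[(?P<ts>[\d-]+ [\d:]+)\] SECURITY\[\d+\] \S+ (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Event types counted as hostile here (an assumption of this example; tune per site).
FAILURES = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}

def parse_event(line):
    """Return (timestamp, event name, remote IP), or None for non-security lines."""
    m = LINE_RE.match(line.strip())
    fields = dict(KV_RE.findall(m.group("kv"))) if m else {}
    remote = fields.get("RemoteAddress", "").split("/")  # IPV4/UDP/<ip>/<port>
    if len(remote) != 4:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), fields.get("SecurityEvent"), remote[2]

def offenders(lines, max_failures=3, window=timedelta(seconds=60)):
    """Map each source IP to the time it first reached max_failures within window."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        event = parse_event(line)
        if event is None or event[1] not in FAILURES:
            continue
        ts, _, ip = event
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:  # drop failures that fell out of the window
            seen.popleft()
        if len(seen) >= max_failures:
            flagged.setdefault(ip, ts)
    return flagged

def _sample(ts, event, ip):  # builds one constructed, abbreviated log line
    return (f'[{ts}] SECURITY[2421] res_security_log.c: SecurityEvent="{event}",'
            f'Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/{ip}/5071"')

SAMPLE = [
    "[Aug  2 20:27:50]   == Using SIP RTP CoS mark 5",  # console line: no source address
    _sample("2017-08-02 20:27:50", "InvalidAccountID", "203.0.113.7"),
    _sample("2017-08-02 20:27:51", "InvalidAccountID", "203.0.113.7"),
    _sample("2017-08-02 20:27:52", "InvalidAccountID", "203.0.113.7"),
    _sample("2017-08-02 20:28:00", "InvalidPassword", "198.51.100.4"),
    _sample("2017-08-02 20:28:05", "SuccessfulAuth", "198.51.100.4"),
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

The per-source sliding-window count is the same kind of decision fail2ban makes with its maxretry and findtime settings; here it only reports, it does not block.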