Maybe your logger is not set up properly?! You should get the IP in logs. I can't think of when you won't get the IP in your logs unless the SIP packets are manipulated. That IP is from Voxel.net. You don't have a VPS or service from them do you?<br>
<br><div class="gmail_quote">2011/12/29 Michelle Dupuis <span dir="ltr"><<a href="mailto:mdupuis@ocg.ca">mdupuis@ocg.ca</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div dir="ltr"><font color="#000000" face="Tahoma">1. I checked the log and I don't see any registration attempt, so I *assume* they simply send an invite, and so they are in the external/outside context of my dialplan. So they are trying to reach
extensions which don't exist. If they successfully registered they would be on the internal context, and their calls would have succeeded. (Or am I missing something?). I actually see nothing in the log but the notice (and nothing on the CLI but the notice)...so
I assume it is only an invite?</font></div>
<div dir="ltr"><font face="tahoma"></font> </div>
<div dir="ltr"><font face="tahoma">2. I got their IP by turning on SIP DEBUG while they were attacking.</font></div>
<div dir="ltr"><font face="tahoma"></font> </div>
<div dir="ltr"><font face="tahoma">3. The NOTICE showed a call from '' - what normally goes there? I can't reproduce this NOTICE so I'm not sure what causes it to be recorded. Normal calls show "Accepting AUTHENTICATED call from x.x.x.x"</font></div>
<div dir="ltr"><font face="tahoma"></font> </div>
<div dir="ltr"><font face="tahoma">I'm thinking of using SIPCHANINFO and LOG to log the bad attempts, and let fail2ban takeover from there.</font></div>
<div dir="ltr"><font face="tahoma"></font> </div>
<div dir="ltr"><font face="tahoma">Thanks</font></div>
<div dir="ltr"><font face="tahoma"></font> </div>
<div style="DIRECTION:ltr">
<hr>
<font face="Tahoma"><b>From:</b> <a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a> [<a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a>] On Behalf Of Mikhail Lischuk [<a href="mailto:mlischuk@itx.com.ua" target="_blank">mlischuk@itx.com.ua</a>]<br>
<b>Sent:</b> Thursday, December 29, 2011 4:14 AM<div class="im"><br>
<b>To:</b> Asterisk Users List<br>
<b>Subject:</b> Re: [asterisk-users] Interesting attack tonight & fail2ban them<br>
</div></font><br>
</div><div><div></div><div class="h5">
<div></div>
<div>
<p>Jeroen Eeuwes wrote on 29.12.2011 07:29:</p>
<blockquote style="BORDER-LEFT:#1010ff 2px solid;PADDING-LEFT:5px;WIDTH:100%;MARGIN-LEFT:5px" type="cite">
<pre>Probably my understanding is limited, but it seems to me that they
have already 'access' to your Asterisk for them to be able to try to
make outgoing calls. Wouldn't it be better to make sure they get the
"usual" errors like "Registration from failed - no matching peer
found"?
In other words, how did they get this far in the first place?
Best regards,
Jeroen Eeuwes
</pre>
</blockquote>
<p>Agreed. If you didn't get the "Failed to authenticate on INVITE" (or whatever error Asterisk should log for an unauthenticated user trying to place a call, I might be wrong here) - your problem is way more serious.</p>
<p>As I can advise you from my vast (though not always successful) intruder-fighting experience - banning by user agent can help. I always dreamed of Asterisk implementing that, but until then - if all your users are like "Linksys blablabla" or "eyeBeam blablabla"
and you see any other agent in the Asterisk log - just ban it. Of course, there are 2 limitations:</p>
<p>1) If he doesn't register, Asterisk won't show his user agent in the log. And as for your issue - neither will it show the IP. I think we might ask the devs to correct that some day</p>
<p>2) if you don't have some standard for user SIP devices and they use whatever they want to, it won't help either</p>
<div>
<pre><span><span style="COLOR:#999999">-- </span><br><span style="COLOR:#999999">With Best Regards</span><br><span style="COLOR:#999999"><a title="mailto:mlischuk@itx.com.ua" href="mailto:mlischuk@itx.com.ua" target="_blank">Mikhail Lischuk</a></span><br>
<br><span style="COLOR:#999999">ITX Ukraine</span></span></pre>
<pre><span><br></span></pre>
</div>
</div>
</div></div></div>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br>
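<p>Added example, not part of this thread and not Asterisk or fail2ban code: a small Python script that does what a fail2ban filter and jail would do with the log messages the posters quote. It runs over constructed log lines written in the style of those messages (the addresses are from documentation ranges; the "Rejected unauthenticated call ... from" line is an assumed format for what a dialplan Log() step that records SIPCHANINFO(recvip) could emit, as Michelle proposes). It extracts the source IP where the message carries one, counts attempts per address, and separately tallies the "Call from ''" rejections, which carry no address and so cannot be turned into a ban from the log alone, which is the gap both Michelle and Mikhail describe.</p>

```python
import re
from collections import Counter

# Constructed Asterisk log lines in the style of the NOTICE messages quoted in
# the thread. They are not taken from anyone's real logs; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation address ranges.
SAMPLE_LOG = """\
[Dec 29 03:14:11] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 29 03:14:12] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 29 03:14:13] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 29 03:14:20] NOTICE[2210] chan_sip.c: Call from '' to extension '0011972599123456' rejected because extension not found.
[Dec 29 03:14:21] NOTICE[2210] chan_sip.c: Call from '' to extension '9011972599123456' rejected because extension not found.
[Dec 29 03:14:30] NOTICE[2210] Ext. _X.@from-external:1: Rejected unauthenticated call to 0011972599123456 from 198.51.100.77
[Dec 29 03:14:31] NOTICE[2210] Ext. _X.@from-external:1: Rejected unauthenticated call to 9011972599123456 from 198.51.100.77
[Dec 29 03:14:32] NOTICE[2210] Ext. _X.@from-external:1: Rejected unauthenticated call to 0011972599123457 from 198.51.100.77
[Dec 29 03:15:02] VERBOSE[2210] chan_sip.c: Accepting AUTHENTICATED call from 192.0.2.44, extension 200
"""

IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"

# One pattern per message class, in the spirit of fail2ban's failregex lines.
PATTERNS = {
    # Registration for an unknown peer: Asterisk names the source address.
    "register_unknown_peer": re.compile(
        r"Registration from '.*' failed for '" + IPV4 + r"(?::\d+)?' - No matching peer found"
    ),
    # Unauthenticated INVITE to a non-existent extension. This form carries no
    # address, so the line alone cannot tell a banning tool whom to block.
    "call_no_extension": re.compile(
        r"Call from '' to extension '(?P<exten>[^']*)' rejected because extension not found"
    ),
    # Assumed format of a line written by a dialplan Log() step that includes
    # SIPCHANINFO(recvip); it gives the address the built-in NOTICE lacks.
    "dialplan_reject": re.compile(
        r"Rejected unauthenticated call to (?P<exten>\S+) from " + IPV4
    ),
}


def parse_line(line):
    """Classify one log line.

    Returns (kind, ip), with ip None when the message names no source address,
    or None when the line is not one of the rejection messages we care about.
    Successful, authenticated calls therefore come back as None.
    """
    for kind, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            return kind, match.groupdict().get("ip")
    return None


def summarize(lines, threshold=3):
    """Count rejections per source IP and list the addresses at or above the
    ban threshold (the filter-plus-jail logic fail2ban would apply). Events
    without an address are counted separately so the gap is visible rather
    than silently dropped."""
    per_ip = Counter()
    unattributed = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, ip = parsed
        if ip is None:
            unattributed[kind] += 1
        else:
            per_ip[ip] += 1
    to_ban = sorted(ip for ip, count in per_ip.items() if count >= threshold)
    return {"per_ip": dict(per_ip), "unattributed": dict(unattributed), "ban": to_ban}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for ip in result["ban"]:
        print(f"would ban {ip} after {result['per_ip'][ip]} rejections")
    for kind, count in result["unattributed"].items():
        print(f"{count} '{kind}' events carried no source address and cannot be banned from this log")
```

<p>Run on the sample, both 203.0.113.9 (three failed registrations) and 198.51.100.77 (three dialplan-logged rejections) reach the threshold, while the two bare "Call from ''" notices are reported as unattributable. In a real deployment the same extraction is done by a fail2ban filter whose failregex uses <code>&lt;HOST&gt;</code> where the patterns above use the <code>ip</code> group, and the dialplan line is only available if the external context actually logs the address.</p>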