[asterisk-users] Interesting attack tonight & fail2ban them

Carlos Rojas crt.rojas at gmail.com
Wed Dec 28 22:11:10 CST 2011


Hello,

Do you set up your logrotate in /etc/asterisk?
Do you test that your fail2ban works fine?

Regards

On Wed, Dec 28, 2011 at 11:07 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote:

>  I happened to be in the cli tonight as someone (208.122.57.58) initiated a
> simple attack - just trying to make long distance calls from outside
> context.  Although harmless, this went on for several minutes as the idiot
> just used up my bandwidth with SIP messages.  Here's an example:
>
> [2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
> [2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
> [2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
> [2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
> [2011-12-28 22:53:50] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
> [2011-12-28 22:53:52] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '006442032987219' rejected because extension not found.
> [2011-12-28 22:53:54] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '005442032987216' rejected because extension not found.
> [2011-12-28 22:53:56] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '004442032987250' rejected because extension not found.
>
> I thought that it might be worth adding a line to my fail2ban filter, but
> am looking for a hand with the regex.  I have come up with:
>             NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found
>
> but I realize that anyone misdialling a valid extension a few times gets
> cut off. Can someone suggest an improvement?  (How could I limit this to 4
> or more digits dialled for example?)
>
> Thanks!
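An added example, not part of the original thread: one way to restrict the quoted pattern to extensions of four or more digits, checked against log lines from the post (rejoined onto one line each) plus one constructed three-digit misdial. The function names and the `maxretry`/`findtime` counting here are illustrative assumptions modelled on fail2ban's options of the same names, not fail2ban code.

```python
import re
from datetime import datetime, timedelta

# First four lines are from the post; the last ('105') is constructed.
SAMPLE_LOG = """\
[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
[2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
[2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
[2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
[2011-12-28 22:54:10] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '105' rejected because extension not found.
"""

def build_pattern(min_digits=4):
    """Match a rejected INVITE whose dialled extension has >= min_digits digits."""
    return re.compile(
        r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]: chan_sip\.c:\d+ handle_request_invite: "
        r"Call from '[^']*' to extension "
        + r"'(?P<ext>\d{%d,})' " % min_digits
        + r"rejected because extension not found\.?$"
    )

def scan(log_text, min_digits=4, maxretry=3, findtime=60):
    """Return (matched_extensions, tripped).

    tripped is True when maxretry matches fall within findtime seconds.
    The lines as posted carry no source address, which a fail2ban failregex
    needs (its <HOST> tag), so matches are counted globally here, not per host.
    """
    pattern = build_pattern(min_digits)
    hits = []
    for line in log_text.splitlines():
        m = pattern.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m.group("ext")))
    window = timedelta(seconds=findtime)
    tripped = any(
        hits[i + maxretry - 1][0] - hits[i][0] <= window
        for i in range(len(hits) - maxretry + 1)
    )
    return [ext for _, ext in hits], tripped

if __name__ == "__main__":
    extensions, tripped = scan(SAMPLE_LOG)
    print("matched:", extensions)
    print("threshold reached:", tripped)
```
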