<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<blockquote
cite="mid:CAFjUrj5mgwGZ+itpnrfgHqE_w6TVRX=_3i1uPvWk8YWD50-3FA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif">
<pre style="font-size:medium"><font color="#0000ff">iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP</font></pre>
</div>
<div><br>
</div>
<div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">It's
something like this</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><font color="#0000ff">Registration
from '"30" <sp:30@my_public_ip:5060> failed for
'192.168.xxx.xxx:6373' - Wrong Password</font></div>
<br>
</div>
<div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">and
there are approx 10 requests per minute of this type.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Please
suggest some way to stop this.</div>
</div>
</div>
</blockquote>
In my experience you need to do 2 things to fix your problem.<br>
<br>
#1) Get the real IP address of the attacker.<br>
First you will need to recompile Asterisk to enable the log line
that shows the IP of the attacker. It is apparently only emitted in
debug mode, so you need to edit chan_sip.c.<br>
<br>
In chan_sip.c:<br>
<pre>
    if (!peer) {
        if (debug) {                                   *** <--- delete this line
            ast_verbose("No matching peer for '%s' from '%s'\n",
                of, ast_sockaddr_stringify(&p->recv));
        }                                              *** <--- delete this line
</pre>
<br>
This will enable logs like:<br>
<pre>VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080'</pre>
<br>
#2) Now that you have the IP of the attacker, just use fail2ban to
block him automatically. Make sure you test out your rules. For
example the above log is detected with fail2ban rule:<br>
<pre>VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$</pre>
<br>
<br>
<br>
<blockquote
cite="mid:CAFjUrj5mgwGZ+itpnrfgHqE_w6TVRX=_3i1uPvWk8YWD50-3FA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
-- <br>
<div dir="ltr"><span style="background-color:rgb(255,255,255)"><font
style="font-family:georgia,serif" face="garamond,serif"><font
size="4"><font size="4"><font face="verdana,sans-serif"><font>Anurag
Rana <br>
<font size="1"><span style="color:rgb(56,118,29)"><a
moz-do-not-send="true"
href="http://newbie42.blogspot.in/"
target="_blank">http://newbie42.blogspot.in/</a></span><br>
<span style="color:rgb(106,168,79)">On the
trampoline of life's experiences, Striving
towards a saintly life in the midst of these
materialistic turbulences.</span></font><br>
</font><br>
</font></font></font></font></span>
<div><span style="background-color:rgb(255,255,255)"><font
style="font-family:georgia,serif" face="garamond,serif"><br>
</font></span></div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Technical Support
<a class="moz-txt-link-freetext" href="http://www.cellroute.net">http://www.cellroute.net</a></pre>
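<br>
A way to check a failregex like the one above before putting it into production, as an added Python example that is not part of this thread and not fail2ban's own code: it expands the rule the way fail2ban does (the %(__pid_re)s substitution, then &lt;HOST&gt; becoming a capture group), runs it over constructed log lines, counts failures per source address and lists which addresses would reach maxretry. The definition of __pid_re, the IPv4-only HOST expansion, the second "Wrong password" rule and all sample log lines are assumptions made for this example; the attacker address is the one from the log line quoted above.<br>
<pre>
```python
import ipaddress
import re
from collections import Counter

# fail2ban's stock filter.d/asterisk.conf defines the PID fragment like this
# (assumed here; check the copy shipped with your fail2ban).
PID_RE = r"(?:\[\d+\])"
# fail2ban's <HOST> placeholder; assumed to expand to an IPv4 address only
# (the real one also accepts hostnames and IPv6).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Two failregex lines in fail2ban syntax. The first is the rule from the
# mail above, for the line Asterisk prints once the debug guard is removed.
# The second is assumed for the stock "Wrong password" NOTICE, whose
# "failed for" address is whatever Asterisk received the request from.
FAILREGEX = [
    r"VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$",
    r"NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong [Pp]assword$",
]

# Constructed sample log: five probes from the attacker address quoted in
# the mail, two NAT-masked "Wrong password" lines, one unrelated line.
SAMPLE_LOG = """\
[2014-01-05 10:12:01] VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080'
[2014-01-05 10:12:02] VERBOSE[24693] chan_sip.c: No matching peer for '1001' from '104.14.190.14:5080'
[2014-01-05 10:12:03] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@my_public_ip:5060>' failed for '192.168.1.20:6373' - Wrong password
[2014-01-05 10:12:04] VERBOSE[24693] chan_sip.c: No matching peer for '1002' from '104.14.190.14:5080'
[2014-01-05 10:12:05] VERBOSE[24693] chan_sip.c: Really destroying SIP dialog '1a2b3c@my_public_ip' Method: REGISTER
[2014-01-05 10:12:06] VERBOSE[24693] chan_sip.c: No matching peer for '1003' from '104.14.190.14:5080'
[2014-01-05 10:12:07] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@my_public_ip:5060>' failed for '192.168.1.20:6373' - Wrong Password
[2014-01-05 10:12:08] VERBOSE[24693] chan_sip.c: No matching peer for '1004' from '104.14.190.14:5080'
"""


def compile_failregex(pattern):
    """Expand a failregex the way fail2ban does: %(name)s interpolation,
    then <HOST> replaced by a named capture group."""
    expanded = pattern % {"__pid_re": PID_RE}
    expanded = expanded.replace("<HOST>", HOST_RE)
    return re.compile(expanded)


def scan(lines, maxretry=5, ignore_private=True):
    """Count failures per host and return (counts, hosts at or over maxretry).

    ignore_private mimics a fail2ban ignoreip covering RFC1918 space: the
    NAT-masked "Wrong password" line names a LAN address, and banning it
    would lock out the office rather than the attacker.
    """
    compiled = [compile_failregex(p) for p in FAILREGEX]
    counts = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m is None:
                continue
            host = m.group("host")
            if not (ignore_private and ipaddress.ip_address(host).is_private):
                counts[host] += 1
            break  # one failregex hit per line, as fail2ban does
    banned = sorted(h for h, n in counts.items() if n >= maxretry)
    return counts, banned


if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG.splitlines())
    for host, n in counts.most_common():
        print(f"{host:16} {n} failures")
    print("would ban:", banned)
```
</pre>
Run it directly to see the per-host tally; with the defaults only 104.14.190.14 reaches maxretry, while the private 192.168.1.20 reported by the "Wrong password" line is skipped, which is the behaviour you want from an ignoreip entry for your LAN. Against a real log, fail2ban's own tester does the same job with the actual filter file: fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf.<br>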
</body>
</html>