<p dir="ltr">Well, correct me if I'm wrong, but I would say this conversation you have posted is a bit outdated; fail2ban can now be used with the Asterisk security log: <a href="https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger">https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger</a>.</p>
<br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support &lt;<a href="mailto:support@telium.ca">support@telium.ca</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Keep in mind that the attacks you are seeing in the log are ONLY the ones<br>
that Asterisk is detecting and rejecting. All other attacks aren't even<br>
showing up!<br>
<br>
There's a good discussion of how to secure your PBX here:<br>
<a href="https://www.voip-info.org/wiki/view/asterisk+security" rel="noreferrer" target="_blank">https://www.voip-info.org/wiki/view/asterisk+security</a><br>
<br>
In general, don't let the malevolent traffic get as far as the PBX (block at<br>
the firewall). Also, Digium regularly warns users that fail2ban is NOT a<br>
security system: <a href="http://forums.asterisk.org/viewtopic.php?p=159984" rel="noreferrer" target="_blank">http://forums.asterisk.org/viewtopic.php?p=159984</a><br>
<br>
-----Original Message-----<br>
From: <a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a><br>
[mailto:<a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a>] On Behalf Of mdiehl<br>
Sent: Tuesday, August 15, 2017 3:38 PM<br>
To: <a href="mailto:asterisk-users@lists.digium.com" target="_blank">asterisk-users@lists.digium.com</a><br>
Subject: [asterisk-users] Detecting DoS attacks via SIP<br>
<br>
Hi all,<br>
<br>
Lately, I've seen an increase in the number of attacks against my system<br>
from the so-called "Friendly Scanner." When one of these script kiddies<br>
targets my server, all I see for symptoms is a few of my trunks become<br>
lagged due to server load and a stream of messages on the console that<br>
resemble this:<br>
<br>
[Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6<br>
[Aug 2 20:27:50] == Using SIP RTP TOS bits 24<br>
[Aug 2 20:27:50] == Using SIP RTP CoS mark 5<br>
[Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24<br>
[Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6<br>
[Aug 2 20:32:47] == Using SIP RTP TOS bits 24<br>
[Aug 2 20:32:47] == Using SIP RTP CoS mark 5<br>
[Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24<br>
[Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6<br>
<br>
<br>
I have to turn on sip debugging to find out who's hitting me. However, I<br>
can't just leave it on because it would kill my logging system.<br>
<br>
So, how are other people handling this? Is there an AMI event I want to watch<br>
for? I watch for PeerStatus, but since there's no actual peer in the<br>
attack, I don't seem to get an event from AMI.<br>
<br>
Any ideas?<br>
<br>
Mike Diehl.<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>
<br>
Check out the new Asterisk community forum at:<br>
<a href="https://community.asterisk.org/" rel="noreferrer" target="_blank">https://community.asterisk.org/</a><br>
<br>
New to Asterisk? Start here:<br>
<a href="https://wiki.asterisk.org/wiki/display/AST/Getting+Started" rel="noreferrer" target="_blank">https://wiki.asterisk.org/wiki/display/AST/Getting+Started</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" rel="noreferrer" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</blockquote></div>
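<p dir="ltr">The security event log mentioned in the reply at the top records a RemoteAddress for each event, so the source of rejected SIP requests can be tallied without turning on SIP debugging. The Python below is an added example, not code from this thread or from the Asterisk project; it assumes the <code>security</code> log level is written to a file and that EventTV uses the seconds-microseconds form, and its sample lines, threshold, window and function names are constructed for illustration.</p>

```python
import re
from collections import defaultdict, deque

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Event types counted as hostile (assumption for this example; tune per site).
FAILURES = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}

def parse_event(line):
    """Return the key="value" fields of a security log line ({} for other lines)."""
    return dict(FIELD.findall(line)) if "SecurityEvent=" in line else {}

def remote_ip(event):
    """RemoteAddress looks like IPV4/UDP/203.0.113.7/5071; return the host part."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def event_seconds(event):
    """Epoch seconds from EventTV, assumed to be 'seconds-microseconds'."""
    m = re.fullmatch(r"(\d+)-\d+", event.get("EventTV", ""))
    return int(m.group(1)) if m else None

def noisy_sources(lines, threshold=5, window=60):
    """Return {ip: peak count} for sources with >= threshold failures in `window` s."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        ev = parse_event(line)
        ip, ts = remote_ip(ev), event_seconds(ev)
        if ev.get("SecurityEvent") not in FAILURES or ip is None or ts is None:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample data: builds one log line in the res_security_log layout.
def sample_line(event, tv, remote):
    return ('[Aug 15 15:38:01] SECURITY[2245] res_security_log.c: '
            f'SecurityEvent="{event}",EventTV="{tv}-000000",Severity="Error",Service="SIP",'
            f'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{remote}/5071"')

SAMPLE = ([sample_line("InvalidAccountID", 1502825881 + i, "203.0.113.7") for i in range(8)]
          + [sample_line("InvalidPassword", 1502825881 + 300 * i, "198.51.100.20") for i in range(3)]
          + [sample_line("SuccessfulAuth", 1502825900, "198.51.100.20")])

if __name__ == "__main__":
    print(noisy_sources(SAMPLE))   # only sources at or above the threshold
```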