I appreciate the discussion on the question I asked. I currently listen for failed registration attempts via AMI and automatically block the offending IP address at the firewall. I was hoping to find another AMI event that would be the magic bullet I need, but it doesn't sound like that's going to happen.
I understand that fail2ban is probably not what I want and probably wouldn't detect the attacks I'm seeing. It turns out that not all of the attacks are from the "friendly scanner," but enough of them are that it's a good start. So, I really like the idea of the IP geolocation firewall rules coupled with the "friendly scanner" filter, as provided by a few of you guys. It was mentioned that this is a broad hammer, but I'm kinda looking for a broad hammer! ;^) Looks like I need to do some research, but I think I have what I need.

Thanks again,

Mike Diehl.

On Sat, Aug 19, 2017 at 4:36 PM, Telium Technical Support <supp...@telium.ca> wrote:

> I think you missed the point of the Digium post. Fail2ban can ONLY ban IPs if Asterisk records a failure to register. Asterisk does not detect malformed SIP packets, buffer overflow attacks, suspicious dialing patterns, connection attempts outside geofenced areas, use of stolen credentials (rapid ramp of calls using one set of credentials), etc.
>
> Asterisk only gives you a rudimentary "failed" message for a failure to register / wrong credentials. And of course fail2ban only responds to Asterisk log messages, so it does little more than ban the annoying script kiddies.
>
> Have a good look at that Voip-Info page and read what actual SIP security systems do. Then compare that to fail2ban and it's a night & day difference. People still think fail2ban is a security system, and Digium is very clear that it is NOT.
>
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Kseniya Blashchuk
> Sent: Thursday, August 17, 2017 12:41 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
> Subject: Re: [asterisk-users] Detecting DoS attacks via SIP
>
> Well, correct me if I'm wrong, but I would say this conversation you have posted is a bit outdated; now fail2ban can be used with the Asterisk security log: https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
>
> On Thu, Aug 17, 2017, 4:53 AM Telium Technical Support <supp...@telium.ca> wrote:
>
> Keep in mind that the attacks you are seeing in the log are ONLY the ones that Asterisk is detecting and rejecting. All other attacks aren't even showing up!
>
> There's a good discussion of how to secure your PBX here: https://www.voip-info.org/wiki/view/asterisk+security
>
> In general, don't let the malevolent traffic get as far as the PBX (block at the firewall). Also, Digium regularly warns users that fail2ban is NOT a security system: http://forums.asterisk.org/viewtopic.php?p=159984
>
> -----Original Message-----
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mdiehl
> Sent: Tuesday, August 15, 2017 3:38 PM
> To: asterisk-users@lists.digium.com
> Subject: [asterisk-users] Detecting DoS attacks via SIP
>
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system from the so-called "Friendly Scanner."
> When one of these script kiddies targets my server, all I see for symptoms is a few of my trunks becoming lagged due to server load and a stream of messages on the console that resemble this:
>
> [Aug 2 20:27:50] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:27:50] == Using SIP RTP TOS bits 24
> [Aug 2 20:27:50] == Using SIP RTP CoS mark 5
> [Aug 2 20:32:47] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:32:47] == Using SIP VIDEO CoS mark 6
> [Aug 2 20:32:47] == Using SIP RTP TOS bits 24
> [Aug 2 20:32:47] == Using SIP RTP CoS mark 5
> [Aug 2 20:34:26] == Using SIP VIDEO TOS bits 24
> [Aug 2 20:34:26] == Using SIP VIDEO CoS mark 6
>
> I have to turn on SIP debugging to find out who's hitting me. However, I can't just leave it on because it would kill my logging system.
>
> So, how are other people handling this? Is there an AMI event I want to watch for? I watch for PeerStatus, but since there's no actual peer in the attack, I don't seem to get an event from AMI.
>
> Any ideas?
>
> Mike Diehl.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at: https://community.asterisk.org/
>
> New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
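The thread makes two points that a small piece of detection logic shows more clearly than prose: Asterisk can only hand you a source address for the attacks it recognises (the security event log that Kseniya points to, which fail2ban's stock asterisk filter consumes), while the "Using SIP VIDEO CoS mark" console chatter from the original post carries no address at all; and a scanner like the "friendly scanner" can be matched on its User-Agent before it ever reaches the PBX. The example below is added here and is not code from any poster. It assumes the record format of Asterisk's Security Event Logger, comma-separated Key="Value" pairs such as SecurityEvent="InvalidPassword" and RemoteAddress="IPV4/UDP/198.51.100.7/5060", with the four failure event types that fail2ban's asterisk filter matches; the sample lines, the maxretry/findtime values and the iptables command it emits are constructed for illustration, and in a real tailer the timestamp would come from the line or the clock rather than being passed in.

```python
"""Ban decisions over Asterisk security-event log lines and SIP scanner probes.

Added example, not code from the mailing-list thread. Assumes the Security
Event Logger record format (Key="Value" pairs, RemoteAddress="IPV4/UDP/ip/port").
Thresholds, sample lines and the firewall command are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event types that fail2ban's stock asterisk filter treats as auth failures.
FAILURE_EVENTS = {"FailedACL", "InvalidAccountID",
                  "ChallengeResponseFailed", "InvalidPassword"}
# User-Agent substrings treated as scanner probes; "friendly-scanner" is the one
# the thread names. Extend the tuple with whatever your own captures show.
SCANNER_AGENTS = ("friendly-scanner",)

KV_RE = re.compile(r'(\w+)="([^"]*)"')
ADDR_RE = re.compile(r'^IPV[46]/(UDP|TCP|TLS|WS|WSS)/(.+)/(\d+)$')


def parse_security_event(line):
    """Return the fields of one security-log line plus remote_ip/remote_port, or None.

    Lines without a SecurityEvent and a parseable RemoteAddress are dropped. The
    '== Using SIP VIDEO CoS mark 6' console lines from the thread fall in that
    class: they name no remote host, so nothing can be banned from them.
    """
    fields = dict(KV_RE.findall(line))
    m = ADDR_RE.match(fields.get("RemoteAddress", ""))
    if "SecurityEvent" not in fields or not m:
        return None
    fields["remote_ip"] = m.group(2)
    fields["remote_port"] = int(m.group(3))
    return fields


class BanTracker:
    """Per-source-IP failure counter over a sliding window (fail2ban's maxretry/findtime)."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = set()

    def observe(self, line, now):
        """Feed one log line seen at time `now`; return the IP to ban, or None."""
        ev = parse_security_event(line)
        if ev is None or ev["SecurityEvent"] not in FAILURE_EVENTS:
            return None
        ip = ev["remote_ip"]
        if ip in self.banned:
            return None
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.findtime:   # expire entries outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned.add(ip)
            return ip
        return None


def is_scanner_probe(payload):
    """True if a raw SIP message's User-Agent header names a known scanner.

    Payload-level counterpart of a firewall string match on UDP/5060: it fires
    on the first packet, before Asterisk has logged anything at all. SIP header
    names are case-insensitive, so the comparison is done lowercased.
    """
    head = payload.partition(b"\r\n\r\n")[0]
    for raw in head.split(b"\r\n")[1:]:            # skip the request/status line
        name, sep, value = raw.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            ua = value.strip().lower()
            return any(agent.encode() in ua for agent in SCANNER_AGENTS)
    return False


def block_command(ip):
    """Firewall action as a command string (dry run; hand it to a privileged helper)."""
    tool = "ip6tables" if ":" in ip else "iptables"
    return f"{tool} -I INPUT -s {ip} -j DROP"


def sample_event(kind, ip, account="100"):
    """Constructed sample line in the security-log field style; not a real capture."""
    return (f'SecurityEvent="{kind}",EventTV="2017-08-17T10:11:12.000+0000",'
            f'Severity="Error",Service="SIP",EventVersion="1",AccountID="{account}",'
            f'SessionID="0x1",LocalAddress="IPV4/UDP/203.0.113.5/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"')


def run_demo():
    """Replay constructed events; return the (ip, command) ban decisions in order."""
    t0 = datetime(2017, 8, 17, 10, 0, 0)
    events = [(0, "[Aug 17 10:00:00] == Using SIP VIDEO CoS mark 6")]     # no address: ignored
    # Five bad passwords from one host inside 40 seconds: banned on the fifth.
    events += [(s, sample_event("InvalidPassword", "198.51.100.7")) for s in range(10, 60, 10)]
    # Five failures from another host spaced 11 minutes apart: never inside findtime.
    events += [(m * 60, sample_event("InvalidAccountID", "192.0.2.10")) for m in range(0, 55, 11)]
    events.append((70, sample_event("ChallengeSent", "192.0.2.10")))      # not a failure type
    tracker = BanTracker(maxretry=5, findtime=timedelta(minutes=10))
    decisions = []
    for offset, line in sorted(events, key=lambda e: e[0]):
        ip = tracker.observe(line, t0 + timedelta(seconds=offset))
        if ip:
            decisions.append((ip, block_command(ip)))
    return decisions


if __name__ == "__main__":
    for ip, cmd in run_demo():
        print(f"ban {ip}: {cmd}")
```

Running the module prints one decision, for 198.51.100.7; the host that fails slowly never trips the window, which is the same blind spot Telium describes for fail2ban (a credential-stuffing run paced below findtime is invisible to this logic). The is_scanner_probe check is what an iptables rule such as `-p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP` does in the kernel, which is where the thread's advice says the block belongs; combined with a geolocation match, that stops the probes before the PBX spends CPU on them and before the console fills with the CoS/TOS lines.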