Hi Mike,

On 15-08-17 21:37, mdiehl wrote:
> Hi all,
>
> Lately, I've seen an increase in the number of attacks against my system from the
> so-called "Friendly Scanner."  When one of these script kiddies targets my
> server, all I see for symptoms is a few of my trunks become lagged due to server load and
> a stream of messages on the console that resemble this:
[snip]
> I have to turn on sip debugging to find out who's hitting me.  However, I can't
> just leave it on because it would kill my logging system.
>
> So, how are other people handling this?  Is there an AMI event I want to watch
> for?  I watch for PeerStatus, but since there's no actual peer in the attack, I
> don't seem to get an event from AMI.
>
> Any ideas?

You can block sipvicious/friendly scanner in iptables with something like:

-A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP

You can also look at xtables with geoip to drop countries (per destination port) that should not connect to your Asterisk box. It's a big hammer but it works really well.

Or put a proxy like Kamailio or OpenSIPS in front of the Asterisk box. That's what the telcos/service providers do.

HTH,
Patrick
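
The following is an added example, not part of either poster's message: a Python sketch of what the `--string "friendly-scanner"` rule keys on, applied to captured SIP payloads to list the source addresses the rule would drop. The packets, addresses and the function names (`user_agent`, `rule_would_match`, `scanner_sources`) are constructed for illustration; the match is modelled as a case-sensitive substring search, which is the string match's default behaviour.

```python
from collections import Counter
from typing import Iterable, Optional, Tuple

# Substring used by the iptables rule quoted in the message above.
SIGNATURE = b"friendly-scanner"


def user_agent(payload: bytes) -> Optional[str]:
    """Return the User-Agent header value of a SIP message, or None if absent."""
    head = payload.split(b"\r\n\r\n", 1)[0]       # headers end at the blank line
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("ascii", "replace")
    return None


def rule_would_match(payload: bytes) -> bool:
    """Model '-m string --string friendly-scanner': substring anywhere in the payload."""
    return SIGNATURE in payload


def scanner_sources(packets: Iterable[Tuple[str, bytes]]) -> dict:
    """Count matching packets per source IP; packets are (src_ip, udp_payload) pairs."""
    hits = Counter(src for src, payload in packets if rule_would_match(payload))
    return dict(hits)


def sip(method: str, ua: str) -> bytes:
    """Build a minimal constructed SIP request for the sample data below."""
    return (f"{method} sip:100@203.0.113.10 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK-constructed\r\n"
            f"User-Agent: {ua}\r\n"
            "Content-Length: 0\r\n\r\n").encode("ascii")


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    ("198.51.100.7", sip("OPTIONS", "friendly-scanner")),
    ("198.51.100.7", sip("REGISTER", "friendly-scanner")),
    ("192.0.2.44", sip("REGISTER", "ExamplePhone 1.0")),
]

if __name__ == "__main__":
    for src, count in scanner_sources(SAMPLE).items():
        print(f"{src}: {count} packet(s) the rule would drop")
```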
