On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
> >             WARNING.* .*: fail2ban='<HOST>'
> >
> ># Option:  ignoreregex
> ># Notes.:  regex to ignore. If this regex matches, the line is ignored.
> ># Values:  TEXT
> >#
> >ignoreregex =
> >
> >
>
> Thanks. Very useful as a tutorial for fail2ban.
>
> But I don't think it covers this SIP hack. This guy isn't trying to
> register.

His filter doesn't only trigger on REGISTERs, see the last line of the matches and the context for guests (which logs the pattern of the last line of the filter on an INVITE).

> That's why I find it puzzling. What is he trying to do?

There are SIP servers publicly reachable that will relay INVITEs, make sure yours aren't.

And there are only 2 kinds of operators of SIP servers:
- those that have been the victim of toll fraud
- those that will be the victim of toll fraud

You can do nothing to stop this kind of traffic. The only thing you can do is block it, either using only a whitelist (cumbersome) or generate a blacklist with for example fail2ban or a more elaborate honeypot setup. Or set up a proxy that will filter patterns you discover from

BTW this is not a person, this is an automated script, running most likely on compromised machines and sending spoofed IPs.

These scripts care about generating a ring on a phone (again most an abusable/hacked account (or purchased with CC fraud)). If they find a server that does, it will be targeted for all kinds of fraud.

-- 
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users