2010-10-20

Another heavy hitter SIP scan attack:
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"2758977752"<sip:2758977752@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"717551073"<sip:717551073@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"100"<sip:100@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"101"<sip:101@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"102"<sip:102@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found

..

[2010-10-20 19:33:56] NOTICE[1516] chan_sip.c: Registration from '"5616" <sip:5616@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 19:33:56] NOTICE[1516] chan_sip.c: Registration from '"5616" <sip:5616@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
This has caused (so far) 108704 log entries like these. The downside is that I have to stop these by hand (the 'rejected' SIP messages are filling the ADSL upstream). Somehow fail2ban fails to ban these. The test shows nicely that they are seen:
# fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf

    62.48.49.40 (Wed Oct 20 19:33:55 2010)
    62.48.49.40 (Wed Oct 20 19:33:55 2010)
    62.48.49.40 (Wed Oct 20 19:33:56 2010)
    62.48.49.40 (Wed Oct 20 19:33:56 2010)
But somehow the running fail2ban doesn't notice the messages, or doesn't act on them. Since fail2ban is written in Python and is multithreaded, I can't debug it. All I see is a failure to regularly scan /var/log/asterisk/messages for new messages.
Update: After lots of debugging: I had made a typo in the ignoreip option in the general fail2ban config, and the code which parses this option only runs as part of a Python thread, so the error gets ignored. Fixed that, and now it works:
[Fail2Ban] ASTERISK: banned 62.48.49.40
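To make the detection logic and the failure mode above concrete, here is a small Python re-implementation of what the fail2ban asterisk filter does: match the chan_sip "Registration from ... failed for" NOTICE lines, count failures per source address inside a findtime window, ban at maxretry, and skip anything listed in ignoreip. It is an added example, not the author's code and not fail2ban's own implementation. The sample log lines are constructed (modelled on the ones quoted above, with the post's own mm.nn.oo.pp placeholder), and the names parse_ignoreip / detect_bans and the default maxretry and findtime values are assumptions of this example. The one deliberate difference from what the post describes is that a malformed ignoreip entry raises an error immediately instead of being swallowed inside a thread.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the Asterisk chan_sip NOTICE format quoted in the
# post. Five failures from one scanner, two from a second host (one of them a
# different failure reason), so the window/threshold logic has something to do.
SAMPLE_LOG = """\
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"2758977752"<sip:2758977752@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"100"<sip:100@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"101"<sip:101@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:32] NOTICE[1516] chan_sip.c: Registration from '"102"<sip:102@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:40] NOTICE[1516] chan_sip.c: Registration from '"5616" <sip:5616@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:37:00] NOTICE[1516] chan_sip.c: Registration from '"200" <sip:200@mm.nn.oo.pp>' failed for '192.168.1.20' - No matching peer found
[2010-10-20 16:37:01] NOTICE[1516] chan_sip.c: Registration from '"200" <sip:200@mm.nn.oo.pp>' failed for '192.168.1.20' - Wrong password
"""

# chan_sip registration-failure NOTICE. The "from" field is wrapped in single
# quotes and does not contain one itself, so '[^']*' is safer than '.*?'.
ASTERISK_FAIL = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>[0-9a-fA-F.:]+)' - (?P<reason>.+)$"
)


def parse_ignoreip(entries):
    """Turn fail2ban-style ignoreip entries (addresses or CIDR) into networks.

    A malformed entry raises ValueError right here, with the offending entry
    in the message, rather than being lost inside a worker thread.
    """
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid ignoreip entry {entry!r}") from exc
    return nets


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every matching log line."""
    for line in log_text.splitlines():
        m = ASTERISK_FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")


def detect_bans(log_text, ignoreip, maxretry=5, findtime=600):
    """Return source IPs that reach maxretry failures within findtime seconds.

    Addresses covered by ignoreip are never counted; an address is reported
    once, at the moment it crosses the threshold (a sliding window per IP).
    """
    ignored = parse_ignoreip(ignoreip)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = []
    for ts, ip, _reason in parse_failures(log_text):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ignored) or ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= maxretry:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    for ip in detect_bans(SAMPLE_LOG, ["127.0.0.1/8"]):
        print(f"[Fail2Ban] ASTERISK: banned {ip}")
```

Running this against the constructed sample bans 62.48.49.40 after its fifth failure and leaves 192.168.1.20 alone; putting 62.48.0.0/16 in the ignore list suppresses the ban entirely, which is exactly the effect a broken ignoreip line can have in a less visible way. Note that a ban only helps the upstream problem described in the post if the firewall rule drops the inbound REGISTER packets so Asterisk never sends its rejections.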

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.