2010-10-20
Another heavy hitter SIP scan attack:
    [2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"2758977752"<sip:2758977752@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
    [2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"717551073"<sip:717551073@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
    [2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"100"<sip:100@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
    [2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"101"<sip:101@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
    [2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"102"<sip:102@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
    ..
    [2010-10-20 19:33:56] NOTICE[1516] chan_sip.c: Registration from '"5616" <sip:5616@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
    [2010-10-20 19:33:56] NOTICE[1516] chan_sip.c: Registration from '"5616" <sip:5616@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found

So far this has caused 108704 log entries like these. The downside is that I have to stop these by hand (the 'rejected' SIP messages are filling the ADSL upstream). Somehow fail2ban fails to ban these. The test nicely says they are seen:

    # fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf
    62.48.49.40 (Wed Oct 20 19:33:55 2010)
    62.48.49.40 (Wed Oct 20 19:33:55 2010)
    62.48.49.40 (Wed Oct 20 19:33:56 2010)
    62.48.49.40 (Wed Oct 20 19:33:56 2010)

But somehow the running fail2ban doesn't notice the messages, or doesn't act on them. Since fail2ban is in Python and multithreaded, I can't debug it. All I see is a failure to regularly scan /var/log/asterisk/messages for new messages.
Update: Lots of debugging later: I had made a typo in the ignoreip option in the general fail2ban config, and the code which parses it only runs inside a Python thread, where the error gets ignored. Fixed that, and now it works:

    [Fail2Ban] ASTERISK: banned 62.48.49.40
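As an added example (not from the original post and not fail2ban's own code), a small Python script that parses the chan_sip NOTICE lines quoted above, counts failed registrations per source address, and validates the ignoreip list up front so that a bad entry raises immediately instead of being swallowed the way the update describes. The sample log lines, the 192.0.2.7 address and the maxretry value are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the chan_sip NOTICE format quoted above (not a real capture).
SAMPLE_LOG = """\
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"100"<sip:100@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:31] NOTICE[1516] chan_sip.c: Registration from '"101"<sip:101@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:36:32] NOTICE[1516] chan_sip.c: Registration from '"5616" <sip:5616@mm.nn.oo.pp>' failed for '62.48.49.40' - No matching peer found
[2010-10-20 16:40:00] NOTICE[1516] chan_sip.c: Registration from '"200"<sip:200@mm.nn.oo.pp>' failed for '192.0.2.7' - No matching peer found
"""

# Matches a failed-registration line and captures the source address after "failed for".
FAIL_RE = re.compile(
    r"^\[[^\]]+\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>[0-9A-Fa-f.:]+)' - No matching peer found"
)

def parse_ignoreip(value):
    """Parse a space-separated ignoreip list; a bad entry raises instead of being silently dropped."""
    nets = []
    for token in value.split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad ignoreip entry {token!r}: {exc}") from exc
    return nets

def ignoreip_error(value):
    """Return the validation error for an ignoreip string, or None if it is valid."""
    try:
        parse_ignoreip(value)
    except ValueError as exc:
        return str(exc)
    return None

def offenders(log_text, ignoreip, maxretry=3):
    """Count failures per source IP (skipping ignoreip) and return those at or over maxretry."""
    nets = parse_ignoreip(ignoreip)
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))  # regex only admits IP characters
        if any(ip in net for net in nets):
            continue  # whitelisted source, never banned
        counts[str(ip)] += 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)
```

Running ignoreip_error against the jail configuration before starting the daemon would have surfaced the typo from the update at once, rather than leaving a silently empty whitelist and a non-functioning ban.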