Asterisk Attempted Break-In

I recently had my logs fill up with attacks on every server in my network. Looks like the source of the attack was a network in France… perhaps a college or something.

NOTICE[27253] chan_sip.c: Registration from '"8535"<sip:8535@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8536"<sip:8536@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8537"<sip:8537@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8538"<sip:8538@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8539"<sip:8539@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8540"<sip:8540@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found

Anyway, I have some questions about how to deal with this type of issue. Is there any way to have Asterisk block a source IP after X number of failed registration attempts? (If not, there should be!)

If that isn’t the answer… well what is?

Thanks,
Geoff

You can configure Snort and OSSEC to defend you against such things. Basically, you can make OSSEC monitor your Snort logs or your Asterisk logs for that type of activity, and then add a rule to your FW to block the offending address.

It’s non-trivial to do all that though. You’ll need to install those packages and also understand how to write rules for them.
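The reply describes the approach but not the mechanics. The script below is an added example, not code from this thread, from OSSEC or from Asterisk: it parses chan_sip.c "Registration from ... failed for ..." notices of the layout quoted in the question, counts failures per source address, and returns iptables DROP commands for any address that exceeds a threshold. The sample log text is constructed for the example (the 90.30.239.249 lines mirror the question, 192.0.2.10 is a documentation address); iptables as the firewall, the optional ":port" suffix on the address, and the ignore list for your own phones are assumptions, not anything the page states.

```python
"""Count failed SIP registrations per source address in Asterisk log output
and emit firewall block commands for sources that exceed a threshold.

Added example, not code from the original thread: it approximates the
"watch the Asterisk log, then add a firewall rule" approach the reply
describes, without OSSEC or Snort.  Assumptions: log lines have the
chan_sip.c layout quoted in the question, the firewall is iptables, and
the commands are returned (not executed) so a caller can review them.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log text modelled on the notices quoted in the question.
# Not a real capture: 90.30.239.249 is the address from the question,
# 192.0.2.10 is a documentation address, and the "Reachable" line is an
# unrelated NOTICE that the parser must ignore.
SAMPLE_LOG = """\
NOTICE[27253] chan_sip.c: Registration from '"8535"<sip:8535@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8536"<sip:8536@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8537"<sip:8537@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8538"<sip:8538@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8539"<sip:8539@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"8540"<sip:8540@XX.XX.XX.XX>' failed for '90.30.239.249' - No matching peer found
NOTICE[27253] chan_sip.c: Registration from '"1001"<sip:1001@XX.XX.XX.XX>' failed for '192.0.2.10' - Wrong password
NOTICE[27253] chan_sip.c: Registration from '"1001"<sip:1001@XX.XX.XX.XX>' failed for '192.0.2.10' - Wrong password
NOTICE[27253] chan_sip.c: Peer '1001' is now Reachable. (12ms / 2000ms)
"""

# Matches the chan_sip.c failure notice.  The optional ':port' suffix is an
# assumption for log formats that append the source port after the address.
FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from '(?P<identity>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+?)\s*$"
)


def parse_failed_registration(line):
    """Return (source_ip, identity, reason) for a failure notice, else None."""
    m = FAILED_REG.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("identity"), m.group("reason")


def count_failures(lines):
    """Count failed registration attempts per source IP across the log lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_failed_registration(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts


def offending_ips(lines, threshold, ignore=()):
    """Source IPs with at least `threshold` failures, excluding any address in
    the `ignore` networks.  Put your own phones and SIP trunk providers there,
    otherwise one mistyped password locks a legitimate device out."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    result = []
    for ip, n in sorted(count_failures(lines).items()):
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in ignore_nets):
            result.append(ip)
    return result


def iptables_block_command(ip):
    """iptables argv that drops all traffic from `ip` (inserted at the top of INPUT)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def block_commands(log_text, threshold=5, ignore=()):
    """Commands a caller could run (e.g. via subprocess, as root) per offending IP."""
    lines = log_text.splitlines()
    return [iptables_block_command(ip) for ip in offending_ips(lines, threshold, ignore)]


if __name__ == "__main__":
    for argv in block_commands(SAMPLE_LOG, threshold=5, ignore=["192.0.2.0/24"]):
        print(" ".join(argv))
```

Run against the sample text, only 90.30.239.249 crosses the default threshold of five; 192.0.2.10 has two failures and is also on the ignore list. The script returns the commands rather than running them, and it never removes a rule, so anything that automates it should also expire blocks after a while and feed it the live log incrementally rather than re-reading the whole file.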