Hello there,
I have Asterisk 16.8.0 with fail2ban in place, which works great for the usual authentication attack scheme.
When I go to asterisk -rvc console I see a lot of Invite attacks like this:
Hello,
There is no single method to repel unneeded invites, but here is the one I use: An invite will produce a ‘ChallengeSent’ line in security log, like this:
[Apr 4 22:07:12] SECURITY[3935] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2020-04-04T22:07:12.775-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="101",SessionID="0x7fe460022080",LocalAddress="IPV4/UDP/67.212.64.197/5060",RemoteAddress="IPV4/UDP/207.180.198.168/60725",Challenge="4a765ad0"
So, someone wants to register as extension 101 - he is actually checking whether that extension exists via the 'ChallengeSent'. You cannot block 'ChallengeSent' transactions outright, as your telephones will then fail to register. What I did is to have all my accounts follow a format - they look like 'AF1234567890' - and now I ban with fail2ban anyone who triggers 'ChallengeSent', but have the following in the filter:
ignoreregex = AccountID="AF\d\d\d\d\d\d\d\d\d\d"
So, all Invites for an account not following that format get a ban, and the asterisk is quite happy.
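The following is an added example, not code from either poster: it replays the filter logic described above (a failregex on ChallengeSent lines, an ignoreregex for account IDs of the form AF plus ten digits) over a handful of constructed Asterisk security-log lines and reports which remote hosts would be banned. The IP addresses and account IDs are made up (RFC 5737 documentation ranges), and the fail2ban filter text in the docstring is my rendering of the same two regexes, not a filter file taken from the thread or shipped with fail2ban.

```python
"""
Emulates the fail2ban decision for the ChallengeSent filter described in the thread.

The equivalent filter.d fragment (assumption: not taken from the thread, not
tested against a live fail2ban; adjust datepattern for your syslog format) is:

    [Definition]
    failregex   = SecurityEvent="ChallengeSent",.*RemoteAddress="IPV[46]/[A-Z]+/<HOST>/\d+"
    ignoreregex = AccountID="AF\d{10}"

fail2ban semantics reproduced here: a line that matches ignoreregex is skipped
before failregex is consulted; otherwise failregex extracts the host to count.
"""
import re
from collections import Counter
from typing import List, Optional

# Equivalent of failregex: only ChallengeSent events, capture the remote host.
# The host group accepts IPv4 or IPv6 literals, since Asterisk logs both.
FAILREGEX = re.compile(
    r'SecurityEvent="ChallengeSent",.*'
    r'RemoteAddress="IPV[46]/[A-Z]+/(?P<host>[^/"]+)/\d+"'
)

# Equivalent of the poster's ignoreregex: accounts named AF + exactly 10 digits.
# The surrounding quotes anchor it, so "AF123456789" (9 digits) still gets banned.
IGNOREREGEX = re.compile(r'AccountID="AF\d{10}"')

# Constructed sample lines (made-up hosts and accounts, not real traffic).
SAMPLE_LOG: List[str] = [
    # Scanner probing for extension 101: matches failregex, not ignored -> ban.
    '[Apr  4 22:07:12] SECURITY[3935] res_security_log.c: SecurityEvent="ChallengeSent",'
    'EventTV="2020-04-04T22:07:12.775-0400",Severity="Informational",Service="SIP",'
    'EventVersion="1",AccountID="101",SessionID="0x7fe460022080",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/60725",'
    'Challenge="4a765ad0"',
    # A real phone registering with a well-formed account: ignored, never counted.
    '[Apr  4 22:07:13] SECURITY[3935] res_security_log.c: SecurityEvent="ChallengeSent",'
    'EventTV="2020-04-04T22:07:13.001-0400",Severity="Informational",Service="SIP",'
    'EventVersion="1",AccountID="AF1234567890",SessionID="0x7fe460022081",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",'
    'Challenge="4a765ad1"',
    # Nine digits only: does not satisfy the ignoreregex, so this host is counted.
    '[Apr  4 22:07:14] SECURITY[3935] res_security_log.c: SecurityEvent="ChallengeSent",'
    'EventTV="2020-04-04T22:07:14.120-0400",Severity="Informational",Service="SIP",'
    'EventVersion="1",AccountID="AF123456789",SessionID="0x7fe460022082",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.8/5062",'
    'Challenge="4a765ad2"',
    # A different security event: failregex does not apply at all.
    '[Apr  4 22:07:15] SECURITY[3935] res_security_log.c: SecurityEvent="SuccessfulAuth",'
    'EventTV="2020-04-04T22:07:15.300-0400",Severity="Informational",Service="SIP",'
    'EventVersion="1",AccountID="AF1234567890",SessionID="0x7fe460022081",'
    'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",'
    'UsingPassword="1"',
]


def classify(line: str) -> Optional[str]:
    """Return the host fail2ban would count for this line, or None if it is not a hit."""
    if IGNOREREGEX.search(line):      # ignoreregex wins, exactly as in fail2ban
        return None
    match = FAILREGEX.search(line)
    return match.group("host") if match else None


def ban_candidates(lines: List[str], maxretry: int = 1) -> List[str]:
    """Hosts whose hit count reaches maxretry (findtime is ignored in this emulation)."""
    hits = Counter(h for h in map(classify, lines) if h is not None)
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line) or '-':<16} {line[:120]}...")
    print("ban:", ban_candidates(SAMPLE_LOG))
```

Two things to keep in mind when copying this approach: Asterisk emits ChallengeSent for any request it challenges, REGISTER and INVITE alike, so a legitimate phone with a mistyped account ID gets banned just like a scanner, and the ignoreregex must be kept in step with every account you add. The regex above does not key on the Service field, so it behaves the same whether the log line comes from chan_sip ("SIP") or res_pjsip ("PJSIP").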