Hi. I have Fail2Ban on a system and it works great stopping attacks on SIP registrations and SSH brute force attempts, but I have recently noticed a bunch of SIP registration attempts where the other side doesn't seem to offer a password when asked, and so I just keep getting the following constant records in the "security" log…
[2019-05-21 12:03:55] SECURITY[100431] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-05-21T12:03:55.417+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@1.1.1.1",SessionID="0x804cf1820",LocalAddress="IPV4/UDP/MY_PUBLIC_IP_REMOVED/5060",RemoteAddress="IPV4/UDP/77.247.109.219/5063",Challenge="7e8ada93"
I get them from different sources. Some don't have a route back to them, so I can understand why they might not get the challenge event to respond to with a password, but some do, so likely they just have badly configured scripts.
Anyway, I need to stop them. It seems they are not going to get anywhere on my system, but they do fill up the logs and I'd like to just drop their IP. I use FreeBSD and IPFW and use a table which bans the IPs when Fail2Ban spots something.
I understand these challenge events are normal, so I can't just ban them when they are seen because this would also ban legitimate users. I am wondering if there is a threshold I could apply, i.e., if there are 60 of these ChallengeSent from a particular IP within 30 minutes or something like that, could I then ban the IP? Basically, what would be acceptable from a legitimate user and what wouldn't be, so I can maybe set up a rule based on that?
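The threshold idea in the post, worked through as an added example (not code from the post or from Fail2Ban): a small Python script that parses Asterisk `res_security_log` lines of the shape shown above, keeps a sliding 30-minute window of `ChallengeSent` events per remote IP, and reports an IP once it reaches the proposed 60 challenges. The log lines it runs over are constructed here using documentation-range addresses (`198.51.100.7`, `192.0.2.10`, `203.0.113.1`), and the threshold and window values are the ones the post suggests, not measured numbers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Pull the three fields the threshold logic needs from an Asterisk
# res_security_log line: the event type, its EventTV timestamp and the
# remote IP inside RemoteAddress="IPV4/UDP/<ip>/<port>".
EVENT_RE = re.compile(
    r'SecurityEvent="(?P<event>[^"]+)".*?'
    r'EventTV="(?P<tv>[^"]+)".*?'
    r'RemoteAddress="IPV[46]/[A-Z]+/(?P<ip>[^/"]+)/\d+"'
)


def parse_event(line):
    """Return {'event', 'ts', 'ip'} for a security log line, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    # EventTV looks like 2019-05-21T12:03:55.417+0100; %z accepts +HHMM.
    ts = datetime.strptime(m.group("tv"), "%Y-%m-%dT%H:%M:%S.%f%z")
    return {"event": m.group("event"), "ts": ts, "ip": m.group("ip")}


class ChallengeTracker:
    """Count ChallengeSent events per IP inside a sliding time window."""

    def __init__(self, threshold=60, window=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # ip -> timestamps still in window
        self.flagged = set()

    def observe(self, line):
        """Feed one log line; return the IP if it just crossed the threshold."""
        ev = parse_event(line)
        if ev is None or ev["event"] != "ChallengeSent":
            return None  # SuccessfulAuth and other events do not count
        q = self.events[ev["ip"]]
        q.append(ev["ts"])
        cutoff = ev["ts"] - self.window
        while q and q[0] < cutoff:  # drop challenges older than the window
            q.popleft()
        if len(q) >= self.threshold and ev["ip"] not in self.flagged:
            self.flagged.add(ev["ip"])
            return ev["ip"]
        return None


def scan(lines, threshold=60, window=timedelta(minutes=30)):
    """Run the tracker over a list of log lines; return IPs that hit the threshold."""
    tracker = ChallengeTracker(threshold, window)
    return [ip for ip in (tracker.observe(l) for l in lines) if ip]


# ---- constructed sample log (placeholder addresses, not real traffic) ----
TZ = timezone(timedelta(hours=1))
START = datetime(2019, 5, 21, 12, 0, 0, tzinfo=TZ)


def make_line(ts, event, ip, port):
    """Build a line in the res_security_log format quoted in the post."""
    tail = ',Challenge="7e8ada93"' if event == "ChallengeSent" else ""
    return (
        f"[{ts:%Y-%m-%d %H:%M:%S}] SECURITY[100431] res_security_log.c: "
        f'SecurityEvent="{event}",EventTV="{ts:%Y-%m-%dT%H:%M:%S}.'
        f'{ts.microsecond // 1000:03d}{ts:%z}",Severity="Informational",'
        f'Service="SIP",EventVersion="1",AccountID="sip:100@1.1.1.1",'
        f'SessionID="0x804cf1820",LocalAddress="IPV4/UDP/203.0.113.1/5060",'
        f'RemoteAddress="IPV4/UDP/{ip}/{port}"{tail}'
    )


def build_sample_log():
    lines = []
    # A client that never answers the challenge: 70 challenges in about 20 minutes.
    for i in range(70):
        lines.append(make_line(START + timedelta(seconds=17 * i),
                               "ChallengeSent", "198.51.100.7", 5063))
    # A phone re-registering every three minutes: each challenge is followed
    # by a SuccessfulAuth, so it produces 10 challenges in 30 minutes.
    for i in range(10):
        t = START + timedelta(minutes=3 * i)
        lines.append(make_line(t, "ChallengeSent", "192.0.2.10", 5060))
        lines.append(make_line(t + timedelta(milliseconds=40),
                               "SuccessfulAuth", "192.0.2.10", 5060))
    return lines


if __name__ == "__main__":
    print("over threshold:", scan(build_sample_log()))
```

The count-per-window shape is the same one Fail2Ban implements natively: a filter whose `failregex` matches `ChallengeSent` lines with `<HOST>` taken from `RemoteAddress`, combined with the jail's `findtime` (the window) and `maxretry` (the count). Whatever threshold is chosen has to sit well above the rate a real endpoint produces: a phone that re-registers every minute and is challenged on each cycle generates about 30 ChallengeSent events in 30 minutes on its own, so a value like 60 in 30 minutes leaves some headroom but not a lot for sites with short registration expiries.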