As a suggestion, this is how I handle unauthorized attempts to place a call.
In sip.conf:
…
allowguest=yes
context=unauthenticated
…
In extensions.conf:
…
[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()
exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()
…
For Fail2Ban configuration
In jail.conf
…
[asterisk]
filter = asterisk
action = iptables-allports[name=ASTERISK]
logpath = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime = 864000
enabled = true
…
In filter.d/asterisk.conf:
# Fail2Ban configuration file
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
            WARNING.* .*: fail2ban='<HOST>'
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
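
A way to check that the dialplan `Log()` line and the filter actually agree before relying on the ban, as an added example that is not part of the original post. It takes two of the rules from the filter above with `<HOST>` and `.*` written out, expands `<HOST>` with the alias quoted in the filter's comments, and runs them over log lines that are constructed for illustration (the timestamp and `Ext. ...` prefix layout are assumptions); the helper names are hypothetical.

```python
import re

# <HOST> alias exactly as quoted in the filter's own comment block.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Two rules from the failregex list: a stock one and the custom dialplan one.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"WARNING.* .*: fail2ban='<HOST>'",
]

# Constructed log lines using documentation addresses, not real captures.
# Line 3 omits the quotes around the address, as a mistyped Log() would.
SAMPLE_LOG = """\
[2014-03-10 12:00:01] WARNING[1234]: Ext. 900442012345678:1 @ unauthenticated: fail2ban='203.0.113.7'
[2014-03-10 12:00:05] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5071' - Wrong password
[2014-03-10 12:00:07] WARNING[1234]: Ext. 900442012345678:1 @ unauthenticated: fail2ban=203.0.113.9
[2014-03-10 12:00:09] VERBOSE[1234] pbx.c: -- Executing [100@from-internal:1] Dial("SIP/100", "SIP/101")
"""

def compile_rules(rules):
    """Expand the <HOST> tag and compile each rule."""
    return [re.compile(r.replace("<HOST>", HOST)) for r in rules]

def offending_hosts(log_text, rules=FAILREGEX):
    """Return (line_number, host) for every line a rule would count as a failure."""
    compiled = compile_rules(rules)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((n, m.group("host")))
                break  # with maxretry = 1 a single hit already triggers the ban
    return hits

def unmatched_markers(log_text, rules=FAILREGEX):
    """Lines that carry the 'fail2ban=' marker but match no rule: the dialplan
    text and the filter have drifted apart, so no ban would happen."""
    matched = {n for n, _ in offending_hosts(log_text, rules)}
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if "fail2ban=" in line and n not in matched]

if __name__ == "__main__":
    print("would ban:", offending_hosts(SAMPLE_LOG))
    print("marker present but not matched:", unmatched_markers(SAMPLE_LOG))
```

On a live system, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` runs the same kind of check against the real log with the installed filter (the `/etc/fail2ban` prefix is the usual install location, assumed here).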