Our server is being slammed with bogus authentication tries for extensions. How can I get logs of attackers' IPs so I can set up iptables rules to reject them?
You could use tcpdump
tcpdump -s 2048 -w /root/sip.dump udp and port 5060
We use fail2ban to block those attempts. See below link for a guide.
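As an added example (not code from this thread or from fail2ban), this is the kind of check fail2ban automates: scan failed SIP registration lines for source IPs, pick the repeat offenders, and build the iptables rules for them. The log lines are constructed in the style of Asterisk's chan_sip "Registration ... failed" messages; that format and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines in the style of Asterisk chan_sip registration
# failures (assumed format; not taken from the thread above).
SAMPLE_LOG = """\
[2012-03-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2012-03-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2012-03-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2012-03-01 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2012-03-01 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
"""

# Match a failed registration and capture the source IP (port is discarded).
FAILED_REG = re.compile(
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'"
)


def count_failures(log_text):
    """Return a Counter mapping source IP -> number of failed registrations."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text, threshold=3):
    """IPs with at least `threshold` failures, most active first.
    The threshold is an assumed value; tune it to the site's traffic."""
    return [ip for ip, n in count_failures(log_text).most_common() if n >= threshold]


def iptables_rules(ips, port=5060):
    """Build iptables DROP rules for the given IPs on the SIP port.
    This only builds the command strings; it does not execute iptables."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Point `count_failures` at the contents of the real Asterisk log instead of `SAMPLE_LOG` and review the generated rules before applying them.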
[quote="bwilks"]You could use tcpdump
tcpdump -s 2048 -w /root/sip.dump udp and port 5060[/quote]
Great tool. I think we should all run these together on machines and see where people are trying to get in from.