Hi, this morning I saw the Asterisk log file containing suspicious log entries like the one given below:
013-05-09 11:36:45] NOTICE[26304] chan_sip.c: Sending fake auth rejection for device 5008sip:5008@x.x.x.x;tag=xxxxx
This log entry repeated for like 100 lines. Is this some kind of brute-force SIP attack? Please help.
All SIP servers visible to the internet are continually under attack.
Either device 5008 is misconfigured (using 5008 as a device name is not best practice), or you are seeing one of the many attacks.
Note the correct forum for support questions on Asterisk itself (e.g. not FreePBX) is Asterisk Support.
If you’re using FreePBX, try to make a practice of using the permit and deny options. You can also use
iptables -A INPUT -s x.x.x.x -j DROP
where x.x.x.x is the IP trying to connect from outside.
You could try creating a filter in fail2ban. You just have to test it to make sure it doesn’t ban legitimate things.
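One way to test such a filter offline before it bans anything, as an added example that is not part of the original thread: the Python sketch below matches the NOTICE format quoted in the question and flags an address only after repeated hits inside a time window. The log lines, the 203.0.113.7 and 198.51.100.20 addresses, the thresholds and the `candidates` helper are all constructed for illustration, and it assumes the address after `@` in the message is the remote peer, which you should confirm on your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mirrors the NOTICE line quoted in the thread; captures the address after '@'.
# Assumption: in your Asterisk version that field is the remote address.
FAKE_AUTH = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Sending fake auth rejection for device .*?sip:[^@\s]+@"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

def candidates(lines, max_retry=5, find_time=timedelta(minutes=10), allow=frozenset()):
    """Return hosts with at least max_retry matching lines inside one find_time window."""
    hits = defaultdict(list)
    for line in lines:
        m = FAKE_AUTH.match(line)
        if m and m["host"] not in allow:  # allowlisted peers are never counted
            hits[m["host"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    flagged = set()
    for host, times in hits.items():
        times.sort()
        # Sliding window: pair each hit with the one max_retry-1 positions later.
        for first, last in zip(times, times[max_retry - 1:]):
            if last - first <= find_time:
                flagged.add(host)
                break
    return flagged

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = [
    # Six rejections in six seconds from one address: scanner-like behaviour.
    f"[2013-05-09 11:36:{s:02d}] NOTICE[26304] chan_sip.c: Sending fake auth rejection "
    f"for device 5008<sip:5008@203.0.113.7>;tag=t{s}" for s in range(40, 46)
] + [
    # Two rejections from another address: could be a phone with a typo in its config.
    "[2013-05-09 11:38:10] NOTICE[26304] chan_sip.c: Sending fake auth rejection "
    "for device 201<sip:201@198.51.100.20>;tag=a1",
    "[2013-05-09 11:38:40] NOTICE[26304] chan_sip.c: Sending fake auth rejection "
    "for device 201<sip:201@198.51.100.20>;tag=a2",
    # Unrelated chan_sip notice that the filter must ignore.
    "[2013-05-09 11:40:00] NOTICE[26304] chan_sip.c: Peer '5008' is now Reachable. (12ms / 2000ms)",
]

if __name__ == "__main__":
    print(sorted(candidates(SAMPLE)))
```

Here `max_retry` and `find_time` play the role of fail2ban's `maxretry` and `findtime`; once the pattern behaves on sample lines, the equivalent failregex can be checked against a real log with `fail2ban-regex` before enabling a jail.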
I have found that trying to ban IPs manually is useless. These scans are automated and often designed to switch to a different IP if blocked. They could have hundreds if not thousands of IPs.
Yes, fail2ban is the recommended solution to secure an Asterisk server.
Install Webmin & CSF Firewall. Better than relying on fail2ban and secures your server better. Easy to set up and manage. I suggest this to all my clients.