I am looking for ideas how to improve asterisk and fail2ban integration.
I have used this guide for fail2ban setup:
This works fine with some kinds of SIP attacks, but the problem is that I can easily simulate SIP attacks which fail2ban cannot possibly ban - because asterisk’s logs don’t mention the ip address where the attack comes from. Maybe some of you have an idea of how to improve the setup:
Two examples of SIP attacks without ip addresses in the logs: (trixbox 220.127.116.11 / asterisk 18.104.22.168)
Example #1 - An X-Lite phone, which is not registered with the domain, trying to make a call through mypbx.com from an extension number which does NOT exist:
full.log shows this entry, but without ip address, so we can’t know where it came from and fail2ban can’t do anything about it:
– Executing [123456@from-sip-external:1] NoOp(“SIP/mypbx.com-00000751”, “Received incoming SIP connection from unknown peer to 123456”) in new stack
messages.log (syslog): has no log entry
Example #2 - An X-Lite phone, which is not registered with the domain, trying to make a call through mypbx.com from an extension number which DOES exist, but with a wrong password:
full.log: has no log entry
messages.log (syslog): shows this entry, but without ip address, so we can’t know where it came from and fail2ban can’t do anything about it:
Aug 7 20:04:27 mypbx asterisk: NOTICE: chan_sip.c:18047 in handle_request_invite: Failed to authenticate user sip:firstname.lastname@example.org;tag=6719422d
Is the any way to get asterisk to show the ip addresses in these cases?
Or any other ideas?
(I know asterisk should not be exposed to the internet, but in this case it is simply nessesary!)