Security - Blocking IPs of SIP hackers!

Hi All,
This is a security-related post regarding SIP hackers' IP addresses.

I don’t know if the community has a facility where admins can report IPs that were trying to SIP hack their systems or not (??), but if not, I do recommend creating one.

I have been operating a couple of Asterisk systems in the past few years, with more or less no big security incident, but in the past year or so there was an increase in the number of SIP hacking attacks. These are mostly in the form of incoming anonymous/unknown SIP connections, which often can be defeated by a (security-wise) properly configured Asterisk (read more on the net if you are new).

These attacks are often logged as: “… Warning, Rejecting unknown SIP Connection From …” in the Asterisk logs.

_How to check:_
cd /var/log/asterisk
grep "Rejecting unknown SIP Connection From" full > Rejected_IPs.txt

I have made a list of my own & blocked them by firewall, but like I said it would be very beneficial for all admins to share & report such IP addresses so others can block them too.

IP addresses which tried to hack my system since mid-2015:

P.S. If you are using CentOS 7, you can use the firewalld command to permanently drop the packets from these IPs.
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" reject'
and at the end restart the firewall service:
systemctl restart firewalld

Hope it helps,
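
The grep-then-block workflow from the post above, as an added example that is not part of the original post: it counts rejected source IPs from log text on stdin and prints (does not run) one firewalld rule per repeat offender. The log line layout is constructed around the phrase quoted in the post, and `MIN_HITS`, `ALLOWLIST` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample log lines are constructed; IPs are documentation ranges.
MIN_HITS="${MIN_HITS:-3}"   # hypothetical knob: ignore sources seen fewer times
ALLOWLIST="${ALLOWLIST:-}"  # hypothetical knob: space-separated IPs never blocked

# valid_ipv4 IP -> status 0 only if every octet is <= 255 (runs in a subshell)
valid_ipv4() (
  IFS=.
  for o in $1; do [ "$o" -le 255 ] || exit 1; done
)

# rejected_sources < log -> "hits ip" lines, most frequent first
rejected_sources() {
  # Take only the address that follows the phrase; accept either capitalisation.
  sed -nE 's/.*Rejecting unknown SIP [Cc]onnection [Ff]rom[^0-9]*(([0-9]{1,3}\.){3}[0-9]{1,3}).*/\1/p' |
    sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# block_rules < log -> firewall-cmd lines for sources at or above MIN_HITS
block_rules() {
  rejected_sources | while read -r hits ip; do
    [ "$hits" -ge "$MIN_HITS" ] || continue
    case " $ALLOWLIST " in *" $ip "*) continue ;; esac  # keep trunks/admin IPs
    valid_ipv4 "$ip" || continue
    printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" reject'\n" "$ip"
  done
}

# Constructed sample: one source with 4 hits, one with 3, one with 1, one unrelated line.
sample_log() {
  for ip in 203.0.113.57 203.0.113.57 203.0.113.57 203.0.113.57 \
            198.51.100.23 198.51.100.23 198.51.100.23 192.0.2.10; do
    echo "[2016-02-01 03:11:09] WARNING[2211] Ext. s: Rejecting unknown SIP Connection From $ip"
  done
  echo "[2016-02-01 03:12:00] NOTICE[2211] chan_sip.c: Peer 'trunk1' is now Reachable"
}

sample_log | block_rules
```

On a real system, feed it the log instead (`block_rules < /var/log/asterisk/full`), review the printed commands before running them, and then restart firewalld as in the post.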

After I block an IP, I am getting calls from that IP.

Please, more info: config files, console files, etc.

Hi, I will post it. Before that, I would like to know:
after making a rule in the firewall, will Asterisk override the rule because of any of the config?

No, if configured correctly. Did you reload iptables? Fail2ban set up properly? You might try to add GeoIP/Fail2Ban.

Yes, I configured it correctly and reloaded it as well. The same rule works for TCP connections such as ssh!
What needs to be done for that? I will look into that.

If you have any reference, please share.

Thank you.
