Fail2Ban and unauthorized invites

Someone is trying to place calls from my Asterisk box. They are trying to brute-force extensions.

Example log:

Code:

<--- SIP read from UDP:155.94.64.250:5078 --->
INVITE sip:999900972595183136@MY_ASTERISK SIP/2.0
To: 999900972595183136<sip:999900972595183136@MY_ASTERISK>
From: 100<sip:100@MY_ASTERISK>;tag=5e3e6e24
Via: SIP/2.0/UDP 155.94.64.250:5078;branch=z9hG4bK-8bbc1963772ea7d4e0e9b53028509008;rport
Call-ID: 8bbc1963772ea7d4e0e9b53028509008
CSeq: 1 INVITE
Contact: <sip:100@155.94.64.250:5078>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 283

v=0
o=sipcli-Session 1486506575 1460040688 IN IP4 155.94.64.250
s=sipcli
c=IN IP4 155.94.64.250
t=0 0
m=audio 5079 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
<------------->
--- (12 headers 13 lines) ---
Sending to 155.94.64.250:5078 (no NAT)
Sending to 155.94.64.250:5078 (no NAT)
Using INVITE request as basis request - 8bbc1963772ea7d4e0e9b53028509008
No matching peer for '100' from '155.94.64.250:5078'

<--- Reliably Transmitting (no NAT) to 155.94.64.250:5078 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 155.94.64.250:5078;branch=z9hG4bK-8bbc1963772ea7d4e0e9b53028509008;received=155.94.64.250;rport=5078
From: 100<sip:100@MY_ASTERISK>;tag=5e3e6e24
To: 999900972595183136<sip:999900972595183136@MY_ASTERISK>;tag=as74036dec
Call-ID: 8bbc1963772ea7d4e0e9b53028509008
CSeq: 1 INVITE
Server: Asterisk PBX 11.16.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="MY_ASTERISK", nonce="7ca35cf2"
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog '8bbc1963772ea7d4e0e9b53028509008' in 32000 ms (Method: INVITE)
Retransmitting #1 (no NAT) to 155.94.64.250:5078:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 155.94.64.250:5078;branch=z9hG4bK-8bbc1963772ea7d4e0e9b53028509008;received=155.94.64.250;rport=5078
From: 100<sip:100@MY_ASTERISK>;tag=5e3e6e24
To: 999900972595183136<sip:999900972595183136@MY_ASTERISK>;tag=as74036dec
Call-ID: 8bbc1963772ea7d4e0e9b53028509008
CSeq: 1 INVITE
Server: Asterisk PBX 11.16.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="MY_ASTERISK", nonce="7ca35cf2"
Content-Length: 0

However, this does not get logged very well in security/notice/warning. Best I can see is this:

Code:

SECURITY[3465] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1431085132-271760",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:100@MY_ASTERISK",SessionID="0x7ff2c8030a78",LocalAddress="IPV4/UDP/MY_ASTERISK/5060",RemoteAddress="IPV4/UDP/155.94.64.250/5071",Challenge="54fbbac8"

WARNING[3853] chan_sip.c: Timeout on 00c515da631bbb644a6c5c056dcb0f8c on non-critical invite transaction.

How would I go about catching IP (and others to come) automatically with Fail2Ban? Thanks for any help in advance.

Statistics : Posted by genobe • on Fri May 08, 2015 5:47 am • Replies 15 • Views 1929

---