Re: [Fail2ban-users] Fail2ban Asterisk "spam calls"

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thu, 28 Mar 2013 18:25:29 +0100
Patrick <pg...@op...> wrote:

> Hey everyone,
> 
> im running a few Asterisk installations which are visible to the web
> via 5060.
> 
> On a regular basis i see stuff like this in the logfiles:
> 
> > [Mar 28 17:55:13] NOTICE[29227]: chan_sip.c:22461
> > handle_request_invite: Call from '' (91.121.89.80:5070) to
> > extension '00972597524668' rejected because extension not found in
> > context 'peerdefault'. == Using SIP RTP CoS mark 5 [Mar 28
> > 17:55:13] NOTICE[29227]: chan_sip.c:22461 handle_request_invite:
> > Call from '' (91.121.89.80:5070) to extension '000972597524668'
> > rejected because extension not found in context 'peerdefault'. ==
> > Using SIP RTP CoS mark 5 [Mar 28 17:55:14] NOTICE[29227]:
> > chan_sip.c:22461 handle_request_invite: Call from
> > '' (91.121.89.80:5076) to extension '900972597524668' rejected
> > because extension not found in context 'peerdefault'.
> 
> 
> This is an external user trying to use my box to dialout to a certain
> number, trying through a few of what could be "Dialout Prefixes" like
> "00" "000" "900".
> 
> I would really like a fail2ban rule that scans the asterisk full log
> for these unknown extension tries that bans after 2 misplaced calles.
> 
> How do I go about fixing something like that?

There is a page with some good information about using fail2ban with
Asterisk at
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
(including a warning about limitations). It doesn't directly address
the log entries you're seeing, but hopefully you can add a new pattern
yourself.