Summary: ASTERISK-13105: on excessive registration failures: security feature to lockout the IP
Reporter: jperry (jperry999)
Labels:
Date Opened: 2008-11-22 13:20:44.000-0600
Date Closed: 2011-06-07 14:03:06
Versions:
Frequency of
Description: I found out the hard way that if the SIP port (5060) is available to the public Internet on the Asterisk box, it is VERY easy for someone out there to find your extensions and then scan for the valid "secret" password. With that, they simply "Register" as the extension and Asterisk now thinks they ARE the internal extension!

Since the only way they can discover passwords is by running hundreds or thousands of attempts to see what grants access to a Register command (all of which can be done in a matter of minutes, since computers are so fast), what I would like is something in Asterisk to detect a REGISTER password failure, note the IP address attempting access, and after TWO unsuccessful tries within an hour, to block that IP address from ANY access for at least an hour. After a dozen unsuccessful tries from an IP over a day, block that IP until a human releases it. Also, to give a log-file for unsuccessful Register attempts, without having to have the other dozens of traffic that a Debug log level gives.


See my full posting here

Although "fail2ban" might work, it does not work for everyone, per these posts:
Although there are some who have had trouble getting it to work:

Comments:

By: Leif Madsen (lmadsen) 2008-11-24 09:39:12.000-0600

This type of thing was discussed at AstriDevCon this year (as part of greater tools to add layers of security to asterisk). However, this is not the appropriate place to request features. You may bring this discussion up on the asterisk-users mailing list for discussion and if any code results from that discussion, then you can open up a bug and attach the code to that.

Feature requests are not kept open on the bug tracker unless code is submitted with it.
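
The lockout policy requested in the description (two failed REGISTERs within an hour gives a one-hour block, a dozen within a day gives a block until a human releases it), sketched as an added example that is not part of the ticket or of Asterisk. The log line format, the sample lines and all names (`RegisterLockout`, `feed`, `FAIL_RE`) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: constructed lines modeled on chan_sip NOTICE messages.
FAIL_RE = re.compile(r"^\[(?P<ts>[\d\- :]+)\] NOTICE\[\d+\] chan_sip\.c: "
                     r"Registration from '.*' failed for '(?P<ip>[\d.]+)(?::\d+)?' - ")
SHORT_LIMIT, SHORT_WINDOW = 2, timedelta(hours=1)  # two failures within an hour
TEMP_BLOCK = timedelta(hours=1)                    # block for at least an hour
LONG_LIMIT, LONG_WINDOW = 12, timedelta(days=1)    # a dozen failures over a day

SAMPLE_LOG = [  # constructed sample input, documentation-range addresses
    "[2008-11-22 13:20:44] NOTICE[2871] chan_sip.c: Registration from "
    "'\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "[2008-11-22 13:20:45] NOTICE[2871] chan_sip.c: Registration from "
    "'\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
    "[2008-11-22 13:25:00] NOTICE[2871] chan_sip.c: Registration from "
    "'\"102\" <sip:102@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[2008-11-22 13:26:00] VERBOSE[2871] logger.c: unrelated line, ignored",
]

class RegisterLockout:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> failure times within the last day
        self.temp_until = {}                # ip -> end of the temporary block
        self.permanent = set()              # blocked until an operator releases

    def record_failure(self, ip, ts):
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > LONG_WINDOW:      # drop failures older than a day
            q.popleft()
        if len(q) >= LONG_LIMIT:
            self.permanent.add(ip)
        elif sum(ts - t <= SHORT_WINDOW for t in q) >= SHORT_LIMIT:
            self.temp_until[ip] = ts + TEMP_BLOCK

    def is_blocked(self, ip, now):
        return ip in self.permanent or now < self.temp_until.get(ip, datetime.min)

    def release(self, ip):                  # the human release step
        self.permanent.discard(ip)
        self.temp_until.pop(ip, None)
        self.failures.pop(ip, None)

def feed(lockout, lines):
    """Apply every failed-REGISTER line to the lockout state; ignore the rest."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            lockout.record_failure(m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return lockout
```

The state tracks only failures that reach the log, so enforcement of `is_blocked` (firewall rule, ACL) is left to whatever consumes it.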