Home arrow Linux arrow Asterisk arrow Detecting brute force SIP attacks
Detecting brute force SIP attacks Print E-mail
Written by Jason   
Dec 02, 2010 at 08:16 AM

Running a publicly accessible SIP server is not a task for the faint of heart since brute force SIP attacks are commonplace. It's usually a good idea to know when they're happening and from where, so here's a simple automated script I put together to parse the Asterisk log files and pull out the relevant data.

The following script assumes an installation directory of /scripts and is ran from cron, like this:

0 23 * * *      /scripts/daily_attack.sh

Then mailed to the recipient a short time later:

30 23 * * *     /usr/bin/mail -s "Daily Attacks on $HOSTNAME" < /scripts/daily_attack.txt

The following script runs well on SuSE, but YMMV.

# daily_attack.sh
# A script put together in a hurry by
# For licensing purposes this script should be considered GPLv3.
# Script should be ran from cron around 11pm then email
# the result file (/scripts/daily_attack.txt) through another
# cron job right after this script is ran.
td=$(date |  awk '{print $2,$3}')
# Create the file
echo "Attacks for the day of:" > /scripts/daily_attack.txt
date >> /scripts/daily_attack.txt
echo " " >> /scripts/daily_attack.txt
# Fetch the data
echo "Unknown users:" >> /scripts/daily_attack.txt
cat /var/log/asterisk/full | grep "$td" | grep "No matching peer found" >> /scripts/daily_attack.txt
echo " " >> /scripts/daily_attack.txt
echo "Wrong passwords:" >> /scripts/daily_attack.txt
cat /var/log/asterisk/full | grep "$td" | grep "Wrong password" >> /scripts/daily_attack.txt

Comments? Improvements? Contact .

Last Updated ( Dec 02, 2010 at 08:51 AM )
� http://www.roboguys.com, Mambo and Designed by Siteground