fail2ban failregex and sip scanning attacks

We have recently come accross 2 sip scanning scenarios not currently covered by fail2ban regex.

Both issues happen (I think) if you allow anonymous sip calls on your system (which is not advised) but nevertheless done when home users have sip extensions. In that scenario a hacker will try to find a valid extension by sending unknown sip calls into your system. This can be caught by fail2ban by adding failregex:
WARNING.* .: Channel 'SIP/-. sent into invalid extension .*

The second issue is much more troublesome as sip extensions do not need to register to make a call on your system. It’s enough to send an authenticated SIP INVITE to initiate the call and currently Asterisk logs do not include the IP address of the attacker when the SIP authentication fails. This obviously means that fail2ban cannot block the IP address.

The log simply shows:
[2011-10-30 18:23:11] NOTICE[11167] chan_sip.c: Failed to authenticate device sip:[email protected];tag=OVYdddxsgyaL-oFfDOjuggggdddqqfhR

I am not familiar on how to submit feature requests to Asterisk so maybe someone in the community could ask them to include the IP address in the log for the above statement. It certainly makes sense to include the IP address when a device fails to authenticate and they do it everywhere else.

The only way to get the IP address is to set debug level 2. Then you get something like this which could be used to build a failregex statement but debug level 2 creates pretty large files.
[2011-10-30 18:35:15] DEBUG[12155] chan_sip.c: Trying to put ‘SIP/2.0 403’ onto TCP socket destined for

BTW I am by no means an expert on this so please double check my logic. I take no responsibility for any problems on your system and I am only pointing out issues we encountered on our side.

Discussed already on asterisk forum:

Too bad they didn’t do anything about it.
Someone should write a patch to list the HOST info in the log for failed authentications.

While tedious, it can be found in the access_log for your web server. /var/log/httpd for CentOS probably /var.log/apache2 in Debian

And take a look at this: