fail2ban failregex and sip scanning attacks

We have recently come across 2 sip scanning scenarios not currently covered by fail2ban regex.

Both issues happen (I think) if you allow anonymous sip calls on your system (which is not advised) but nevertheless done when home users have sip extensions. In that scenario a hacker will try to find a valid extension by sending unknown sip calls into your system. This can be caught by fail2ban by adding failregex:
WARNING.* .*: Channel 'SIP/<HOST>-.*' sent into invalid extension .*

The second issue is much more troublesome as sip extensions do not need to register to make a call on your system. It’s enough to send an authenticated SIP INVITE to initiate the call and currently Asterisk logs do not include the IP address of the attacker when the SIP authentication fails. This obviously means that fail2ban cannot block the IP address.

The log simply shows:
[2011-10-30 18:23:11] NOTICE[11167] chan_sip.c: Failed to authenticate device sip:[email protected];tag=OVYdddxsgyaL-oFfDOjuggggdddqqfhR

I am not familiar with how to submit feature requests to Asterisk so maybe someone in the community could ask them to include the IP address in the log for the above statement. It certainly makes sense to include the IP address when a device fails to authenticate and they do it everywhere else.

The only way to get the IP address is to set debug level 2. Then you get something like this which could be used to build a failregex statement but debug level 2 creates pretty large files.
[2011-10-30 18:35:15] DEBUG[12155] chan_sip.c: Trying to put 'SIP/2.0 403' onto TCP socket destined for xxx.xxx.xxx.xxx:51799

BTW I am by no means an expert on this so please double check my logic. I take no responsibility for any problems on your system and I am only pointing out issues we encountered on our side.

Discussed already on asterisk forum:

http://forums.digium.com/viewtopic.php?t=78988
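Added example (not from the post above or from the fail2ban project): the two cases described in the post, checked with Python's re module, which is what fail2ban uses. The log lines are constructed, the <HOST> expansion is a simplified version of fail2ban's, and the DEBUG failregex is an assumption derived from the debug level 2 line quoted above.

```python
import re

# Constructed Asterisk log lines mirroring the post: an anonymous caller probing an
# extension, the NOTICE line with no IP address, and the debug level 2 line that has one.
SAMPLE_LOG = """\
[2011-10-30 18:23:11] WARNING[11167] chan_sip.c: Channel 'SIP/203.0.113.7-0000a1b2' sent into invalid extension '9011441234' in context 'from-sip-external', but no invalid handler
[2011-10-30 18:23:11] NOTICE[11167] chan_sip.c: Failed to authenticate device sip:100@203.0.113.7;tag=abc123
[2011-10-30 18:35:15] DEBUG[12155] chan_sip.c: Trying to put 'SIP/2.0 403' onto TCP socket destined for 203.0.113.7:51799
"""

# Simplified stand-in for fail2ban's <HOST> substitution: an IPv4 address or a hostname,
# captured as the named group fail2ban bans on.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w\-.]+)"

FAILREGEXES = [
    # Anonymous caller sent into an invalid extension (the post's first pattern).
    r"WARNING.* .*: Channel 'SIP/<HOST>-.*' sent into invalid extension .*",
    # Assumed pattern for the 403 sent back on a failed INVITE; only logged at debug level 2.
    r"DEBUG.* .*: Trying to put 'SIP/2\.0 403' onto TCP socket destined for <HOST>:\d+",
]

def compile_failregex(pattern):
    """Expand the <HOST> placeholder into a real named group and compile it."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def extract_offenders(log_text, patterns=FAILREGEXES):
    """Return {host: hit_count} for every line matched by one of the failregexes.

    Lines that carry no host, like the NOTICE line, never contribute a hit,
    which is exactly why fail2ban cannot act on them.
    """
    compiled = [compile_failregex(p) for p in patterns]
    hits = {}
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                host = m.group("host")
                hits[host] = hits.get(host, 0) + 1
                break
    return hits

if __name__ == "__main__":
    print(extract_offenders(SAMPLE_LOG))  # {'203.0.113.7': 2}
```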

Thanks.
Too bad they didn’t do anything about it.
Someone should write a patch to list the HOST info in the log for failed authentications.

While tedious, it can be found in the access_log for your web server: /var/log/httpd for CentOS, probably /var/log/apache2 in Debian.

And take a look at this:

http://www.fail2ban.org/wiki/index.php/Asterisk