I would not advise you to spend a lot of time looking at the log after friendly-scanner. I assume that it is the usual enumeration of areas or of usernames and passwords.
And it is not a discovery for people familiar with VoIP.
There are, as always, a great many solutions.
I can open up my solution to the problem a little.
1. If your server is on the local network (behind NAT), then in addition to port forwarding on the router, you need to add rules limiting the number of connection attempts on the port used for SIP.
2. Activate iptables on the server. Even if you have Windows, I recommend running the SIP server on Linux in a virtual environment. Everything mentioned below applies to Linux.
The list of rules goes like this:
#cat /etc/iptables/rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORVOIP - [0:0]
# input rules
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...
-A INPUT -p udp -m udp --dport 5060 -j FORVOIP
-A INPUT -p udp -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop="
# FORVOIP rules
-A FORVOIP -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipsscuser" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipcli" --algo bm --to 65535 -j DROP
-A FORVOIP -j RETURN
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --sport 1720 -j DSCP --set-dscp 0x0a
-A OUTPUT -p tcp -m tcp --dport 1720 -j DSCP --set-dscp 0x0a
-A OUTPUT -p udp -m udp --sport 5060:5070 -j DSCP --set-dscp 0x0a
-A OUTPUT -p udp -m udp --sport 9000:16999 -j DSCP --set-dscp 0x2e
COMMIT
3. Install fail2ban and create the appropriate rules.
#cat /etc/fail2ban/jail.conf
[yate-iptables]
enabled = true
filter = yate
action = iptables[name=SIP, port=sip, protocol=udp]
logpath = /var/log/yate/yate.cdr
findtime = 60
maxretry = 10
bantime = 72000000
#cat /etc/fail2ban/filter.d/yate.conf
[Definition]
failregex= .*\t.*\t.*\t<HOST>:.*rejected
It is assumed that the cdrfile module is enabled in Yate:
#cat /etc/yate/cdrfile.conf
[general]
file=/var/log/yate/yate.cdr
tabs=true
4. Enable Yate's self-protection: banbrutes.
#cat /etc/yate/extmodule.conf
[scripts]
banbrutes.php=
It is configured directly in the body of the script:
#cat /usr/share/yate/scripts/banbrutes.php
$ban_failures = 4;      // failed attempts from one address before it is banned
$clear_gray = 5;        // interval after which an address is cleared from the gray list
$clear_black = 3600;    // interval after which a banned address is cleared from the black list
// shell commands run to ban/unban; $addr is replaced with the offending address
$cmd_ban = "iptables -I FORVOIP -s \$addr -j DROP";
$cmd_unban = "iptables -D FORVOIP -s \$addr -j DROP";
5. Probably the most reliable way, but I have not tried it: change port 5060 to another one.
And another recommendation here.
I do not know whether there are vulnerabilities in the Yate SIP stack, but with 5 months of uptime of my Yate, I hope not.
The absence of any mention of Yate here, unlike * and its clones, also gives some peace of mind :-)
Sorry for my English,
Best regards
PS:
The forum really has very few answers, except from the developers.
And, IMHO, this is because a user community of Yate does not exist as such.
There is a small community of developers who are interested in bug reports.
And all the others who have mastered Yate use it for their own commercial projects, and running educational programs is certainly not in their interest.
And it is very sad.
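As an added example (not from the post or the Yate project), the fail2ban logic of step 3 replayed in Python over constructed CDR lines: the post's failregex with <HOST> expanded the classic fail2ban way, rejections counted per source address in the post's findtime = 60 window with maxretry = 10. The CDR line layout (Unix timestamp first, address as host:port, status last) is an assumption made for the sample only.

```python
import re
from collections import defaultdict, deque

# Jail parameters from the post's jail.conf
FINDTIME = 60
MAXRETRY = 10

# failregex from the post's filter.d/yate.conf; <HOST> expanded as classic
# fail2ban does for IPv4/hostname matches (assumption: IPv6 form not handled)
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(r".*\t.*\t.*\t" + HOST + r":.*rejected")


def parse_cdr_line(line):
    """Return (timestamp, host) for a rejected-call CDR line, else None.
    Assumes the first tab-separated field is the Unix timestamp (constructed layout)."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    return float(line.split("\t", 1)[0]), m.group("host")


def hosts_to_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Sliding-window count of rejections per host, in log order; a host is
    reported once it reaches maxretry rejections within findtime seconds."""
    window = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_cdr_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:   # drop events older than the window
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def make_cdr_line(ts, host, status):
    """Constructed tab-separated line: time, channel, direction, address, caller, called, status."""
    return f"{ts:.3f}\tsip/{int(ts) % 100}\tincoming\t{host}:5060\t100\t200\t{status}"


# Constructed sample: a burst of 12 rejections in 12 s (should be banned),
# 12 rejections spread 30 s apart (never 10 within 60 s), and one answered call.
SAMPLE_LINES = (
    [make_cdr_line(1700000000 + i, "198.51.100.7", "rejected") for i in range(12)]
    + [make_cdr_line(1700000000 + i * 30, "203.0.113.9", "rejected") for i in range(12)]
    + [make_cdr_line(1700000005, "192.0.2.4", "answered")]
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LINES))   # → ['198.51.100.7']
```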