ID’ing failed auth IPs

Home » Asterisk Users » ID’ing failed auth IPs
Asterisk Users No Comments

On Mon, Nov 29, 2010 at 2:01 PM, Hose wrote:
> So when someone’s brute forcing your server is there a way to identify
> the originating IPs without using a tcpdump?  When I get a failed auth
> on the console it shows ‘account@asteriskserver’ then tag=as25ca5023 (or
> some random string, though it’s a bit odd as alwaysauthreject = yes is
> on in sip.conf).  Anyway, the logs don’t show anything more useful
> either.  Is there something obvious I’m missing?  Cranking up verbosity
> on the console doesn’t seem to do anything.
>
> hose

You can use IPTABLES to log all traffic on a port for you. Instead of
ACCEPT or DROP use LOG.