I’ve been receiving several SIP registration probes in the last month,
and as this server is a testing site (no external lines, no nothing) I
have no fail2ban and am still not planning to install it. Whenever I have
Nagios telling me that there is another ‘guest’, I go and edit iptables
manually and that’s it.
Recently I discovered that these attacks start with some kind of
dictionary, and try to guess valid peer names one by one.
Apparently after a quarter million tries, they do find a legitimate SIP peer
name, and from that point they stick to that peer name and the attack
continues to guess only passwords. Of course, they cannot guess
passwords like p(F9j43/Qgrhjv*&^3 so I’m still not worried, but this
made me believe that Asterisk responds differently when probing a valid
SIP peer name.
So I was wandering through sip.conf and found ‘alwaysauthreject’,
which was set to default (commented out). I have now set its value to yes
(which I thought was the default setting).
Does this setting make the attacker believe that the first try of SIP
peer name was valid, but only the password was incorrect? So in this
case, should they stick to the first name tried, whatever it was?
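As an added example (not part of the original post), this Python script picks out the two-phase pattern described above from Asterisk's messages log: a burst of distinct peer names from one source failing with 'No matching peer found', followed by a single name failing repeatedly with 'Wrong password'. The log lines are constructed samples in chan_sip's registration-failure NOTICE format, with made-up IPs and peer names; the check keys on the server's own log, which records the failure reason independently of the SIP response the client receives.

```python
"""Flag sources that first enumerate SIP peer names and then guess passwords."""
import re
from collections import defaultdict

# chan_sip's registration-failure NOTICE: who tried, from where, and why it failed.
FAIL_RE = re.compile(
    r"Registration from '(?P<frm>[^']*)' failed for '(?P<ip>[^:']+):\d+' - (?P<reason>.+)$"
)
USER_RE = re.compile(r"sip:([^@>]+)@")  # user part of the From URI

def _line(user, ip, reason):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f"[Mar 02 10:00:00] NOTICE[2034] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{ip}:5060' - {reason}")

SAMPLE_LOG = (
    [_line(u, "203.0.113.5", "No matching peer found") for u in ("admin", "test", "100", "101", "1000x")]
    + [_line("1000", "203.0.113.5", "Wrong password") for _ in range(4)]  # found a real peer, now guessing
    + [_line("2001", "198.51.100.7", "Wrong password")]  # one mistyped password from a normal phone
)

def summarize(lines):
    """Per source IP: distinct names tried and counts of each failure reason."""
    stats = defaultdict(lambda: {"users": set(), "no_peer": 0, "wrong_pw": 0})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        u = USER_RE.search(m["frm"])
        if u:
            s["users"].add(u.group(1))
        if m["reason"].startswith("No matching peer"):
            s["no_peer"] += 1
        elif m["reason"].startswith("Wrong password"):
            s["wrong_pw"] += 1
    return stats

def classify(stats, min_names=3, min_pw=3):
    """Label each source by phase; thresholds are tunable assumptions."""
    verdicts = {}
    for ip, s in stats.items():
        tags = []
        if s["no_peer"] >= min_names and len(s["users"]) >= min_names:
            tags.append("enumerating peer names")
        if s["wrong_pw"] >= min_pw:
            tags.append("guessing passwords")
        verdicts[ip] = tags or ["benign"]
    return verdicts
```

Running `classify(summarize(SAMPLE_LOG))` tags 203.0.113.5 with both phases and leaves the single-failure source alone, which is the signal to act on before the password-guessing phase gets far.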