I looking through my logs, I found that people where probing my SIP
accounts looking for passwords. Asterisk was helping them out by processing hundreds of requests per minute. I did a bit of Googling and this seems to be a frequent knock against Asterisk’s security.
It would seem pretty simple to add a configuration setting to sip.conf to delay the response to a bad account or password.
There is a half measure to confuse the probe by sending the same error return for either error. It appears that many people have complained that this should be the default setting only changed if your are debugging a problem.
There is no reason for a working system to ever have bad passwords so this is clearly an attack in almost every case.
A simple delay would solve the problem for most people who use reasonable passwords.
I had to install fail2ban which is a PITA but thanks to someone’s clear recipe, I was able to get it working.
I hope that this can be worked into a release soon.