Thanks to fail2ban (with the correct new “security” log and regex enabled on Asterisk 1.8+; they don’t try to register any more!), I collect IP addresses of people attempting to hack/defraud SIP systems. I then block the closest, widest IP subnet. I don’t care if I’m blocking a continent at a time. As and when my handful of external users report problems (overlap of bad/good IP addresses), I will correct, but for now my block list at the router looks like this.

Fail2ban blocks using iptables on the Asterisk box itself, but I then kill connections and add to my Mikrotik address-list on the router, after whois’ing the IP and checking whether the provider has a wider netblock; if so I go for that, otherwise I go for what looks like a good fit for the culprit. Thankfully we also pay for fraud insurance. Ideally, the external handsets would have VPN clients built in, but alas this is not the case. I have configured small Mikrotiks to travel with the handset, but this seems like a cumbersome offering.
To begin with, this list was called “PlusServer”, because the majority of attacks were coming from PlusServer AG. Next in line was RedStation.com. This killed off the most severe attacks, but since then I’ve had everything from Denmark to Palestine (twice) and Russia. Anyway, here’s the list, from my Mikrotik address-list.
0 SipAttack 5.1.120.0/21
1 SipAttack 46.19.152.0/21
2 SipAttack 46.22.32.0/20
3 SipAttack 46.231.88.0/21
4 SipAttack 62.75.128.0/17
5 SipAttack 62.138.0.0/19
6 SipAttack 77.236.96.0/21
7 SipAttack 80.86.80.0/20
8 SipAttack 80.242.128.0/19
9 SipAttack 83.142.128.0/21
10 SipAttack 85.25.0.0/16
11 SipAttack 85.93.80.0/24
12 SipAttack 85.93.88.0/21
13 SipAttack 89.19.224.0/19
14 SipAttack 89.207.248.0/21
15 SipAttack 109.234.248.0/21
16 SipAttack 188.138.0.0/17
17 SipAttack 194.150.228.0/23
18 SipAttack 195.66.102.0/24
19 SipAttack 195.137.212.0/23
20 SipAttack 195.149.74.0/24
21 SipAttack 212.40.160.0/24
22 SipAttack 212.40.163.0/24
23 SipAttack 212.40.164.0/24
24 SipAttack 212.40.166.0/23
25 SipAttack 212.40.168.0/24
26 SipAttack 212.40.171.0/24
27 SipAttack 212.40.172.0/23
28 SipAttack 212.40.174.0/24
29 SipAttack 212.40.176.0/21
30 SipAttack 212.40.185.0/24
31 SipAttack 212.40.189.0/24
32 SipAttack 212.48.74.0/24
33 SipAttack 212.48.90.0/24
34 SipAttack 212.48.93.0/24
35 SipAttack 213.174.32.0/19
36 SipAttack 217.118.16.0/20
37 SipAttack 217.119.49.0/24
38 SipAttack 217.119.50.0/23
39 SipAttack 217.119.52.0/24
40 SipAttack 217.119.54.0/23
41 SipAttack 217.119.56.0/22
42 SipAttack 217.172.160.0/19
43 SipAttack 195.154.0.0/16
44 SipAttack 188.227.170.0/24
45 SipAttack 199.168.136.0/21
46 SipAttack 88.150.240.0/23
47 SipAttack 199.48.160.0/21
48 SipAttack 194.63.143.0/24
49 SipAttack 150.174.0.0/16
50 SipAttack 74.91.0.0/20
51 SipAttack 23.239.64.0/19
52 SipAttack 188.214.128.0/21
53 SipAttack 88.150.252.0/23
54 SipAttack 23.239.0.0/16
55 SipAttack 5.135.0.0/16
56 SipAttack 69.64.32.0/19
57 SipAttack 37.220.0.0/19
58 SipAttack 209.133.192.0/19
59 SipAttack 209.239.112.0/20
60 SipAttack 199.217.112.0/21
61 SipAttack 5.196.0.0/16
62 SipAttack 203.67.0.0/16
63 SipAttack 62.210.246.67
64 SipAttack 62.210.0.0/16
65 SipAttack 207.244.64.0/18
66 SipAttack 192.187.96.0/19
67 SipAttack 107.150.0.0/16
68 SipAttack 85.114.121.0/24
69 SipAttack 46.166.160.0/21
70 SipAttack 89.163.128.0/19
71 SipAttack 50.30.0.0/16
72 SipAttack 85.114.123.0/24
73 SipAttack 198.7.56.0/21
74 SipAttack 158.255.0.0/16
75 SipAttack 85.114.124.0/24
76 SipAttack 82.205.0.0/16
77 SipAttack 77.66.0.0/16
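The workflow described above (fail2ban bans a host, whois the address, prefer the provider's wider netblock, add it to the Mikrotik address-list) can be scripted, and a list that grows by hand tends to pick up redundant entries, as this one has (62.210.246.67 sits inside 62.210.0.0/16, and 23.239.64.0/19 inside 23.239.0.0/16). The following is an added example, not code from the original post: it parses the address-list dump layout shown above, flags entries already covered by a wider one, checks whether a newly banned IP is already blocked, extracts the netblock from a whois record, and emits the RouterOS `add` command for it. The list names, whois sample and IP addresses used for testing are constructed (the whois record uses documentation ranges), and the `/ip firewall address-list add` syntax is standard RouterOS.

```python
"""Added example: manage a Mikrotik address-list fed by fail2ban bans."""
import ipaddress

# Constructed sample in the same "<index> <list> <address>" layout as the
# address-list dump in the post (a small subset of the real entries).
SAMPLE_LIST = """\
0 SipAttack 5.1.120.0/21
51 SipAttack 23.239.64.0/19
54 SipAttack 23.239.0.0/16
63 SipAttack 62.210.246.67
64 SipAttack 62.210.0.0/16
10 SipAttack 85.25.0.0/16
"""

# Constructed whois record in RIPE-style layout; 198.51.100.0/24 is a
# documentation range, not a real provider.
SAMPLE_WHOIS = """\
% Constructed sample record
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
descr:          Example hosting provider (constructed)
route:          198.51.100.0/24
"""


def parse_address_list(text):
    """Parse 'index list address' lines into (list_name, network) tuples.
    A bare host address with no prefix length becomes a /32."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or unexpected lines
        _, list_name, addr = parts
        entries.append((list_name, ipaddress.ip_network(addr, strict=False)))
    return entries


def redundant_entries(networks):
    """Return entries that are fully contained in another, wider entry."""
    redundant = []
    for net in networks:
        for other in networks:
            if other != net and other.prefixlen < net.prefixlen and net.subnet_of(other):
                redundant.append(net)
                break
    return redundant


def covering_entry(networks, ip):
    """Return the narrowest list entry that already covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in networks if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def netblock_from_whois(whois_text):
    """Return the CIDR block(s) a whois record covers. Prefers an explicit
    'route:' or 'CIDR:' line; otherwise summarises an 'inetnum:' or
    'NetRange:' start-end range into the minimal set of CIDRs."""
    fields = {}
    for line in whois_text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#")):
            continue  # comments and free text
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), value.strip())
    for key in ("route", "cidr"):
        if key in fields:
            first_cidr = fields[key].split(",")[0].strip()
            return [ipaddress.ip_network(first_cidr, strict=False)]
    for key in ("inetnum", "netrange"):
        if key in fields:
            first, last = (ipaddress.ip_address(p.strip()) for p in fields[key].split("-"))
            return list(ipaddress.summarize_address_range(first, last))
    return []


def mikrotik_add_command(list_name, network, comment):
    """Build the RouterOS command that adds one entry to an address-list."""
    return (f"/ip firewall address-list add list={list_name} "
            f"address={network.with_prefixlen} comment=\"{comment}\"")


def plan_block(existing, banned_ip, whois_text, list_name="SipAttack"):
    """Decide what to do with a freshly banned IP: nothing if an existing
    entry already covers it, otherwise the RouterOS commands that add the
    provider's whole netblock (falling back to the /32 if whois gave none)."""
    if covering_entry(existing, banned_ip) is not None:
        return []
    blocks = netblock_from_whois(whois_text) or [ipaddress.ip_network(banned_ip)]
    return [mikrotik_add_command(list_name, b, f"fail2ban {banned_ip}") for b in blocks]


if __name__ == "__main__":
    nets = [n for _, n in parse_address_list(SAMPLE_LIST)]
    print("redundant:", [str(n) for n in redundant_entries(nets)])
    for cmd in plan_block(nets, "198.51.100.77", SAMPLE_WHOIS):
        print(cmd)
```

Run it over the full dump from the post (`parse_address_list` accepts the exact layout above) to find entries the wider blocks already make redundant; collapsing them keeps the list readable when a legitimate user turns out to sit inside one of the blocks and an exception has to be carved out.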