With COVID forcing our workers remote. We have opened up SIP. However, we are getting some malicious attempts to login as a sip user for IP office. While they are not succeding, we would like to blacklist the repeated ones. The IPO is provides lockout for 300 seconds, and that will show the IP in system status. But is there a way to setup the filter on Monitor to see and obtain the IPs?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
How can I trace malicious SIP traffic
- Thread starter danisrael
- Start date
Best way to avoid it is to use TLS when allowing external SIP devices, it's also good to use encryption so you don't send authentication details in clear view over the internet.
It's also rare that SIP scanners try to connect over TLS.
In later R11 you can also blacklist all non-Avaya User Agents, or whitelist specific User Agents etc.
Blocking IPs are usually pointless since they constantly change which IP they originate from.
"Trying is the first step to failure..." - Homer
It's also rare that SIP scanners try to connect over TLS.
In later R11 you can also blacklist all non-Avaya User Agents, or whitelist specific User Agents etc.
Blocking IPs are usually pointless since they constantly change which IP they originate from.
"Trying is the first step to failure..." - Homer
- Thread starter
- #5
- Status
