Crowdsec: SIP bruteforce traffic not banned #7481

Description

@nrauso

On NS8 with active NethVoice modules, you can observe log entries like the following:

```
May 21 14:53:33 VoipTest freepbx[349589]: [2025-05-21 14:53:33] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:1951@99.88.77.66>' failed for '137.184.125.78:50527' - Wrong password
May 21 14:53:33 VoipTest freepbx[349589]: [2025-05-21 14:53:33] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:5829@99.88.77.66>' failed for '137.184.125.78:51309' - Wrong password
May 21 14:53:35 VoipTest freepbx[349589]: [2025-05-21 14:53:35] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:9224@99.88.77.66>' failed for '137.184.125.78:53068' - Wrong password
May 21 14:53:35 VoipTest freepbx[349589]: [2025-05-21 14:53:35] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:14405@99.88.77.66>' failed for '137.184.125.78:53268' - Wrong password
```

These are illegitimate SIP registration attempts and should be blocked by CrowdSec.
However, they are currently not detected or banned.
While the Asterisk collection is available for CrowdSec, it is not enabled by default. Even after enabling it, these log lines still do not trigger any ban.

Components

crowdsec:1.0.14

mattermost conversation
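The log lines above carry journald-escaped ANSI colour codes (`#033[...m`) between the fields of the Asterisk notice, so a pattern written for the plain notice does not match them until they are stripped. The following is an added example, not code from the issue or from CrowdSec; whether the colour codes are the reason CrowdSec misses these lines is an assumption, and the pattern, function names and threshold are hypothetical.

```python
import re
from collections import Counter

# journald prints the ESC byte as the literal text "#033"; also accept a raw ESC.
ANSI_SGR = re.compile(r"(?:#033|\x1b)\[[0-9;]*m")

# Plain (uncoloured) chan_sip failed-REGISTER notice; IPv4 peers only here.
FAILED_REGISTER = re.compile(
    r"NOTICE\[\d+\]: chan_sip\.c:\d+ handle_request_register: "
    r"Registration from '<sip:(?P<ext>[^@>]+)@[^>]*>' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)' - (?P<reason>.+)$"
)

# Sample input rebuilt from the four lines in the issue (timestamps simplified),
# plus one constructed line that must not count as a failure.
TEMPLATE = (
    "May 21 14:53:33 VoipTest freepbx[349589]: [2025-05-21 14:53:33] "
    "#033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:"
    "#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: "
    "Registration from '<sip:{ext}@99.88.77.66>' failed for "
    "'137.184.125.78:{port}' - Wrong password"
)
SAMPLE = [TEMPLATE.format(ext=e, port=p) for e, p in
          [("1951", "50527"), ("5829", "51309"),
           ("9224", "53068"), ("14405", "53268")]]
SAMPLE.append("May 21 14:53:36 VoipTest freepbx[349589]: constructed unrelated line")

def parse_line(line):
    """Strip colour codes, then extract the failed-registration fields."""
    match = FAILED_REGISTER.search(ANSI_SGR.sub("", line))
    return match.groupdict() if match else None

def failed_by_source(lines):
    """Count failed registrations per source IP."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event:
            counts[event["ip"]] += 1
    return counts

def over_threshold(lines, threshold=3):
    """Source IPs with at least `threshold` failures (hypothetical limit)."""
    return sorted(ip for ip, n in failed_by_source(lines).items() if n >= threshold)

if __name__ == "__main__":
    print(failed_by_source(SAMPLE), over_threshold(SAMPLE))
```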


Labels

nethvoice: Bug or features related to the NethVoice project

Status
In Progress