Skip to content

Crowdsec: SIP bruteforce traffic not banned #7481

Description

@nrauso

On NS8 with active NethVoice modules, you can observe log entries like the following:

May 21 14:53:33 VoipTest freepbx[349589]: [2025-05-21 14:53:33] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:1951@99.88.77.66>' failed for '137.184.125.78:50527' - Wrong password
May 21 14:53:33 VoipTest freepbx[349589]: [2025-05-21 14:53:33] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:5829@99.88.77.66>' failed for '137.184.125.78:51309' - Wrong password
May 21 14:53:35 VoipTest freepbx[349589]: [2025-05-21 14:53:35] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:9224@99.88.77.66>' failed for '137.184.125.78:53068' - Wrong password
May 21 14:53:35 VoipTest freepbx[349589]: [2025-05-21 14:53:35] #033[1;33mNOTICE#033[0m[150]: #033[1;37mchan_sip.c#033[0m:#033[1;37m29058#033[0m #033[1;37mhandle_request_register#033[0m: Registration from '<sip:14405@99.88.77.66>' failed for '137.184.125.78:53268' - Wrong password

These are illegitimate SIP registration attempts and should be blocked by CrowdSec.
However, they are currently not detected or banned.
While the Asterisk collection is available for CrowdSec, it is not enabled by default, even after enabling it, these log lines still do not trigger any ban.

Components

crowdsec:1.0.14

mattermost conversation

Metadata

Metadata

Assignees

No one assigned

    Labels

    nethvoiceBug or features releted to the NethVoice projecttestingPackages are available from testing repositories

    Type

    Fields

    No fields configured for Bug.

    Projects

    Status
    Testing
    Status
    Testing

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions