If your SIP server is exposed to the internet, you need to take additional measures even if you have fail2ban installed. Fail2ban works by keeping track of the logs and then blocking the attackers, so some attack traffic can still get through before fail2ban steps in.
The following tools are used for these attacks:
- sipsak
- sipvicious
- iWar
- sip-scan
- sipcli
- friendly-scanner
- VaxSIPUserAgent
- sundayddr
You can block these attacks using iptables. The following example blocks one of them:
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
Ref: Haroon Javed
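The rule above covers only one name from the list. As an added example (not part of the original post), this shell function prints one string-match DROP rule for each listed tool; the chain name SIP_SCANNERS and the use of --icase are assumptions of this example.

```shell
#!/bin/sh
# Added example: build string-match DROP rules for every scanner name in the list.
# SIP_CHAIN is a hypothetical chain name chosen for this example.

SIP_SIGNATURES="sipsak sipvicious iWar sip-scan sipcli friendly-scanner VaxSIPUserAgent sundayddr"
SIP_CHAIN="SIP_SCANNERS"
SIP_PORT=5060

# Print the iptables commands instead of executing them, so the rule set can
# be reviewed (or kept in version control) before it touches the firewall.
gen_sip_rules() {
    # Create the dedicated chain, or flush it if it already exists, so that
    # re-running the output does not stack duplicate rules.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$SIP_CHAIN" "$SIP_CHAIN"

    for sig in $SIP_SIGNATURES; do
        # Same match as the single rule above (Boyer-Moore string search),
        # plus --icase so a different letter case still matches.
        printf 'iptables -A %s -m string --string "%s" --algo bm --icase -j DROP\n' \
            "$SIP_CHAIN" "$sig"
    done

    # Only UDP traffic to the SIP port is sent through the string-match chain;
    # everything else skips the payload inspection entirely.
    printf 'iptables -I INPUT -p udp --dport %s -j %s\n' "$SIP_PORT" "$SIP_CHAIN"
}
```

Review the output of `gen_sip_rules`, then apply it as root with `gen_sip_rules | sh`. The rules match text that the scanning client puts in its own packets, so they complement fail2ban rather than replace it.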