Flooded by INVITE requests

Hi there,

I have noticed recently that my VItalPBX instance is flooded with INVITE requests that seem to be attempting brute force to find a working extension.


the intrusion detection didn’t seem to pick them up so I added them to the ban list by doing the below commands.

fail2ban-client set asterisk-vpbx banip
fail2ban-client set asterisk-vpbx banip

The IPs now show I the ban list on the VitalPBX Firewall page, I have also tried to DROP the connections in iptables, as the firewall won’t block anything that is already connected. that being said I have restarted the server instance too for good measure. and the attempts still persist.

I have seen a forum post here where similar activity was reported and it was suggested to install the geofirewall, I have done this now also and blocked where these ips are reported to be coming from on the abuseipdb website, and yet the connections persist.


Is there anything that can be done to block this kind of activity?

How is your firewall setup? Do you allow any traffic? What is your find and ban time?

Finally, one big misconception. Even if you drop everything in iptables, you will still see SIP attempts in sngrep. To see if they are actually dropped, open the dialog and see if there’s a response. If there’s no response, then the IP is blocked.

Want to see it for yourself. Take a bare Linux install (make sure it does not have any service that listens for 5060) and expose it to the WWW. Open sngrep and give it an hour…

Hi @PitzKey,

Thank you I have included my EC2 firewall configuration and a screenshot of my VitalPBX Firewall settings. I have enabled the GEO firewall and allowed only the UK, as these connections are coming from France and Canada apparently.

Type Protocol Port range Source Description
Custom UDP UDP 5060 - 5063 PJSIP UDP - Open port(s)
Custom TCP TCP 5060 - 5063 PJSIP TPC - Open port(s)
Custom TCP TCP 8088 - 8089 Webrtc
Custom UDP UDP 10000 - 20000 RTP - Open port(s)
HTTPS TCP 443 HTTPS - Open port(s)
Custom TCP TCP 3000 VPBX HTTP Dashboard - Open port(s)
Custom TCP TCP 3005 VPBX HTTPS Dashboard - Open port(s)
HTTP TCP 80 HTTP - Open port(s)
All traffic All All VitalPBX Push Server - US
All traffic All All Sessiontalk Push Server - UK1
All traffic All All Sessiontalk Push Server - UK1
SSH TCP 22 $$.$$.$$.$$/32 SSH from the Office
All traffic All All $$.$$.$$.$$/32 SIP TRUNK - Signalling UDP port 5060 - Fully Open egress/ingress
All traffic All All $$.$$.$$.$$/32 SIP TRUNK- Media UDP ports 6000 - 40000 egress/ingress - Fully Open


This is a snipit of just a few minutes on sngrep, as you can see they are sequentially trying to do something. :thinking:


If I go into one of the attempts on sngrep, all that is there is an invite and nothing else:

INVITE sip:+6498899893@...:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK-524287-1—qwjvy3c19ska2ci0
Max-Forwards: 70
Contact: sip:16536@;transport=UDP
To: sip:+6498899893@**.**.**.**;transport=UDP
From: sip:16536@**.**.**.**;transport=UDP;tag=mt2akhip
Call-ID: yARtLrgZRY4Y3iiZw8Zupn…
Content-Type: application/sdp
User-Agent: Z 3.14.38765 rv2.8.3
Allow-Events: presence, kpml, talk
Content-Length: 284

o=Z 0 0 IN IP4
c=IN IP4
t=0 0
m=audio 8000 RTP/AVP 18 3 110 8 0 97 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:110 speex/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16

I have had this instance up for about three-4 months now, and this is the most activity I have seen, so far everything is blocked by the intrusion detection and it stops pretty quickly, this, has stuck around for a few days and the intrusion detection didn’t pick it up, I manually added to fail2ban and attempted to drop it in iptables. When you suggest opening the dialogue, which dialogue are you referring to exactly I am interested to learn more.


Do you see any response? If not, then the IP is blocked.

Can you post a screenshot of the SIP dialogue?

Also, you seem to allow SIP and RTP from anywhere, yet you also have a couple of other addresses allowed. It’s kinda duplicate.

Try the following and let us know the results.

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5060 -m string --string "YOUR_DOMAIN.COM" --algo bm -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p udp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 2 -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 3 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT

To apply the rules, do a firewall reload.

firewall-cmd --reload

You can remove the flag “–permanent,” if you want to avoid the rule being persistent after a reboot.

Hi @PitzKey

My PBX is meant for use by remote workers so there have to be some pots that are open to the world so that their various mobile dives and desk phones can work. Are you able to suggest refinements at all? Also here is a screenshot of one of the offending INVITES


Hi @miguel

Thank you, I have tried the commands as you have suggested and replaced YOUR_DOMAIN.com with the FQDN of my instance, was I meant to do anything with the INVITE sip: and the REGISTER sip: entries, as I have not seen any change, there are still at least 100 invites a minute coming in.


Piece a Kamailio in front of the PBX, there you can do domain security, UA security and much more to secure your PBX.

As you can see, there’s no response, which indicates that this IP is blocked.

Again, you have to look in the dialogue if Asterisk is sending a response. If not, then it’s blocked.


Hi @PitzKey

Amazing! I seek and crave understanding of things, this all makes sense. Thank you. I will look into the Kamilio Idea too.

Thank you all

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.