Fail2ban is a daemon that you can install to control the intrusion attempts to your systems, we can adapt it to ban attackers after they have tried to login with wrong authentication credentials.

[+Opensips configuration+]

To make opensips work with fail2ban, you will have to send the logs to a different file than /var/log/syslog

Change from:
[@log_facility=LOG_LOCAL0@]

To:
[@log_facility=LOG_LOCAL7@]

And from:

[@ if (!www_authorize("", "subscriber")) {
www_challenge("", "0");
exit;
}@]

To:

[@
$var(auth_code) = www_authorize("", "subscriber");
if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
}
if ( $var(auth_code) < 0 ) {
www_challenge("", "0");
exit;
}
@]

[+rsyslog configuration+]

Add to /etc/rsyslog.conf

[@ local7.* /var/log/opensips.log @]




[+Fail2ban configuration+]

Install fail2ban

[@ apt-get install fail2ban @]


Add to the end of /etc/fail2ban/jail.conf this content:

[@
[opensips]
enabled = true
filter = opensips
action = iptables-allports[name=opensips, protocol=all]
sendmail-whois[name=opensips, dest=destination@example.com, sender=source@example.com]
logpath = /var/log/opensips.log
maxretry = 5
bantime = 3600
@]

Create a file in /etc/fail2ban/filter.d/opensips.conf with the content:
[@
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = opensips

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#

failregex = Auth error for .* from <HOST> cause -[0-9]

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
@]

Restart fail2ban
[@ /etc/init.d/fail2ban restart @]