Openfire 3.10 + ofmeeting flooded by SIP scanners. What to do?

Hi all,

I’m trying to understand if I’m the only one with this problem: I installed Openfire 3.10 with ofmeeting two days ago and everything was fine.
Yesterday I found many records in Openfire’s logs, showing MANY attempts coming from several IPs trying to register with Openfire (ofmeeting) SIP ports (5000-6000). Later I discovered that this is done with a script called SIPVicious.

Soon these registration attempts became a flood, which raised the server’s CPU to 100%, so Openfire was not working anymore (a real DDoS…) and barely reachable via ssh. When I closed these ports on the firewall, the situation returned to normal, with CPU slowing down to 2-10% and no more garbage in the logs, BUT ofmeeting stopped working (clients were unable to see each other), so I guess that these ports should remain open from the net.

I thought I should try something like fail2ban, but googling around I can’t find how to set up that tool to read SIP records in Openfire’s logs. Anyway, I’ve found that Asterisk’s logs are now crafted in a format that is useful for fail2ban, but I’m not sure that Openfire logs comply with such a format, especially for these SIP records (I’ve found them both in error.log and info.log).

Is anybody around having this problem? And how should I try to solve this?

Thank you very much!

Switch off your Openfire meeting SIP server by adding an Openfire system property:

org.jitsi.videobridge.ofmeet.sip.enabled = "false"

Go to the Openfire admin web page | System Properties and add the new property.

Restart the server after the change.

Dear Dele, thank you very much for your help and for your hard work on ofmeeting!

Your suggestion is working perfectly so far.

Thank you again!

Nik