Hi all,
I’m trying to understand if I’m the only one with this problem: I installed Openfire 3.10 with ofmeeting two days ago and everything was fine.
Yesterday I found many records in Openfire’s logs, showing MANY attempts coming from several IPs trying to register with Openfire (ofmeeting) SIP ports (5000-6000). Later I discovered that this is done with a script called sipvicious.
Soon these registration attempts became a flood, which raised the server’s CPU to 100%, so Openfire was not working anymore (a real DDoS…) and was barely reachable via ssh. When I closed these ports on the firewall, the situation returned to normal, with CPU slowing down to 2-10% and no more garbage in the logs, BUT ofmeeting stopped working (clients were unable to see each other), so I guess that these ports should remain open from the net.
I thought I should try something like fail2ban, but googling around I can’t find how to set up that tool to read SIP records in Openfire’s logs. Anyway, I’ve found that Asterisk’s logs are now crafted in a format that is useful for fail2ban, but I’m not sure that Openfire logs comply with such a format, especially for these SIP records (I’ve found them both in error.log and info.log).
Is anybody around having this problem? And how should I try to solve this?
Thank you very much!