[asterisk-users] Playing with sipvicious ..
hh174
olivier.taylor at gmail.com
Thu Jun 2 11:43:07 CDT 2011
Well,
About sipvicious, just put a kamailio in front of asterisk and just drop
all messages with user agents corresponding to these messages.
Sipvicious first sends OPTIONS messages; read the user agent and drop if
it's corresponding to one of the user agents well known to be used.
In Kamailio (to be updated) I have:
### Country check
if (is_method("OPTIONS") || is_method("REGISTER")) {
    # Look up the country of the source IP ($si) in the GeoLiteCity tables
    # and store the result in $avp(s:countryCode)
    avp_db_query("SELECT sql_cache country FROM ip_country inner join GeoLiteCity on GeoLiteCity.locId = ip_country.locId WHERE MBRCONTAINS(ip_poly, POINTFROMWKB(POINT(INET_ATON('$si'), 0))) limit 1;", "$avp(s:countryCode)");
    if ($avp(s:countryCode) != "BE" && $avp(s:countryCode) != "FR" &&
        $avp(s:countryCode) != "LU" && $avp(s:countryCode) != "MA" &&
        $avp(s:countryCode) != "ES" && $avp(s:countryCode) != "IT" &&
        $avp(s:countryCode) != "DE") {
        # Log only: requests from other countries are not dropped here
        xlog("L_NOTICE", "------------------> Probable Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm");
    }
}
### Hackers check
# Known scanner User-Agents: log, then drop the request without any answer
if ($ua == "friendly-scanner") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "sundayddr") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "sip-scan") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "iWar") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "sipsak") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
When sipvicious doesn't receive an answer, it stops scanning the server :)
Best regards,
Olivier
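The two checks in the Kamailio config above (country of the source address, then a list of known scanner User-Agents that are dropped without any reply) as an added, stand-alone Python example; this is not Olivier's config and not Kamailio code. It parses SIP request headers, applies the same rules in the same order, and for a dropped request returns no response at all, which is the behaviour the post relies on. The GeoIP lookup (FAKE_GEOIP, fake_country_lookup), the sample messages and the helper names (parse_sip_request, evaluate, handle) are constructed for this example; an address the lookup does not know is treated as outside the allow list, which is one reading of what the unset AVP does in the original.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# User-Agent strings dropped by the Kamailio rules in the post.
SCANNER_USER_AGENTS = {"friendly-scanner", "sundayddr", "sip-scan", "iWar", "sipsak"}
# Country codes the post's rules treat as expected for OPTIONS/REGISTER.
ALLOWED_COUNTRIES = {"BE", "FR", "LU", "MA", "ES", "IT", "DE"}

# Constructed stand-in for the GeoLiteCity table (RFC 5737 documentation addresses).
FAKE_GEOIP = {"192.0.2.10": "BE", "198.51.100.7": "US"}


def fake_country_lookup(ip: str) -> Optional[str]:
    """Stub for the MySQL/GeoLiteCity query in the post; None when the address is unknown."""
    return FAKE_GEOIP.get(ip)


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict = field(default_factory=dict)  # lower-cased header name -> value


def parse_sip_request(raw: bytes) -> SipRequest:
    """Parse the request line and headers of a SIP request (RFC 3261: CRLF line ends,
    blank line ends the headers). The body, if any, is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", request_line)
    if m is None:
        raise ValueError(f"not a SIP request line: {request_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return SipRequest(method=m.group(1), request_uri=m.group(2), headers=headers)


def evaluate(req: SipRequest, source_ip: str,
             country_lookup: Callable[[str], Optional[str]]):
    """Apply the post's two checks in order. Returns (action, log_lines); action is 'drop' or 'pass'."""
    logs = []
    ua = req.headers.get("user-agent")
    fu = req.headers.get("from", req.headers.get("f"))  # 'f' is the compact form of From
    country = None
    if req.method in ("OPTIONS", "REGISTER"):
        country = country_lookup(source_ip)
        # Country check only logs; it never drops (same as the config in the post).
        if country not in ALLOWED_COUNTRIES:
            logs.append(f"Probable Attack attempt from countrycode : {country} - "
                        f"{source_ip} - {fu} - {ua} - {req.method}")
    if ua in SCANNER_USER_AGENTS:
        logs.append(f"Attack attempt from countrycode : {country} - "
                    f"{source_ip} - {fu} - {ua} - {req.method} - DROP")
        return "drop", logs
    return "pass", logs


def build_options_response(req: SipRequest) -> bytes:
    """Minimal 200 OK to an OPTIONS request, echoing the headers a reply must copy."""
    echoed = {"via": "Via", "from": "From", "to": "To", "call-id": "Call-ID", "cseq": "CSeq"}
    lines = ["SIP/2.0 200 OK"]
    for key, name in echoed.items():
        if key in req.headers:
            lines.append(f"{name}: {req.headers[key]}")
    lines.append("Content-Length: 0")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def handle(raw: bytes, source_ip: str, country_lookup=fake_country_lookup):
    """Returns (action, response_or_None, logs). A dropped request gets no answer at all,
    which is what makes sipvicious give up on the host."""
    req = parse_sip_request(raw)
    action, logs = evaluate(req, source_ip, country_lookup)
    if action == "drop":
        return action, None, logs
    response = build_options_response(req) if req.method == "OPTIONS" else None
    return action, response, logs


# Constructed sample traffic (not captured data).
SCANNER_OPTIONS = (b"OPTIONS sip:100@192.0.2.1 SIP/2.0\r\n"
                   b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed1\r\n"
                   b"From: <sip:100@198.51.100.7>;tag=c1\r\nTo: <sip:100@192.0.2.1>\r\n"
                   b"Call-ID: constructed-1\r\nCSeq: 1 OPTIONS\r\n"
                   b"User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n")
LEGIT_OPTIONS = (b"OPTIONS sip:pbx@192.0.2.1 SIP/2.0\r\n"
                 b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed2\r\n"
                 b"From: <sip:trunk@192.0.2.10>;tag=c2\r\nTo: <sip:pbx@192.0.2.1>\r\n"
                 b"Call-ID: constructed-2\r\nCSeq: 1 OPTIONS\r\n"
                 b"User-Agent: Asterisk PBX\r\nContent-Length: 0\r\n\r\n")
UNKNOWN_REGISTER = (b"REGISTER sip:192.0.2.1 SIP/2.0\r\n"
                    b"Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-constructed3\r\n"
                    b"From: <sip:201@192.0.2.1>;tag=c3\r\nTo: <sip:201@192.0.2.1>\r\n"
                    b"Call-ID: constructed-3\r\nCSeq: 1 REGISTER\r\n"
                    b"User-Agent: SomeSoftphone/1.0\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for raw, ip in ((SCANNER_OPTIONS, "198.51.100.7"), (LEGIT_OPTIONS, "192.0.2.10"),
                    (UNKNOWN_REGISTER, "203.0.113.5")):
        action, response, logs = handle(raw, ip)
        print(ip, action, "reply" if response else "no reply", logs)
```

The User-Agent header is set by the sender, so this list catches only scanners that announce themselves; Paul's question in the quoted reply (what happens when the attackers change something) applies here, and the country log line is the second signal that keeps working when the string changes.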
On 2/06/11 17:06, Paul Hayes wrote:
> On 01/06/11 16:13, Allen David Niven wrote:
>> what does ossec give you that fail2ban does not?
>> thx and cheers
>>
>>
>
> Replied to list so others can find this in the future if they want to.
>
> I haven't spent a lot of time investigating fail2ban as I was already
> using ossec before I saw much talk about fail2ban with Asterisk.
>
> Anyway as far as I can see my main advantage is that OSSEC has
> multiple levels of incidents. So I can create rules to send emails
> out for unusual activity that might not necessarily require an IP
> block but needs checking out.
>
> My fear with something that just watches Asterisk logs for a very
> specific known attack metric and then blocks IP(s) based on that is
> what happens when the attackers start doing something different?
>
> Fail2ban may well do all this as well, I don't know but I find OSSEC
> does it very well and the XML rules and log decoders are very versatile.
>
> cheers,
> Paul.
>