[asterisk-users] Attack on Sip server.

Ron Wheeler rwheeler at artifact-software.com
Fri Jun 27 10:27:48 CDT 2014


+1 fail2ban
Very easy and very effective.
On 27/06/2014 10:52 AM, Anurag Rana wrote:
> Both Rules* (typo in last mail)
>
>
> On Fri, Jun 27, 2014 at 8:19 PM, Anurag Rana 
> <anuragrana31189 at gmail.com> wrote:
>
>     I added bot rules TCP as well as UDP.  Still not working.
>
>     How will changing the SIP listen port prevent it? Please explain.
>
>     I will try fail2ban.
>
>
>     On Fri, Jun 27, 2014 at 8:16 PM, Prakash N
>     <prakash.n at tevatel.com> wrote:
>
>         Hi,
>
>         Install fail2ban and change the SIP listen port to avoid the attack.
>
>         With regards
>
>         N.Prakash
>         ------------------------------------------------------------------------
>         From: Anurag Rana <anuragrana31189 at gmail.com>
>         Sent: 27-06-2014 08:07 PM
>         To: Asterisk Users Mailing List - Non-Commercial Discussion
>         <asterisk-users at lists.digium.com>
>         Subject: [asterisk-users] Attack on Sip server.
>
>
>         Hi All.
>
>         Someone is attacking my SIP server.
>         There are a lot of requests coming in and I am not able to stop
>         them because I am unable to detect the IP address.
>         I used wireshark to capture the packets.
>
>         Although I am using very strong passwords for my SIP users,
>         is there any way to drop these packets and stop this attack?
>
>         I tried dropping packet after matching some string (most of
>         the packets from attacker contains string
>         'VaxSIPUserAgent/3.1' ) but it failed. Packets are still
>         flowing in.
>
>         iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>
>
>         It's something like this
>
>         Registration from '"30" <sp:30 at my_public_ip:5060> failed for
>         '192.168.xxx.xxx:6373' - Wrong Password
>
>         and there are approx. 10 requests per minute of this type.
>
>         Please suggest some way to stop this.
>
>
>         -- 
>         Anurag Rana
>         http://newbie42.blogspot.in/
>         On the trampoline of life's experiences, Striving towards a
>         saintly life in the midst of these materialistic turbulences.
>


-- 
Ron Wheeler
President
Artifact Software Inc
email: rwheeler at artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
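
Added example, not part of the original thread and not fail2ban's own code: a sketch of the check fail2ban applies to the "Registration from ... failed for ..." notices quoted above, counting failures per source address inside a time window and listing the addresses that reach a threshold. The log lines, addresses (documentation ranges), `max_retry` and `find_time` values are constructed, and the timestamp format assumes `dateformat=%F %T` in Asterisk's logger.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Asterisk chan_sip failed-registration notice, as quoted in the thread.
# Both .* are greedy, so the address is taken from the LAST "failed for",
# which Asterisk writes, not from the client-controlled From header.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Registration from '(?P<user>.*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def ban_candidates(lines, max_retry=5, find_time=timedelta(minutes=10)):
    """Return {ip: peak failure count} for sources that reach max_retry
    failures within find_time. Lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue              # not a failed registration
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(window))
    return flagged

# Constructed sample: one source failing every 6 seconds (about the rate
# described in the thread) and one user who mistypes twice, 29 minutes apart.
SAMPLE_LOG = [
    f"[2014-06-27 20:00:{s:02d}] NOTICE[2211] chan_sip.c: Registration from "
    f"'\"30\" <sip:30@203.0.113.5:5060>' failed for '198.51.100.7:6373' - Wrong password"
    for s in range(0, 36, 6)
] + [
    "[2014-06-27 20:01:00] NOTICE[2211] chan_sip.c: Registration from "
    "'\"101\" <sip:101@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password",
    "[2014-06-27 20:30:00] NOTICE[2211] chan_sip.c: Registration from "
    "'\"101\" <sip:101@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password",
    "[2014-06-27 20:31:00] VERBOSE[2211] chan_sip.c: Registered SIP '101' at 192.0.2.10:5060",
]

if __name__ == "__main__":
    for ip, count in ban_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed registrations within the window")
```

fail2ban performs the same counting continuously against the live log and inserts the firewall rule itself, so the source address never has to be picked out of a packet capture by hand.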
