[asterisk-users] Attack on Sip server.

Jai Rangi jprangi at didforsale.com
Fri Jun 27 11:21:14 CDT 2014


Anurag,

Here is a small script that will check your logs and block the IPs.
http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack

This is good if you don't expect any registrations. If you do have some valid
registrations, you might want to add a counter for how many times an IP needs
to fail, or how many different users an IP is trying to register as, before
blocking the IP.

Jai Rangi
www.didforslae.com



On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189 at gmail.com>
wrote:

>
> Hi All.
>
> Someone is attacking my SIP server.
> There are a lot of requests coming in and I am not able to stop it because I
> am unable to detect the IP address.
> I used wireshark to capture the packets.
>
> Although I am using a very strong password for my SIP users, is there
> still any way to drop these packets and stop this attack?
>
> I tried dropping packets after matching some string (most of the packets
> from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed.
> Packets are still flowing in.
>
> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>
>
> It's something like this:
>
> Registration from '"30" <sp:30 at my_public_ip:5060> failed for
> '192.168.xxx.xxx:6373' - Wrong Password
>
> and there are approx 10 requests per minute of this type.
>
> Please suggest some way to stop this.
>
>
> --
> Anurag Rana
> http://newbie42.blogspot.in/
> On the trampoline of life's experiences, Striving towards a saintly life
> in the midst of these materialistic turbulences.
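The counter suggested in the reply above, as an added example that is not part of the original thread and is not the script linked in the reply. It counts failed registrations per source IP and the number of distinct users each IP tried, then renders block rules for review without executing them. The thresholds, function names, allowlist parameter and the constructed log lines (chan_sip format, documentation address ranges) are assumptions.

```python
import re
from collections import defaultdict

# Matches chan_sip notices shaped like the one quoted in the thread, e.g.
#   Registration from '"30" <sip:30@host:5060>' failed for '198.51.100.7:6373' - Wrong password
FAILED_REG = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)
SIP_USER = re.compile(r"<sips?:([^@>]+)@")

# Thresholds are assumed defaults; tune them to how often real users mistype.
def find_offenders(lines, max_failures=5, max_users=3, allowlist=()):
    """Return {ip: (failures, distinct_users)} for IPs at or over either threshold."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = FAILED_REG.search(line.strip())
        if not m or m["ip"] in allowlist:
            continue  # unrelated line, or a trusted source we never block
        failures[m["ip"]] += 1
        u = SIP_USER.search(m["from"])
        users[m["ip"]].add(u.group(1) if u else m["from"])
    return {
        ip: (n, len(users[ip]))
        for ip, n in failures.items()
        if n >= max_failures or len(users[ip]) >= max_users
    }

def block_commands(offenders):
    """Render iptables rules as text for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

def _line(user, src):
    # Builds one constructed log line for the sample below.
    return (f"[Jun 27 11:21:14] NOTICE[2101] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.1:5060>' failed for '{src}' - Wrong password")

# Constructed sample log, not real traffic.
SAMPLE_LOG = (
    [_line("30", "198.51.100.7:6373")] * 6                            # one user, many failures
    + [_line(u, "203.0.113.9:5071") for u in ("100", "101", "102")]  # many users, one IP
    + [_line("30", "192.0.2.20:5060")] * 2                            # likely a mistyped password
    + ["[Jun 27 11:21:15] VERBOSE[2101] chan_sip.c: Registered SIP '31' at 192.0.2.21:5060"]
)

if __name__ == "__main__":
    for cmd in block_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

The source with only two failures for a single user stays below both thresholds, which is the case the reply's counter is meant to protect.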