[asterisk-users] Attack on Sip server.

Mitul Limbani mitul at enterux.in
Fri Jun 27 11:36:34 CDT 2014


I think your Asterisk server is behind a firewall or some sort of NAT where
the out-to-in packets are getting masqueraded with the local or DMZ IP of your
firewall / gateway box.

Fix this first to get fail2ban to detect the correct public IP.

Otherwise fail2ban will ban your local GW IP, due to which you won't be able
to access the box even from your local network for ssh.

Hope you know how to fix the firewall SNAT.

Mitul
On 27-Jun-2014 9:51 PM, "Jai Rangi" <jprangi at didforsale.com> wrote:

> Anurag,
>
> Here is a small script that will check your logs and will block the IPs.
> http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>
> This is good if you don't expect any registration. If you do have some
> valid registration, you might want to add some counter to see how many times
> an IP needs to fail or how many different users the IP is trying to register
> on before blocking the IP.
>
> Jai Rangi
> www.didforslae.com
>
>
>
> On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189 at gmail.com>
> wrote:
>
>>
>> Hi All.
>>
>> Someone is attacking my SIP server.
>> There are a lot of requests coming in and I am not able to stop them because
>> I am unable to detect the IP address.
>> I used Wireshark to capture the packets.
>>
>> Although I am using very strong passwords for my SIP users, is
>> there any way to drop these packets and stop this attack?
>>
>> I tried dropping packets after matching some string (most of the packets
>> from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed.
>> Packets are still flowing in.
>>
>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>
>>
>> It's something like this:
>>
>> Registration from '"30" <sp:30 at my_public_ip:5060> failed for
>> '192.168.xxx.xxx:6373' - Wrong Password
>>
>> and there are approx. 10 requests per minute of this type.
>>
>> Please suggest some way to stop this.
>>
>>
>> --
>> Anurag Rana
>> http://newbie42.blogspot.in/
>> On the trampoline of life's experiences, Striving towards a saintly life
>> in the midst of these materialistic turbulences.
>>
>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>                http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>
>
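
The two checks discussed in this thread, as an added example that is not part of the original messages or of the linked script: count failed registrations and distinct usernames per source IP before blocking, and set aside RFC 1918 sources, which indicate the gateway is masquerading the real address and must not be banned. The function name triage, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges: a failure "from" one of these on an Internet-facing
# server means the gateway rewrote the source address (SNAT/masquerade).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches chan_sip "Registration from ... failed for ..." log lines.
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sips?:(?P<user>[^@>]+)@[^>]*>'? "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'")

def triage(lines, max_failures=5, max_users=3):
    """Return (ban, masked): public IPs over either threshold, and
    private source IPs to leave alone until the NAT is fixed."""
    failures, users = defaultdict(int), defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # malformed address, ignore the line
            continue
        failures[ip] += 1
        users[ip].add(m["user"])
    ban, masked = set(), set()
    for ip, count in failures.items():
        if any(ip in net for net in RFC1918):
            masked.add(str(ip))  # banning this would lock out the LAN
        elif count >= max_failures or len(users[ip]) >= max_users:
            ban.add(str(ip))
    return ban, masked

# Constructed sample log lines using documentation-range addresses.
LINE = ("NOTICE[2101] chan_sip.c: Registration from '\"{u}\" <sip:{u}@203.0.113.10:5060>' "
        "failed for '{src}' - Wrong password")
SAMPLE = (
    [LINE.format(u=30, src=f"192.168.1.1:{6373 + i}") for i in range(10)]
    + [LINE.format(u=u, src="198.51.100.7:5071") for u in (100, 101, 102)]
    + [LINE.format(u=30, src="198.51.100.20:5060")]
)

if __name__ == "__main__":
    ban, masked = triage(SAMPLE)
    print("ban:", sorted(ban))
    print("NAT-masked, fix SNAT first:", sorted(masked))
```
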