[asterisk-users] Attack on Sip server.

Prakash N prakash.n at tevatel.com
Fri Jun 27 11:54:44 CDT 2014


Fail2ban installation
http://striker24x7.blogspot.in/2011/07/fail2ban-in-asterisk.html?m=1

Iptables
http://striker24x7.blogspot.in/2014/03/simple-iptables-script.html?m=1
With regards

N.Prakash
 ------------------------------
From: Anurag Rana <anuragrana31189 at gmail.com>
Sent: 27-06-2014 08:22 PM
To: Prakash N <prakash.n at tevatel.com>
Cc: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] Attack on Sip server.

Both Rules* (typo in last mail)


On Fri, Jun 27, 2014 at 8:19 PM, Anurag Rana <anuragrana31189 at gmail.com>
wrote:

> I added bot rules TCP as well as UDP.  Still not working.
>
> How will changing the SIP listen port prevent it? Please explain.
>
> I will try fail2ban.
>
>
> On Fri, Jun 27, 2014 at 8:16 PM, Prakash N <prakash.n at tevatel.com> wrote:
>
>>  Hi,
>>
>> Install fail2ban and change the SIP listen port to avoid the attack
>>
>> With regards
>>
>> N.Prakash
>>  ------------------------------
>> From: Anurag Rana <anuragrana31189 at gmail.com>
>> Sent: 27-06-2014 08:07 PM
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>> <asterisk-users at lists.digium.com>
>> Subject: [asterisk-users] Attack on Sip server.
>>
>>
>> Hi All.
>>
>> Someone is attacking my SIP server.
>> There are a lot of requests coming in and I am not able to stop them because
>> I am unable to detect the IP address.
>> I used Wireshark to capture the packets.
>>
>> Although I am using a very strong password for my SIP users, is there
>> still any way to drop these packets and stop this attack?
>>
>> I tried dropping packets after matching some string (most of the packets
>> from the attacker contain the string 'VaxSIPUserAgent/3.1'), but it failed.
>> Packets are still flowing in.
>>
>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>
>>
>> It's something like this
>>
>> Registration from '"30" <sp:30 at my_public_ip:5060> failed for
>> '192.168.xxx.xxx:6373' - Wrong Password
>>
>> and there are approximately 10 requests per minute of this type.
>>
>> Please suggest some way to stop this.
>>
>>
>> --
>> Anurag Rana
>> http://newbie42.blogspot.in/
>> On the trampoline of life's experiences, Striving towards a saintly life
>> in the midst of these materialistic turbulences.
>>
>>
>>
>
>
> --
> Anurag Rana
> http://newbie42.blogspot.in/
> On the trampoline of life's experiences, Striving towards a saintly life
> in the midst of these materialistic turbulences.
>
>
>


-- 
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in
the midst of these materialistic turbulences.
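
The fail2ban approach recommended in this thread comes down to counting failed registrations per source address inside a time window and blocking any address that crosses a threshold. The sketch below is an added example, not part of the original messages and not fail2ban's own code. The `%Y-%m-%d %H:%M:%S` log timestamp, the sample lines, the documentation addresses, the thresholds and all function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Asterisk log layout: "[YYYY-MM-DD HH:MM:SS] ... Registration from
# '<from>' failed for '<ip>:<port>' - <reason>"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\].*"
    r"Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def make_sample():
    """Constructed log: one noisy host (10 failures in a minute, the rate
    reported in the thread) and one user who mistypes a password twice."""
    fmt = ("[2014-06-27 20:{m:02d}:{s:02d}] NOTICE[1234] chan_sip.c: "
           "Registration from '\"30\" <sip:30@pbx.example:5060>' "
           "failed for '{ip}:6373' - Wrong password")
    lines = [fmt.format(m=7, s=6 * i, ip="203.0.113.7") for i in range(10)]
    lines += [fmt.format(m=m, s=0, ip="198.51.100.20") for m in (1, 30)]
    lines.append("[2014-06-27 20:07:10] VERBOSE[1234] pbx.c: unrelated line")
    return "\n".join(lines)

def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: peak failures} for hosts with >= maxretry failures
    inside any sliding window of length findtime."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a failed-registration line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(window))
    return offenders

def ban_rules(offenders):
    """Render one source-address DROP rule per offending host."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in ban_rules(find_offenders(make_sample())):
        print(rule)
```

Blocking on the source address taken from the server's own log does not depend on packet contents or on the transport protocol, unlike a string-match rule.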