[asterisk-users] Attack on Sip server.

Anurag Rana anuragrana31189 at gmail.com
Fri Jun 27 11:54:55 CDT 2014


Right Mitul. System is behind some gateway.


On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mitul at enterux.in> wrote:

> I think your asterisk server is behind firewall or some sort of NAT where
> the out to in packets are getting masqueraded with local or DMZ IP of your
> firewall / gateway box.
>
> Fix this first to get fail2ban detect the correct public IP.
>
> Otherwise fail2ban will ban your local GW IP due to which you won't be
> able to access the box even from your local network for ssh.
>
> Hope u know how to fix the firewall snat.
>
> Mitul
> On 27-Jun-2014 9:51 PM, "Jai Rangi" <jprangi at didforsale.com> wrote:
>
>> Anurag,
>>
>> Here is small script, that will check your logs and will block the IPs.
>> http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>>
>> This is good if you don't expect any registration. If you do have some
>> valid registrations, you might want to add some counter to see how many
>> times an IP needs to fail or how many different users an IP is trying to
>> register as before blocking the IP.
>>
>> Jai Rangi
>> www.didforslae.com
>>
>>
>>
>> On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189 at gmail.com>
>> wrote:
>>
>>>
>>> Hi All.
>>>
>>> Someone is attacking my SIP server.
>>> There are a lot of requests coming in and I am not able to stop it because
>>> I am unable to detect the IP address.
>>> I used wireshark to capture the packets.
>>>
>>> Although I am using a very strong password for my SIP users, is there
>>> still any way to drop these packets and stop this attack?
>>>
>>> I tried dropping packets after matching some string (most of the packets
>>> from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed.
>>> Packets are still flowing in.
>>>
>>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>>
>>>
>>> It's something like this:
>>>
>>> Registration from '"30" <sp:30 at my_public_ip:5060> failed for
>>> '192.168.xxx.xxx:6373' - Wrong Password
>>>
>>> and there are approx 10 requests per minute of this type.
>>>
>>> Please suggest some way to stop this.
>>>
>>>
>>> --
>>> Anurag Rana
>>> http://newbie42.blogspot.in/
>>> On the trampoline of life's experiences, Striving towards a saintly life
>>> in the midst of these materialistic turbulences.
>>>
>>>
>>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>                http://www.asterisk.org/hello
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>>>
>>
>>
>>
>
>



-- 
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in
the midst of these materialistic turbulences.