[asterisk-users] Attack on Sip server.

Anurag Rana anuragrana31189 at gmail.com
Fri Jun 27 12:15:37 CDT 2014


Can't use anything which blocks IP addresses because my system is behind a
gateway and the attacker gets the address of that gateway. In this way I will
end up blocking myself.

Please suggest something else.


On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana <anuragrana31189 at gmail.com>
wrote:

> Right Mitul. System is behind some gateway.
>
>
> On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mitul at enterux.in> wrote:
>
>> I think your asterisk server is behind a firewall or some sort of NAT where
>> the out-to-in packets are getting masqueraded with the local or DMZ IP of your
>> firewall / gateway box.
>>
>> Fix this first to get fail2ban to detect the correct public IP.
>>
>> Otherwise fail2ban will ban your local GW IP, due to which you won't be
>> able to access the box even from your local network for ssh.
>>
>> Hope you know how to fix the firewall SNAT.
>>
>> Mitul
>> On 27-Jun-2014 9:51 PM, "Jai Rangi" <jprangi at didforsale.com> wrote:
>>
>>> Anurag,
>>>
>>> Here is a small script that will check your logs and will block the IPs.
>>> http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>>>
>>> This is good if you don't expect any registration. If you do have some
>>> valid registrations, you might want to add some counter to see how many times
>>> an IP needs to fail or how many different users an IP is trying to register as
>>> before blocking the IP.
>>>
>>> Jai Rangi
>>> www.didforslae.com
>>>
>>>
>>>
>>> On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189 at gmail.com>
>>> wrote:
>>>
>>>>
>>>> Hi All.
>>>>
>>>> Someone is attacking my SIP server.
>>>> There are a lot of requests coming in and I am not able to stop it
>>>> because I am unable to detect the IP address.
>>>> I used wireshark to capture the packets.
>>>>
>>>> Although I am using a very strong password for my SIP users, is there
>>>> still any way to drop these packets and stop this attack?
>>>>
>>>> I tried dropping packets after matching some string (most of the packets
>>>> from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed.
>>>> Packets are still flowing in.
>>>>
>>>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>>>
>>>>
>>>> It's something like this
>>>>
>>>> Registration from '"30" <sp:30 at my_public_ip:5060> failed for
>>>> '192.168.xxx.xxx:6373' - Wrong Password
>>>>
>>>> and there are approx 10 requests per minute of this type.
>>>>
>>>> Please suggest some way to stop this.
>>>>
>>>>
>>>> --
>>>> Anurag Rana
>>>> http://newbie42.blogspot.in/
>>>> On the trampoline of life's experiences, Striving towards a saintly
>>>> life in the midst of these materialistic turbulences.
>>>>
>>>>
>>>>
>>>> --
>>>> _____________________________________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>>                http://www.asterisk.org/hello
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
> --
> Anurag Rana
> http://newbie42.blogspot.in/
> On the trampoline of life's experiences, Striving towards a saintly life
> in the midst of these materialistic turbulences.
>
>
>


-- 
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in
the midst of these materialistic turbulences.
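
Added example, not part of the original thread or of any poster's script: a Python sketch of the counter suggested above (failures per source and distinct usernames tried), which also marks a source inside RFC 1918 space as a NAT problem rather than a block candidate, since banning the gateway address locks out local users. The thresholds, function names and sample log lines are assumptions; the line format is the chan_sip notice quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# chan_sip failed-registration notice, as quoted in the thread.
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\" )?<sips?:(?P<user>[^@>]+)@[^>]+>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize(lines):
    """Return {source_ip: {"failures": count, "users": set of usernames}}."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        m = FAILED.search(line.strip())
        if m:
            stats[m["ip"]]["failures"] += 1
            stats[m["ip"]]["users"].add(m["user"])
    return dict(stats)

def decide(stats, max_failures=5, max_users=3):
    """Classify each source as ok / block / fix-nat (thresholds are assumed)."""
    verdicts = {}
    for ip, s in stats.items():
        over = s["failures"] >= max_failures or len(s["users"]) >= max_users
        if not over:
            verdicts[ip] = "ok"
        elif any(ipaddress.ip_address(ip) in net for net in RFC1918):
            # The logged source is the masquerading gateway, not the attacker.
            verdicts[ip] = "fix-nat"
        else:
            verdicts[ip] = "block"
    return verdicts

def _line(user, src):
    # Builds one constructed log line; 203.0.113.5 stands in for the server IP.
    return ("[Jun 27 12:00:01] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@203.0.113.5:5060>' "
            f"failed for '{src}:6373' - Wrong password")

# Constructed sample input: gateway-masked scan, one public source, one typo.
SAMPLE = ([_line(u, "192.168.1.1") for u in ("30", "31", "100", "101")]
          + [_line("30", "198.51.100.7")] * 5
          + [_line("2001", "203.0.113.20")])

if __name__ == "__main__":
    for ip, verdict in decide(summarize(SAMPLE)).items():
        print(ip, verdict)
```

A "fix-nat" verdict means the addresses in the log cannot be acted on until the gateway stops rewriting the source address of inbound SIP traffic.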