[asterisk-users] Attack on Sip server.

Mitul Limbani mitul at enterux.in
Fri Jun 27 12:35:09 CDT 2014


No way out. Fix your gateway, which is masquerading out-to-in traffic.

And do some research, as others mentioned, instead of expecting a quick fix.

Mitul
On 27-Jun-2014 10:45 PM, "Anurag Rana" <anuragrana31189 at gmail.com> wrote:

> Can't use anything which blocks IP addresses, because my system is behind a
> gateway and the attacker's traffic gets the address of that gateway. In this
> way I will end up blocking myself.
>
> Please suggest something else.
>
>
> On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana <anuragrana31189 at gmail.com>
> wrote:
>
>> Right, Mitul. The system is behind some gateway.
>>
>>
>> On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mitul at enterux.in> wrote:
>>
>>> I think your asterisk server is behind a firewall or some sort of NAT
>>> where the out-to-in packets are getting masqueraded with the local or DMZ IP
>>> of your firewall / gateway box.
>>>
>>> Fix this first to get fail2ban to detect the correct public IP.
>>>
>>> Otherwise fail2ban will ban your local GW IP, due to which you won't be
>>> able to access the box even from your local network for ssh.
>>>
>>> Hope you know how to fix the firewall SNAT.
>>>
>>> Mitul
>>> On 27-Jun-2014 9:51 PM, "Jai Rangi" <jprangi at didforsale.com> wrote:
>>>
>>>> Anurag,
>>>>
>>>> Here is a small script that will check your logs and block the IPs.
>>>>
>>>> http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>>>>
>>>> This is good if you don't expect any registrations. If you do have some
>>>> valid registrations, you might want to add some counter to see how many
>>>> times an IP needs to fail, or how many different users an IP is trying to
>>>> register as, before blocking the IP.
>>>>
>>>> Jai Rangi
>>>> www.didforsale.com
>>>>
>>>>
>>>>
>>>> On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189 at gmail.com> wrote:
>>>>
>>>>>
>>>>> Hi All.
>>>>>
>>>>> Someone is attacking my SIP server.
>>>>> There are a lot of requests coming in and I am not able to stop it,
>>>>> because I am unable to detect the IP address.
>>>>> I used Wireshark to capture the packets.
>>>>>
>>>>> Although I am using very strong passwords for my SIP users, is there
>>>>> still any way to drop these packets and stop this attack?
>>>>>
>>>>> I tried dropping packets after matching some string (most of the
>>>>> packets from the attacker contain the string 'VaxSIPUserAgent/3.1'), but
>>>>> it failed. Packets are still flowing in.
>>>>>
>>>>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>>>>
>>>>>
>>>>> It's something like this:
>>>>>
>>>>> Registration from '"30" <sp:30 at my_public_ip:5060> failed for
>>>>> '192.168.xxx.xxx:6373' - Wrong Password
>>>>>
>>>>> and there are approx. 10 requests per minute of this type.
>>>>>
>>>>> Please suggest some way to stop this.
>>>>>
>>>>>
>>>>> --
>>>>> Anurag Rana
>>>>> http://newbie42.blogspot.in/
>>>>> On the trampoline of life's experiences, Striving towards a saintly
>>>>> life in the midst of these materialistic turbulences.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> _____________________________________________________________________
>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>>>                http://www.asterisk.org/hello
>>>>>
>>>>> asterisk-users mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
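An added example (not part of the thread or Jai's script) that puts the two points above together: count failures and distinct usernames per source before acting, as Jai suggests, and refuse to ban an RFC 1918 source that is over threshold, since in the situation Mitul describes that address is the masquerading gateway and banning it locks out the LAN. The log lines, IPs and thresholds are constructed; the line format follows the "Registration from ... failed for ... - Wrong Password" notice quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the chan_sip NOTICE line quoted in the thread; case-insensitive
# because newer Asterisk versions log "Wrong password".
LOG_RE = re.compile(r"Registration from '(?P<hdr>.*?)' failed for '(?P<src>[^']+)' - Wrong Password", re.I)
USER_RE = re.compile(r"<sip:(?P<user>[^@]+)@")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def _line(user, src):
    # One constructed log line in the thread's format (203.0.113.10 stands in for the PBX's public IP).
    return (f"[Jun 27 22:01:00] NOTICE[1234] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@203.0.113.10:5060>' failed for '{src}' - Wrong Password")

# Constructed sample: one public source trying four usernames, a private source
# (the NAT gateway, as in the thread) with many failures, and a one-off failure.
SAMPLE_LOG = "\n".join(
    [_line("30", "198.51.100.7:6373")] * 2
    + [_line(u, "198.51.100.7:6373") for u in ("31", "32", "33")]
    + [_line("30", "192.168.1.1:6373")] * 6
    + [_line("30", "198.51.100.9:5060")]
)

def parse_failures(log_text):
    """Yield (source_ip, username) for every failed-registration line."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            u = USER_RE.search(m.group("hdr"))
            yield m.group("src").rsplit(":", 1)[0], (u.group("user") if u else "?")

def classify_sources(log_text, max_failures=5, max_users=3):
    """Map each source IP to 'ok', 'ban' or 'nat-suspect'. A source is over
    threshold at max_failures failures or max_users distinct usernames; an
    over-threshold RFC 1918 address is flagged rather than banned, because it
    is probably the masquerading gateway and banning it locks out the LAN."""
    fails, users = defaultdict(int), defaultdict(set)
    for ip, user in parse_failures(log_text):
        fails[ip] += 1
        users[ip].add(user)
    verdicts = {}
    for ip in fails:
        over = fails[ip] >= max_failures or len(users[ip]) >= max_users
        verdicts[ip] = "ok" if not over else ("nat-suspect" if is_rfc1918(ip) else "ban")
    return verdicts
```

A 'nat-suspect' verdict is the signal that the gateway's SNAT needs fixing before any automatic banning is useful; feed the 'ban' verdicts to iptables or fail2ban only once sources show their real public addresses.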