[asterisk-users] Attack on Sip server.

Andres andres at telesip.net
Sun Jun 29 19:09:08 CDT 2014


> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>
> It's something like this
>
> Registration from '"30" <sp:30 at my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
>
> and there are approx 10 requests per minute of this type.
>
> Please suggest some way to stop this.

In my experience you need to do 2 things to fix your problem.

#1) Get the real IP address of the attacker.
First you will need to recompile Asterisk to enable the log that shows 
the IP of the attacker.  It apparently is only set for debug so you need 
to edit chan_sip.c

In chan_sip.c

        if (!peer) {
                if (debug) *** <--- delete this line
                        ast_verbose("No matching peer for '%s' from '%s'\n",
                                of, ast_sockaddr_stringify(&p->recv));
        }  *** <--- delete this line



This will enable logs like:
VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080'

#2) Now that you have the IP of the attacker, just use fail2ban to block 
him automatically.  Make sure you test out your rules.  For example the 
above log is detected with fail2ban rule:
VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$



> -- 
> Anurag Rana
> http://newbie42.blogspot.in/
> On the trampoline of life's experiences, Striving towards a saintly 
> life in the midst of these materialistic turbulences.


-- 
Technical Support
http://www.cellroute.net
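As an added illustration of the detection step in Andres's reply (example code written for this page, not taken from his post or from fail2ban itself): the failregex above, run over a few constructed Asterisk log lines, counting hits per source host the way fail2ban's maxretry does. The expansions of fail2ban's %(__pid_re)s and <HOST> placeholders are assumptions noted in the comments.

```python
import re
from collections import Counter

# fail2ban substitutes these placeholders before compiling a failregex.
# Both expansions are assumptions modelled on fail2ban's own definitions,
# not something quoted from the mailing-list post.
PID_RE = r"(?:\[\d+\])"
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the post, with the two placeholders substituted.
FAILREGEX = (
    r"VERBOSE" + PID_RE + r" [^:]+: No matching peer for '[^']*' from '"
    + HOST_RE + r"(:[0-9]+)?'$"
)
FAIL_PATTERN = re.compile(FAILREGEX)


def extract_host(line: str):
    """Return the source host from one Asterisk log line, or None if the
    line is not a 'No matching peer' event. fail2ban strips the leading
    timestamp itself, so search() rather than match() is used here."""
    m = FAIL_PATTERN.search(line)
    return m.group("host") if m else None


def hosts_to_ban(lines, maxretry=3):
    """Count matching lines per host and return, sorted, every host that
    reached maxretry (findtime windowing is omitted for brevity)."""
    counts = Counter(h for h in map(extract_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "[Jun 29 19:00:01] VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '198.51.100.7:5080'",
    "[Jun 29 19:00:02] VERBOSE[24693] chan_sip.c: No matching peer for '1001' from '198.51.100.7:5080'",
    "[Jun 29 19:00:03] VERBOSE[24693] chan_sip.c: No matching peer for '1002' from '198.51.100.7:5080'",
    "[Jun 29 19:00:04] VERBOSE[24693] chan_sip.c: No matching peer for '30' from '203.0.113.9'",
    # The Wrong Password line only carries the NAT-internal address, which is
    # why the post recommends enabling the 'No matching peer' log instead.
    "[Jun 29 19:00:05] NOTICE[24693] chan_sip.c: Registration from '\"30\" <sip:30@203.0.113.1:5060>' failed for '192.168.1.20:6373' - Wrong Password",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # prints ['198.51.100.7']
```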
