<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:#000000">Both Rules* (typo in last mail)</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 27, 2014 at 8:19 PM, Anurag Rana <span dir="ltr"><<a href="mailto:anuragrana31189@gmail.com" target="_blank">anuragrana31189@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:#000000">I added bot rules TCP as well as UDP. Still not working.</div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:#000000">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#000000">How changing SIP listen port will prevent it. Please explain.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#000000">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:#000000">I will try fail2band.</div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Fri, Jun 27, 2014 at 8:16 PM, Prakash N <span dir="ltr"><<a href="mailto:prakash.n@tevatel.com" target="_blank">prakash.n@tevatel.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">Hi,<br><br>Install fail2band and change sip listen port to avoid attack<br><br>With regards <br><span><font color="#888888"><br>N.Prakash</font></span></div>
</div><span><font color="#888888">
<div dir="ltr">
<hr>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">From: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:anuragrana31189@gmail.com" target="_blank">Anurag Rana</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Sent: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">27-06-2014 08:07 PM</span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">To: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a href="mailto:asterisk-users@lists.digium.com" target="_blank">Asterisk Users Mailing List - Non-Commercial Discussion</a></span><br>
<span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Subject: </span><span style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">[asterisk-users] Attack on Sip server.</span><br><br></div></font></span></div>
<div><div>
<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br clear="all"></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Hi All.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Someone is attacking on my SIP server.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
There are lot of requests coming in and I am not able to stop it because I am unable to detect the IP address. </div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I used wireshark to capture the packets.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Although I am using very strong password for my SIP users but still is there any way to drop these packets and stop this attack.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I tried dropping packet after matching some string (most of the packets from attacker contains string 'VaxSIPUserAgent/3.1' ) but it failed. Packets are still flowing in. </div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><pre style="font-size:medium"><font color="#0000ff">iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP</font></pre>
</div><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Its something like this</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><font color="#0000ff">Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password</font></div>
<br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">and there are approx 10 request per minute of this type.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Please suggest some way to stop this.</div><br></div><div><br></div>-- <br><div dir="ltr"><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><font size="4"><font size="4"><font face="verdana,sans-serif"><font>Anurag Rana <br>
<font size="1"><span style="color:rgb(56,118,29)"><a href="http://newbie42.blogspot.in/" target="_blank">http://newbie42.blogspot.in/</a></span><br><span style="color:rgb(106,168,79)">On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.</span></font><br>
</font><br></font></font></font></font></span><div><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><br></font></span></div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div dir="ltr"><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><font size="4"><font size="4"><font face="verdana,sans-serif"><font>Anurag Rana <br>
<font size="1"><span style="color:rgb(56,118,29)"><a href="http://newbie42.blogspot.in/" target="_blank">http://newbie42.blogspot.in/</a></span><br><span style="color:rgb(106,168,79)">On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.</span></font><br>
</font><br></font></font></font></font></span><div><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><br></font></span></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><font size="4"><font size="4"><font face="verdana,sans-serif"><font>Anurag Rana <br>
<font size="1"><span style="color:rgb(56,118,29)"><a href="http://newbie42.blogspot.in/" target="_blank">http://newbie42.blogspot.in/</a></span><br><span style="color:rgb(106,168,79)">On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.</span></font><br>
</font><br></font></font></font></font></span><div><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><br></font></span></div></div>
</div>