[asterisk-users] Attack on Sip server.
Anurag Rana
anuragrana31189 at gmail.com
Fri Jun 27 12:43:47 CDT 2014
Ok. Thanks. :)
On Fri, Jun 27, 2014 at 11:05 PM, Mitul Limbani <mitul at enterux.in> wrote:
> No way out. Fix ur gateway which is masquerading out to in traffic.
>
> And do some research as others mentioned instead of expecting quick fix.
>
> Mitul
> On 27-Jun-2014 10:45 PM, "Anurag Rana" <anuragrana31189 at gmail.com> wrote:
>
>> Can't use anything which block IP addresses because my system is behind a
>> gateway and attacker gets the address of that gateway. In this way I will
>> end up blocking myself.
>>
>> Please suggest something else.
>>
>>
>> On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana <anuragrana31189 at gmail.com>
>> wrote:
>>
>>> Right Mitul. System is behind some gateway.
>>>
>>>
>>> On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mitul at enterux.in>
>>> wrote:
>>>
>>>> I think your asterisk server is behind firewall or some sort of NAT
>>>> where the out to in packets are getting masqueraded with local or DMZ IP
>>>> of your firewall / gateway box.
>>>>
>>>> Fix this first to get fail2ban detect the correct public IP.
>>>>
>>>> Otherwise fail2ban will ban your local GW IP due to which you won't be
>>>> able to access the box even from your local network for ssh.
>>>>
>>>> Hope u know how to fix the firewall snat.
>>>>
>>>> Mitul
>>>> On 27-Jun-2014 9:51 PM, "Jai Rangi" <jprangi at didforsale.com> wrote:
>>>>
>>>>> Anurag,
>>>>>
>>>>> Here is small script, that will check your logs and will block the
>>>>> IPs.
>>>>>
>>>>> http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>>>>>
>>>>> This is good if you dont expect any registration. If you do have some
>>>>> valid registration, you might want to add some counter to see how time IP
>>>>> need to fail or how many different users IP is trying to register on before
>>>>> blocking the IP.
>>>>>
>>>>> Jai Rangi
>>>>> www.didforslae.com
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <
>>>>> anuragrana31189 at gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> Hi All.
>>>>>>
>>>>>> Someone is attacking on my SIP server.
>>>>>> There are lot of requests coming in and I am not able to stop it
>>>>>> because I am unable to detect the IP address.
>>>>>> I used wireshark to capture the packets.
>>>>>>
>>>>>> Although I am using very strong password for my SIP users but still
>>>>>> is there any way to drop these packets and stop this attack.
>>>>>>
>>>>>> I tried dropping packet after matching some string (most of the
>>>>>> packets from attacker contains string 'VaxSIPUserAgent/3.1' ) but it
>>>>>> failed. Packets are still flowing in.
>>>>>>
>>>>>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>>>>>
>>>>>>
>>>>>> Its something like this
>>>>>>
>>>>>> Registration from '"30" <sp:30 at my_public_ip:5060> failed for
>>>>>> '192.168.xxx.xxx:6373' - Wrong Password
>>>>>>
>>>>>> and there are approx 10 request per minute of this type.
>>>>>>
>>>>>> Please suggest some way to stop this.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Anurag Rana
>>>>>> http://newbie42.blogspot.in/
>>>>>> On the trampoline of life's experiences, Striving towards a saintly
>>>>>> life in the midst of these materialistic turbulences.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> _____________________________________________________________________
>>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>>>> http://www.asterisk.org/hello
>>>>>>
>>>>>> asterisk-users mailing list
>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> _____________________________________________________________________
>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>>> http://www.asterisk.org/hello
>>>>>
>>>>> asterisk-users mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>
>>>>
>>>> --
>>>> _____________________________________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>> http://www.asterisk.org/hello
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>
>>>
>>>
>>>
>>> --
>>> Anurag Rana
>>> http://newbie42.blogspot.in/
>>> On the trampoline of life's experiences, Striving towards a saintly life
>>> in the midst of these materialistic turbulences.
>>>
>>>
>>>
>>
>>
>> --
>> Anurag Rana
>> http://newbie42.blogspot.in/
>> On the trampoline of life's experiences, Striving towards a saintly life
>> in the midst of these materialistic turbulences.
>>
>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>> http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in
the midst of these materialistic turbulences.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140627/120cda65/attachment.html>
More information about the asterisk-users
mailing list