<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">+1 fail2ban<br>
      Very easy and very effective. <br>
      On 27/06/2014 10:52 AM, Anurag Rana wrote:<br>
    </div>
    <blockquote
cite="mid:CAFjUrj4Cen8M7QafamHzt-w5d1STO00Xwn_OgLZ+HZuWcpw_pA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_default"
          style="font-family:verdana,sans-serif;color:#000000">Both
          Rules* (typo in last mail)</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Fri, Jun 27, 2014 at 8:19 PM, Anurag
          Rana <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:anuragrana31189@gmail.com" target="_blank">anuragrana31189@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div class="gmail_default"
                style="font-family:verdana,sans-serif;color:#000000">I
                added bot rules TCP as well as UDP.  Still not working.</div>
              <div class="gmail_default"
                style="font-family:verdana,sans-serif;color:#000000">
                <br>
              </div>
              <div class="gmail_default"
                style="font-family:verdana,sans-serif;color:#000000">How
                will changing the SIP listen port prevent it? Please
                explain.</div>
              <div class="gmail_default"
                style="font-family:verdana,sans-serif;color:#000000">
                <br>
              </div>
              <div class="gmail_default"
                style="font-family:verdana,sans-serif;color:#000000">I
                will try fail2ban.</div>
            </div>
            <div class="gmail_extra">
              <div>
                <div class="h5"><br>
                  <br>
                  <div class="gmail_quote">On Fri, Jun 27, 2014 at 8:16
                    PM, Prakash N <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:prakash.n@tevatel.com"
                        target="_blank">prakash.n@tevatel.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div>
                        <div>
                          <div
                            style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">Hi,<br>
                            <br>
                            Install fail2ban and change the SIP listen port
                            to avoid attack<br>
                            <br>
                            With regards <br>
                            <span><font color="#888888"><br>
                                N.Prakash</font></span></div>
                        </div>
                        <span><font color="#888888">
                            <div dir="ltr">
                              <hr>
                              <span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">From:
                              </span><span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a
                                  moz-do-not-send="true"
                                  href="mailto:anuragrana31189@gmail.com"
                                  target="_blank">Anurag Rana</a></span><br>
                              <span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Sent:
                              </span><span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">27-06-2014
                                08:07 PM</span><br>
                              <span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">To:
                              </span><span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a
                                  moz-do-not-send="true"
                                  href="mailto:asterisk-users@lists.digium.com"
                                  target="_blank">Asterisk Users Mailing
                                  List - Non-Commercial Discussion</a></span><br>
                              <span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Subject:
                              </span><span
                                style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">[asterisk-users]
                                Attack on Sip server.</span><br>
                              <br>
                            </div>
                          </font></span></div>
                      <div>
                        <div>
                          <div dir="ltr">
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br
                                clear="all">
                            </div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Hi
                              All.</div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
                              <br>
                            </div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Someone
                              is attacking my SIP server.</div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
                              There are a lot of requests coming in and I
                              am not able to stop it because I am unable
                              to detect the IP address. </div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I
                              used wireshark to capture the packets.</div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br>
                            </div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Although
                              I am using very strong passwords for my SIP
                              users, is there still any way to drop
                              these packets and stop this attack?</div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
                              <br>
                            </div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I
                              tried dropping packets after matching a
                              string (most of the packets from the attacker
                              contain the string 'VaxSIPUserAgent/3.1'),
                              but it failed. Packets are still flowing
                              in. </div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br>
                            </div>
                            <div class="gmail_default"
                              style="font-family:verdana,sans-serif">
                              <pre style="font-size:medium"><font color="#0000ff">iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP</font></pre>
                            </div>
                            <div><br>
                            </div>
                            <div>
                              <div class="gmail_default"
                                style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
                                It's something like this</div>
                              <div class="gmail_default"
                                style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
                                <br>
                              </div>
                              <div class="gmail_default"
                                style="font-family:verdana,sans-serif"><font
                                  color="#0000ff">Registration from
                                  '"30" &lt;sp:30@my_public_ip:5060&gt;
                                  failed for '192.168.xxx.xxx:6373' -
                                  Wrong Password</font></div>
                              <br>
                            </div>
                            <div>
                              <div class="gmail_default"
                                style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
                                and there are approx. 10 requests per
                                minute of this type.</div>
                              <div class="gmail_default"
                                style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
                                <br>
                              </div>
                              <div class="gmail_default"
                                style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Please
                                suggest some way to stop this.</div>
                              <br>
                            </div>
                            <div><br>
                            </div>
                            -- <br>
                            <div dir="ltr"><span
                                style="background-color:rgb(255,255,255)"><font
                                  style="font-family:georgia,serif"
                                  face="garamond,serif"><font size="4"><font
                                      size="4"><font
                                        face="verdana,sans-serif"><font>Anurag
                                          Rana <br>
                                          <font size="1"><span
                                              style="color:rgb(56,118,29)"><a
                                                moz-do-not-send="true"
                                                href="http://newbie42.blogspot.in/"
                                                target="_blank">http://newbie42.blogspot.in/</a></span><br>
                                            <span
                                              style="color:rgb(106,168,79)">On
                                              the trampoline of life's
                                              experiences, Striving
                                              towards a saintly life in
                                              the midst of these
                                              materialistic turbulences.</span></font><br>
                                        </font><br>
                                      </font></font></font></font></span>
                              <div><span
                                  style="background-color:rgb(255,255,255)"><font
                                    style="font-family:georgia,serif"
                                    face="garamond,serif"><br>
                                  </font></span></div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <div><br>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Ron Wheeler
President
Artifact Software Inc
email: <a class="moz-txt-link-abbreviated" href="mailto:rwheeler@artifact-software.com">rwheeler@artifact-software.com</a>
skype: ronaldmwheeler
phone: 866-970-2435, ext 102</pre>
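    <p>What a fail2ban-style check does with the failed-registration notices quoted in this thread, shown as an added Python example that is not part of the original messages: it counts "Registration ... failed for" lines per source address in a sliding time window. The timestamp format, the sample log lines and addresses, and the maxretry/findtime values are constructed assumptions.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-registration notice as quoted in the thread. Assumption: timestamps
# look like "YYYY-MM-DD HH:MM:SS". The From header is sender-controlled, so the
# greedy (?P<frm>.*) anchors on the LAST "failed for", which Asterisk writes.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*"
    r"Registration from '(?P<frm>.*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def parse(line):
    """Return (timestamp, source_ip) for a failed registration, else None."""
    m = FAILED_REG.match(line.strip())
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]) if m else None

def offenders(lines, maxretry=5, findtime=timedelta(minutes=1)):
    """Map each source IP to the time it first reached maxretry failures
    within a sliding findtime window (lines must be in time order)."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip in filter(None, map(parse, lines)):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            flagged.setdefault(ip, ts)
    return flagged

# Constructed sample: one source failing every 6 s (about 10 per minute, as in
# the thread), one line with a forged "failed for" inside From, one stray failure.
PREFIX = "NOTICE[2101] chan_sip.c: Registration from "
SAMPLE_LOG = [
    f"[2014-06-27 20:05:{s:02d}] {PREFIX}'\"30\" <sip:30@192.0.2.10:5060>' "
    "failed for '198.51.100.7:6373' - Wrong password" for s in range(0, 36, 6)
] + [
    f"[2014-06-27 20:05:40] {PREFIX}'\"x' failed for '203.0.113.9' - y\" "
    "<sip:x@192.0.2.10>' failed for '198.51.100.8:5081' - Wrong password",
    f"[2014-06-27 20:06:10] {PREFIX}'\"41\" <sip:41@192.0.2.10>' "
    "failed for '203.0.113.50:5060' - Wrong password",
]

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}; candidate for a DROP rule")
```

    <p>The address it reports is the one Asterisk logged after "failed for", which is the value to block at the firewall regardless of which User-Agent string the packets carry.</p>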
  </body>
</html>