<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">+1 fail2ban<br>
Very easy and very effective. <br>
On 27/06/2014 10:52 AM, Anurag Rana wrote:<br>
</div>
<blockquote
cite="mid:CAFjUrj4Cen8M7QafamHzt-w5d1STO00Xwn_OgLZ+HZuWcpw_pA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:#000000">Both
Rules* (typo in last mail)</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jun 27, 2014 at 8:19 PM, Anurag
Rana <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:anuragrana31189@gmail.com" target="_blank">anuragrana31189@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:#000000">I
added bot rules TCP as well as UDP. Still not working.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:#000000">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:#000000">How
will changing the SIP listen port prevent it? Please
explain.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:#000000">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:#000000">I
will try fail2ban.</div>
</div>
<div class="gmail_extra">
<div>
<div class="h5"><br>
<br>
<div class="gmail_quote">On Fri, Jun 27, 2014 at 8:16
PM, Prakash N <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:prakash.n@tevatel.com"
target="_blank">prakash.n@tevatel.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">Hi,<br>
<br>
Install fail2ban and change the SIP listen port
to avoid the attack<br>
<br>
With regards <br>
<span><font color="#888888"><br>
N.Prakash</font></span></div>
</div>
<span><font color="#888888">
<div dir="ltr">
<hr>
<span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">From:
</span><span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a
moz-do-not-send="true"
href="mailto:anuragrana31189@gmail.com"
target="_blank">Anurag Rana</a></span><br>
<span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Sent:
</span><span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">27-06-2014
08:07 PM</span><br>
<span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">To:
</span><span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif"><a
moz-do-not-send="true"
href="mailto:asterisk-users@lists.digium.com"
target="_blank">Asterisk Users Mailing
List - Non-Commercial Discussion</a></span><br>
<span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif;FONT-WEIGHT:bold">Subject:
</span><span
style="FONT-SIZE:11pt;FONT-FAMILY:Calibri,sans-serif">[asterisk-users]
Attack on Sip server.</span><br>
<br>
</div>
</font></span></div>
<div>
<div>
<div dir="ltr">
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br
clear="all">
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Hi
All.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Someone
is attacking my SIP server.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
There are a lot of requests coming in and I
am not able to stop it because I am unable
to detect the IP address. </div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I
used wireshark to capture the packets.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Although
I am using a very strong password for my SIP
users, is there still any way to drop
these packets and stop this attack?</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I
tried dropping packets after matching some
string (most of the packets from the attacker
contain the string 'VaxSIPUserAgent/3.1')
but it failed. Packets are still flowing
in. </div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif">
<pre style="font-size:medium"><font color="#0000ff">iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP</font></pre>
</div>
<div><br>
</div>
<div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
It's something like this:</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><font
color="#0000ff">Registration from
'"30" &lt;sp:30@my_public_ip:5060&gt;
failed for '192.168.xxx.xxx:6373' -
Wrong Password</font></div>
<br>
</div>
<div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
and there are approx 10 requests per
minute of this type.</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Please
suggest some way to stop this.</div>
<br>
</div>
<div><br>
</div>
-- <br>
<div dir="ltr"><span
style="background-color:rgb(255,255,255)"><font
style="font-family:georgia,serif"
face="garamond,serif"><font size="4"><font
size="4"><font
face="verdana,sans-serif"><font>Anurag
Rana <br>
<font size="1"><span
style="color:rgb(56,118,29)"><a
moz-do-not-send="true"
href="http://newbie42.blogspot.in/"
target="_blank">http://newbie42.blogspot.in/</a></span><br>
<span
style="color:rgb(106,168,79)">On
the trampoline of life's
experiences, Striving
towards a saintly life in
the midst of these
materialistic turbulences.</span></font><br>
</font><br>
</font></font></font></font></span>
<div><span
style="background-color:rgb(255,255,255)"><font
style="font-family:georgia,serif"
face="garamond,serif"><br>
</font></span></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Ron Wheeler
President
Artifact Software Inc
email: <a class="moz-txt-link-abbreviated" href="mailto:rwheeler@artifact-software.com">rwheeler@artifact-software.com</a>
skype: ronaldmwheeler
phone: 866-970-2435, ext 102</pre>
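<p>The log line quoted in the thread carries the source address in its trailing <code>failed for '...'</code> field, which is the value fail2ban bans on. As an added example (not code from the thread or from fail2ban), this Python script counts such failures per source over a sliding window and builds a source-address DROP rule for each repeat offender; the timestamp format (<code>dateformat=%F %T</code> in logger.conf), the thresholds and the sample addresses are assumptions.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The From value is supplied by the remote client, so the pattern is anchored
# to the end of the line and the address is read from the trailing
# "failed for '...'" field that Asterisk itself writes (port is optional).
FAILED_REG = re.compile(
    r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] .*?"
    r"Registration from '(.*)' failed for "
    r"'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - ([^']+)$"
)

def offenders(lines, max_retry=5, find_time=timedelta(minutes=10)):
    """Return {ip: time the threshold was crossed} for repeat failures."""
    recent = defaultdict(deque)   # ip -> failure times inside the window
    flagged = {}
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(3)
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:   # forget failures older than find_time
            window.popleft()
        if len(window) >= max_retry:
            flagged.setdefault(ip, when)      # keep the first crossing only
    return flagged

def drop_rules(flagged):
    """Source-address DROP rules, one per flagged host."""
    return ["iptables -I INPUT 1 -s %s -j DROP" % ip for ip in sorted(flagged)]

# Constructed sample log (documentation addresses, not taken from the thread):
# one host failing every 6 seconds, one user mistyping a password once.
FMT = ("[2014-06-27 20:05:%02d] NOTICE[2101] chan_sip.c: Registration from "
       "'\"%s\" <sip:%s@192.0.2.10:5060>' failed for '%s' - Wrong Password")
SAMPLE_LOG = [FMT % (s, "30", "30", "203.0.113.7:6373") for s in range(0, 60, 6)]
SAMPLE_LOG.append(FMT % (30, "41", "41", "198.51.100.20:5060"))

if __name__ == "__main__":
    for rule in drop_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

<p>A rule keyed on the source address does not depend on whether the traffic arrives over TCP or UDP or on the contents of the User-Agent header.</p>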
</body>
</html>