<div dir="ltr"><div><div>Anurag,<br><br></div><div>Here is a small script that will check your logs and block the IPs. <br></div><a href="http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack">http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack</a><br>
<br></div>This is good if you don't expect any registrations. If you do have some valid registrations, you might want to add a counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP. <br>
<div><br></div><div>Jai Rangi<br></div><div><a href="http://www.didforslae.com">www.didforslae.com</a> <br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <span dir="ltr"><<a href="mailto:anuragrana31189@gmail.com" target="_blank">anuragrana31189@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br clear="all"></div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Hi All.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Someone is attacking my SIP server.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
There are a lot of requests coming in and I am not able to stop them because I am unable to detect the IP address. </div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I used wireshark to capture the packets.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br></div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Although I am using very strong passwords for my SIP users, is there still any way to drop these packets and stop this attack?</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">I tried dropping packets after matching a string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1'), but it failed. Packets are still flowing in. </div>
<div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><pre style="font-size:medium"><font color="#0000ff">iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP</font></pre>
</div><div><br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">It's something like this:</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><font color="#0000ff">Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password</font></div>
<br></div><div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">and there are approximately 10 requests per minute of this type.</div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">
<br></div>
<br></div><div class="gmail_default" style="font-family:verdana,sans-serif;color:rgb(0,0,0)">Please suggest some way to stop this.</div><span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>
<br></div>-- <br><div dir="ltr"><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><font size="4"><font size="4"><font face="verdana,sans-serif"><font>Anurag Rana <br>
<font size="1"><span style="color:rgb(56,118,29)"><a href="http://newbie42.blogspot.in/" target="_blank">http://newbie42.blogspot.in/</a></span><br><span style="color:rgb(106,168,79)">On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.</span></font><br>
</font><br></font></font></font></font></span><div><span style="background-color:rgb(255,255,255)"><font style="font-family:georgia,serif" face="garamond,serif"><br></font></span></div></div>
</font></span></div>
<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br></div>
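<p>The counter Jai describes (block an IP only after it fails too often, or after it probes too many different user names) as an added example. This is not the script from the didforsale link and not Asterisk project code; it assumes the chan_sip "Registration from ... failed for ..." NOTICE format shown in the question, uses constructed sample log lines, and the thresholds, the whitelist and the file path are illustrative. It only builds the iptables commands and prints them unless run with --apply. One check worth making first: chan_sip listens on UDP 5060 by default, and the rule in the question is bound to -p tcp, so it never matches UDP REGISTER traffic; the generated rules therefore cover both protocols.</p>

```python
#!/usr/bin/env python3
"""Count failed SIP registrations per source IP in an Asterisk log and
build iptables DROP rules for sources that cross a threshold."""
import re
import shlex
import subprocess
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed chan_sip NOTICE format for a failed REGISTER. The text between
# NOTICE[pid] and "Registration from" (call-id, source line) varies by
# Asterisk version, so it is skipped with a lazy match.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\].*?Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)
# User part of '"30" <sip:30@host>'; used to count how many accounts one IP probes.
USER_RE = re.compile(r"<sip:(?P<user>[^@>]+)@")

# Constructed sample log (not a real capture): one scanner probing several
# accounts from 198.51.100.23 and one legitimate phone at 192.168.1.20 that
# mistypes its password twice and then registers.
SAMPLE_LOG = """\
[Jun 27 07:30:01] NOTICE[2210] chan_sip.c: Registration from '"30" <sip:30@203.0.113.10>' failed for '198.51.100.23:6373' - Wrong password
[Jun 27 07:30:07] NOTICE[2210] chan_sip.c: Registration from '"30" <sip:30@203.0.113.10>' failed for '198.51.100.23:6373' - Wrong password
[Jun 27 07:30:13] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23:6373' - No matching peer found
[Jun 27 07:30:19] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23:6373' - No matching peer found
[Jun 27 07:30:25] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23:6373' - No matching peer found
[Jun 27 07:31:02] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.168.1.20:5060' - Wrong password
[Jun 27 07:31:40] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.168.1.20:5060' - Wrong password
[Jun 27 07:32:00] VERBOSE[2210] chan_sip.c: -- Registered SIP '201' at 192.168.1.20:5060
"""


def parse_failures(lines):
    """Yield (timestamp, ip, user, reason) for every failed-registration line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a registration failure (e.g. a VERBOSE line)
        um = USER_RE.search(m.group("from"))
        user = um.group("user") if um else m.group("from")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less; fine for windows
        yield ts, m.group("ip"), user, m.group("reason")


def offenders(lines, window=timedelta(minutes=10), max_failures=5,
              max_users=3, whitelist=()):
    """Return {ip: why} for IPs that, inside any sliding window, either fail
    max_failures times or probe max_users distinct accounts. Whitelisted IPs
    (your own NAT gateway, a phone that keeps mistyping) are never returned."""
    per_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(parse_failures(lines), key=lambda e: e[0]):
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in per_ip.items():
        if ip in whitelist:
            continue
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old events
            recent = events[start:end + 1]
            users = {u for _, u in recent}
            if len(recent) >= max_failures:
                flagged[ip] = f"{len(recent)} failed registrations within {window}"
                break
            if len(users) >= max_users:
                flagged[ip] = f"tried {len(users)} different users within {window}"
                break
    return flagged


def iptables_rules(ips, port=5060, protocols=("udp", "tcp")):
    """Build per-source DROP rules. chan_sip listens on UDP 5060 by default,
    so a rule bound only to -p tcp never sees that traffic; block both
    protocols unless you know which one the attacker is using."""
    return [f"iptables -I INPUT -s {ip} -p {proto} --dport {port} -j DROP"
            for ip in sorted(ips) for proto in protocols]


def apply_rules(rules, dry_run=True):
    """Print the rules, or run them (needs root) when dry_run is False."""
    for rule in rules:
        print(rule)
        if not dry_run:
            subprocess.run(shlex.split(rule), check=True)


if __name__ == "__main__":
    # Usage: block_sip_scanners.py [/var/log/asterisk/messages] [--apply]
    path = next((a for a in sys.argv[1:] if not a.startswith("--")), None)
    lines = open(path, encoding="utf-8", errors="replace") if path else SAMPLE_LOG.splitlines()
    bad = offenders(lines, whitelist={"192.168.1.20"})  # illustrative whitelist
    for ip, why in bad.items():
        print(f"# {ip}: {why}")
    apply_rules(iptables_rules(bad), dry_run="--apply" not in sys.argv)
```

Run it against the sample and only the scanner is reported: it trips the distinct-user counter after its third account, while the phone that fails twice with one user is left alone. Two things to keep in mind when pointing it at a real log: several phones behind one NAT share a public IP, so set the whitelist (or raise the thresholds) before blocking, and a source in 192.168.x.x, as in the question, is on your own network or already NATed, so the DROP rule needs to go on whichever box actually sees that address.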