No way out. Fix your gateway, which is masquerading out to in traffic. And do some research as others mentioned instead of expecting a quick fix.
Mitul

On 27-Jun-2014 10:45 PM, "Anurag Rana" <anuragrana31...@gmail.com> wrote:

> Can't use anything which blocks IP addresses because my system is behind a
> gateway and the attacker gets the address of that gateway. In this way I will
> end up blocking myself.
>
> Please suggest something else.
>
> On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana <anuragrana31...@gmail.com>
> wrote:
>
>> Right Mitul. System is behind some gateway.
>>
>> On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mi...@enterux.in> wrote:
>>
>>> I think your asterisk server is behind a firewall or some sort of NAT
>>> where the out to in packets are getting masqueraded with the local or DMZ IP
>>> of your firewall / gateway box.
>>>
>>> Fix this first to get fail2ban to detect the correct public IP.
>>>
>>> Otherwise fail2ban will ban your local GW IP, due to which you won't be
>>> able to access the box even from your local network for ssh.
>>>
>>> Hope you know how to fix the firewall snat.
>>>
>>> Mitul
>>>
>>> On 27-Jun-2014 9:51 PM, "Jai Rangi" <jpra...@didforsale.com> wrote:
>>>
>>>> Anurag,
>>>>
>>>> Here is a small script that will check your logs and will block the IPs.
>>>>
>>>> http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>>>>
>>>> This is good if you don't expect any registration. If you do have some
>>>> valid registrations, you might want to add some counter to see how many times
>>>> an IP needs to fail or how many different users an IP is trying to register as
>>>> before blocking the IP.
>>>>
>>>> Jai Rangi
>>>> www.didforslae.com
>>>>
>>>> On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi All.
>>>>>
>>>>> Someone is attacking my SIP server.
>>>>> There are a lot of requests coming in and I am not able to stop it
>>>>> because I am unable to detect the IP address.
>>>>> I used wireshark to capture the packets.
>>>>>
>>>>> Although I am using a very strong password for my SIP users, is there
>>>>> still any way to drop these packets and stop this attack?
>>>>>
>>>>> I tried dropping packets after matching some string (most of the
>>>>> packets from the attacker contain the string 'VaxSIPUserAgent/3.1') but it
>>>>> failed. Packets are still flowing in.
>>>>>
>>>>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>>>>
>>>>> It's something like this:
>>>>>
>>>>> Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
>>>>>
>>>>> and there are approx 10 requests per minute of this type.
>>>>>
>>>>> Please suggest some way to stop this.
>>>>>
>>>>> --
>>>>> Anurag Rana
>>>>> http://newbie42.blogspot.in/
>>>>> On the trampoline of life's experiences, Striving towards a saintly
>>>>> life in the midst of these materialistic turbulences.
>>>>>
>>>>> --
>>>>> _____________________________________________________________________
>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>>> http://www.asterisk.org/hello
>>>>>
>>>>> asterisk-users mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
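Added example, not part of the thread or of the script Jai links to: a log triage that applies the counters Jai describes (failures per IP, distinct users per IP) and refuses to recommend a ban when the logged source is an RFC 1918 address, which is the masquerading symptom Mitul points out. The thresholds, verdict names and sample lines are assumptions; the line shape follows the failure message quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges: a "remote" peer logged from one of these is the NAT
# gateway's masqueraded address, not the real sender.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tolerates the missing closing quote in the line quoted in the thread.
FAILED = re.compile(r"Registration from '(?P<frm>.+?)'? failed for "
                    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$")
USER = re.compile(r"<\w+:(?P<user>[^@>]+)@")

def triage(lines, max_failures=5, max_users=3):
    """Map each source IP to 'ban', 'watch' or 'masqueraded' (thresholds assumed)."""
    failures, users = defaultdict(int), defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        failures[m["ip"]] += 1
        u = USER.search(m["frm"])
        if u:
            users[m["ip"]].add(u["user"])
    verdicts = {}
    for ip, count in failures.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # e.g. 999.1.1.1 in a corrupted line
            continue
        if any(addr in net for net in RFC1918):
            verdicts[ip] = "masqueraded"   # banning this locks out the LAN
        elif count >= max_failures or len(users[ip]) >= max_users:
            verdicts[ip] = "ban"
        else:
            verdicts[ip] = "watch"
    return verdicts

def sample_line(user, src):
    # Constructed chan_sip-style failure line using documentation addresses.
    return ("[2014-06-27 19:37:01] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@203.0.113.10:5060>' failed for "
            f"'{src}:6373' - Wrong password")

# Constructed sample input, not captured from the poster's system.
SAMPLE_LOG = ([sample_line(30 + i, "192.168.1.1") for i in range(6)]
              + [sample_line(u, "198.51.100.7") for u in (100, 101, 102)]
              + [sample_line(200, "198.51.100.99"), "chan_sip.c: Peer '30' is now Reachable"])
```

A "masqueraded" verdict means the address in the log cannot be used for blocking until the gateway stops rewriting the source of inbound traffic.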