Re: [asterisk-users] Attack on Sip server.
On Fri, 2014-06-27 at 22:24 +0530, Anurag Rana wrote:

> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string VaxSIPUserAgent --algo bm -j DROP

You make a fundamental mistake here. Firewalls (both inline and host-based) should drop everything by default. And you should specifically accept what you are expecting and capable of handling. Not the other way round.

The above rule is something like: the front door is locked between 9:30 AM and 10:15 AM, as you expect burglars to come to your house.

--
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
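The default-deny posture this reply argues for (and that a later reply restates as "only enable SIP for your specific clients in iptables"), written out as an added shell example that is not from the thread: SIP and RTP are accepted only from known peers and everything else is dropped, whatever User-Agent it carries. The peer addresses, management network and RTP range are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny INPUT chain that accepts
# SIP and RTP only from the peers you expect, instead of trying to drop one
# User-Agent string that the attacker chooses. Addresses, ports and the RTP
# range below are constructed placeholders; set them to your own values.
SIP_PEERS="203.0.113.10 198.51.100.20"   # assumed: ITSP trunk and a remote phone
MGMT_NET="192.168.1.0/24"                # assumed: LAN that may reach SSH
SIP_PORT=5060                            # bindport from sip.conf
RTP_RANGE="10000:20000"                  # assumed: rtpstart/rtpend from rtp.conf

# render_rules prints the iptables commands, so the set can be reviewed (or
# diffed against the running chain) before anything is applied.
render_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened, and the return half of UDP flows.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT"
    for peer in $SIP_PEERS; do
        # SIP signalling on both transports: chan_sip registrations normally
        # arrive over UDP, which the thread's original TCP-only rule never saw.
        echo "iptables -A INPUT -s $peer -p udp --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A INPUT -s $peer -p tcp --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A INPUT -s $peer -p udp --dport $RTP_RANGE -j ACCEPT"
    done
    # Policy is set last so an existing SSH session is never cut mid-way.
    # Anything not accepted above, whatever its User-Agent says, is dropped.
    echo "iptables -P INPUT DROP"
}

# apply_rules runs the rendered commands; needs root, and console or
# out-of-band access in case MGMT_NET is wrong.
apply_rules() {
    render_rules | sh -e
}

# uses_string_match succeeds if any rendered rule filters on payload text,
# the approach the thread started with; this ruleset should never do so.
uses_string_match() {
    render_rules | grep -q -- '-m string'
}

# count_accepts returns how many ACCEPT rules the set contains
# (1 lo, 1 conntrack, 1 SSH, 3 per peer).
count_accepts() {
    render_rules | grep -c -- '-j ACCEPT'
}
```

Review `render_rules` output first; `apply_rules` executes it and will lock out anything not listed, including you if MGMT_NET is wrong.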
Re: [asterisk-users] Attack on Sip server.
If you have a small Asterisk installation, install the free version of SecAst: http://www.voip-info.org/wiki/view/SecAst+(Asterisk+Intrusion+Detection+and+Prevention)

For general Asterisk security info check this out: http://www.voip-info.org/wiki/view/Asterisk+security

-=Michelle=-

All opinions posted are my own, and do not necessarily reflect those of my employer. As an employee of GenerationD my opinions are seriously biased :)

From: asterisk-users-boun...@lists.digium.com on behalf of Anurag Rana anuragrana31...@gmail.com
Sent: Friday, June 27, 2014 10:49 AM
To: Prakash N
Cc: Asterisk Users List
Subject: Re: [asterisk-users] Attack on Sip server.

> I added bot rules TCP as well as UDP. Still not working. How will changing the SIP listen port prevent it? Please explain. I will try fail2ban.
>
> On Fri, Jun 27, 2014 at 8:16 PM, Prakash N prakas...@tevatel.com wrote:
>
>> Install fail2ban and change the SIP listen port to avoid the attack.
Re: [asterisk-users] Attack on Sip server.
> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string VaxSIPUserAgent --algo bm -j DROP
>
> It's something like this:
>
> Registration from '30 sp:30@my_public_ip:5060 failed for '192.168.xxx.xxx:6373' - Wrong Password
>
> and there are approx 10 requests per minute of this type. Please suggest some way to stop this.

In my experience you need to do 2 things to fix your problem.

#1) Get the real IP address of the attacker.

First you will need to recompile Asterisk to enable the log that shows the IP of the attacker. It apparently is only set for debug, so you need to edit chan_sip.c:

    if (!peer) {
        if (debug)                                    *** --- delete this line
            ast_verbose("No matching peer for '%s' from '%s'\n", of, ast_sockaddr_stringify(&p->recv));
    }

This will enable logs like:

    VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080'

#2) Now that you have the IP of the attacker, just use fail2ban to block him automatically. Make sure you test out your rules. For example, the above log is detected with the fail2ban rule:

    VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$

--
Technical Support
http://www.cellroute.net
[asterisk-users] Attack on Sip server.
Hi All.

Someone is attacking my SIP server. There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address. I used Wireshark to capture the packets. Although I am using very strong passwords for my SIP users, is there still any way to drop these packets and stop this attack? I tried dropping packets after matching some string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed. Packets are still flowing in.

    iptables -I INPUT 1 -p tcp --dport 5060 -m string --string VaxSIPUserAgent --algo bm -j DROP

It's something like this:

    Registration from '30 sp:30@my_public_ip:5060 failed for '192.168.xxx.xxx:6373' - Wrong Password

and there are approx 10 requests per minute of this type. Please suggest some way to stop this.

--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
Re: [asterisk-users] Attack on Sip server.
Hi,

Change the protocol from tcp to udp in iptables.

~Arun

On 27 Jun 2014 20:07, Anurag Rana anuragrana31...@gmail.com wrote:

> I tried dropping packets after matching some string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed. Packets are still flowing in.
>
> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string VaxSIPUserAgent --algo bm -j DROP
Re: [asterisk-users] Attack on Sip server.
Hi,

Install fail2ban and change the SIP listen port to avoid the attack.

With regards
N.Prakash

From: Anurag Rana anuragrana31...@gmail.com
Sent: 27-06-2014 08:07 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject: [asterisk-users] Attack on Sip server.

> Someone is attacking my SIP server. There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address. [...] Please suggest some way to stop this.
Re: [asterisk-users] Attack on Sip server.
I added bot rules TCP as well as UDP. Still not working. How will changing the SIP listen port prevent it? Please explain. I will try fail2ban.

On Fri, Jun 27, 2014 at 8:16 PM, Prakash N prakas...@tevatel.com wrote:

> Install fail2ban and change the SIP listen port to avoid the attack.

--
Anurag Rana
http://newbie42.blogspot.in/
Re: [asterisk-users] Attack on Sip server.
Both Rules* (typo in last mail)

On Fri, Jun 27, 2014 at 8:19 PM, Anurag Rana anuragrana31...@gmail.com wrote:

> I added bot rules TCP as well as UDP. Still not working. How will changing the SIP listen port prevent it? Please explain. I will try fail2ban.

--
Anurag Rana
http://newbie42.blogspot.in/
Re: [asterisk-users] Attack on Sip server.
On 27 Jun 2014, at 15:37, Anurag Rana anuragrana31...@gmail.com wrote:

> There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address. I used Wireshark to capture the packets.

If you can capture the packet, surely you have the IP? If they intend to get the response then the IP header can't be forged.

Steve
Re: [asterisk-users] Attack on Sip server.
Very simple, yet effective: http://www.palner.com/blog/171/asterisk-no-matching-peer-found-block/

On 27.06.2014 16:58, Steven Howes wrote:

> If you can capture the packet, surely you have the IP? If they intend to get the response then the IP header can't be forged.
Re: [asterisk-users] Attack on Sip server.
This is a common issue and is covered in the mailing list archives multiple times. Do a Google search for something like:

    site:lists.digium.com fail2ban

From: asterisk-users-boun...@lists.digium.com On Behalf Of Steven Howes
Sent: Friday, June 27, 2014 10:58 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Attack on Sip server.

> If you can capture the packet, surely you have the IP? If they intend to get the response then the IP header can't be forged.
Re: [asterisk-users] Attack on Sip server.
+1 fail2ban

Very easy and very effective.

On 27/06/2014 10:52 AM, Anurag Rana wrote:

> Both Rules* (typo in last mail)
>
> On Fri, Jun 27, 2014 at 8:19 PM, Anurag Rana anuragrana31...@gmail.com wrote:
>
>> I added bot rules TCP as well as UDP. Still not working. How will changing the SIP listen port prevent it? Please explain. I will try fail2ban.

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: [asterisk-users] Attack on Sip server.
In sip.conf change the listen port 5060 to some other number like 7242 (any number), then restart Asterisk. Register the SIP phone with the listen port (7242).

Example
Domain: 192.168.1.10:7242

With regards
N.Prakash

From: Anurag Rana anuragrana31...@gmail.com
Sent: 27-06-2014 08:19 PM
To: Prakash N prakas...@tevatel.com
Cc: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Attack on Sip server.

> I added bot rules TCP as well as UDP. Still not working. How will changing the SIP listen port prevent it? Please explain. I will try fail2ban.
Re: [asterisk-users] Attack on Sip server.
Block the IP? You should only enable SIP for your specific clients in iptables.

Sent from Samsung Mobile

-------- Original message --------
From: arun kumar arunvsadni...@gmail.com
Date: 27/06/2014 4:42 PM (GMT+02:00)
To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Attack on Sip server.

> Change the protocol from tcp to udp in iptables.
Re: [asterisk-users] Attack on Sip server.
Anurag,

Here is a small script that will check your logs and will block the IPs: http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack

This is good if you don't expect any registration. If you do have some valid registrations, you might want to add some counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP.

Jai Rangi
www.didforslae.com

On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana anuragrana31...@gmail.com wrote:

> Someone is attacking my SIP server. There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address.
Re: [asterisk-users] Attack on Sip server.
I think your Asterisk server is behind a firewall or some sort of NAT where the out-to-in packets are getting masqueraded with the local or DMZ IP of your firewall / gateway box. Fix this first to get fail2ban to detect the correct public IP. Otherwise fail2ban will ban your local GW IP, due to which you won't be able to access the box even from your local network for SSH.

Hope you know how to fix the firewall SNAT.

Mitul

On 27-Jun-2014 9:51 PM, Jai Rangi jpra...@didforsale.com wrote:

> Here is a small script that will check your logs and will block the IPs: http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>
> This is good if you don't expect any registration. If you do have some valid registrations, you might want to add some counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP.
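The log-driven blocking discussed in this sub-thread, as an added POSIX shell example that is not code from the thread, from fail2ban or from the didforsale script: the two sed expressions do the job of the fail2ban failregex quoted earlier for the "Wrong password" and "No matching peer" lines, a per-address counter implements Jai's suggestion of failing several times before a block, and an ignore list carries Mitul's caveat so a NAT gateway that masquerades the attacker is never banned. The log lines, the threshold and the gateway address are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from didforsale.com: a fail2ban-style
# pass over Asterisk log lines. It pulls the source address out of both log
# formats quoted in the thread (the "Wrong password" NOTICE and the
# "No matching peer" VERBOSE line), keeps a failure counter per address, and
# never bans an address on IGNORE_IPS, so a NAT gateway that masquerades the
# attacker cannot get the box to block itself. Fixing the NAT is still needed
# before any of this can see the real source address.
THRESHOLD=5                            # failures before an address is reported
IGNORE_IPS="192.168.1.1 127.0.0.1"     # assumed: the LAN gateway/NAT box, and lo

# sample_log prints constructed log lines in the two formats from the thread.
# Addresses are from documentation ranges; none of this is a real capture.
sample_log() {
    cat <<'EOF'
[Jun 27 15:30:01] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@my_public_ip:5060>' failed for '192.168.1.1:6373' - Wrong password
[Jun 27 15:30:02] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@my_public_ip:5060>' failed for '192.168.1.1:6373' - Wrong password
[Jun 27 15:30:03] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@my_public_ip:5060>' failed for '192.168.1.1:6373' - Wrong password
[Jun 27 15:30:04] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@my_public_ip:5060>' failed for '192.168.1.1:6373' - Wrong password
[Jun 27 15:30:05] VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '192.168.1.1:6373'
[Jun 27 15:30:06] VERBOSE[24693] chan_sip.c: No matching peer for '1001' from '192.168.1.1:6373'
[Jun 27 15:30:07] VERBOSE[24693] chan_sip.c: No matching peer for '1002' from '192.168.1.1:6373'
[Jun 27 15:30:08] NOTICE[24693] chan_sip.c: Registration from '"100" <sip:100@my_public_ip:5060>' failed for '203.0.113.7:5080' - Wrong password
[Jun 27 15:30:09] NOTICE[24693] chan_sip.c: Registration from '"100" <sip:100@my_public_ip:5060>' failed for '203.0.113.7:5080' - Wrong password
[Jun 27 15:30:10] NOTICE[24693] chan_sip.c: Registration from '"100" <sip:100@my_public_ip:5060>' failed for '203.0.113.7:5080' - Wrong password
[Jun 27 15:30:11] VERBOSE[24693] chan_sip.c: No matching peer for '101' from '203.0.113.7:5080'
[Jun 27 15:30:12] VERBOSE[24693] chan_sip.c: No matching peer for '102' from '203.0.113.7:5080'
[Jun 27 15:30:13] VERBOSE[24693] chan_sip.c: No matching peer for '103' from '203.0.113.7:5080'
[Jun 27 15:30:14] VERBOSE[24693] chan_sip.c: No matching peer for '200' from '198.51.100.9:5060'
[Jun 27 15:30:15] VERBOSE[24693] chan_sip.c: No matching peer for '201' from '198.51.100.9:5060'
[Jun 27 15:30:16] VERBOSE[24693] chan_sip.c: -- Registered SIP '101' at 192.168.1.50:5060
EOF
}

# extract_hosts reads log lines on stdin and prints one source IPv4 per
# matching line. The two sed expressions are the shell counterparts of the
# fail2ban failregex lines: the port after the address is optional, and the
# line must end right after the closing quote so nothing else is mistaken
# for a failure.
extract_hosts() {
    sed -n \
        -e "s/.* failed for '\([0-9.]*\)\(:[0-9]*\)\{0,1\}' - Wrong [Pp]assword\$/\1/p" \
        -e "s/.*: No matching peer for '[^']*' from '\([0-9.]*\)\(:[0-9]*\)\{0,1\}'\$/\1/p"
}

# is_ignored succeeds when $1 is on the ignore list.
is_ignored() {
    for ignored in $IGNORE_IPS; do
        [ "$1" = "$ignored" ] && return 0
    done
    return 1
}

# ban_candidates reads log lines on stdin and prints every address that failed
# at least THRESHOLD times and is not ignored, one per line.
ban_candidates() {
    extract_hosts | sort | uniq -c | while read -r count ip; do
        if [ "$count" -ge "$THRESHOLD" ] && ! is_ignored "$ip"; then
            echo "$ip"
        fi
    done
}

# block_ip inserts a DROP rule for one offender (needs root). The ignore list
# is checked again here so a caller can never block the gateway by mistake.
block_ip() {
    if is_ignored "$1"; then
        echo "refusing to block ignored address $1" >&2
        return 1
    fi
    iptables -I INPUT -s "$1" -j DROP
}
```

With the constructed log, `sample_log | ban_candidates` reports only 203.0.113.7: the gateway address fails more often but is ignored, and 198.51.100.9 stays under the threshold.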
Re: [asterisk-users] Attack on Sip server.
Fail2ban installation
http://striker24x7.blogspot.in/2011/07/fail2ban-in-asterisk.html?m=1

Iptables
http://striker24x7.blogspot.in/2014/03/simple-iptables-script.html?m=1

With regards
N.Prakash

From: Anurag Rana anuragrana31...@gmail.com
Sent: 27-06-2014 08:22 PM
To: Prakash N prakas...@tevatel.com
Cc: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Attack on Sip server.

> Both Rules* (typo in last mail)
>
> On Fri, Jun 27, 2014 at 8:19 PM, Anurag Rana anuragrana31...@gmail.com wrote:
>
>> I added bot rules TCP as well as UDP. Still not working. How will changing the SIP listen port prevent it? Please explain. I will try fail2ban.
Re: [asterisk-users] Attack on Sip server.
Right Mitul. System is behind some gateway. On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani mi...@enterux.in wrote: I think your asterisk server is behind firewall or some sort of NAT where the out to in packets are getting masqueraded with local or DMZ IP of your firewall / gateway box. Fix this first to get fail2ban detect the correct public IP. Otherwise fail2ban will ban your local GW IP due to which you won't be able to access the box even from your local network for ssh. Hope u know how to fix the firewall snat. Mitul On 27-Jun-2014 9:51 PM, Jai Rangi jpra...@didforsale.com wrote: Anurag, Here is small script, that will check your logs and will block the IPs. http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack This is good if you dont expect any registration. If you do have some valid registration, you might want to add some counter to see how time IP need to fail or how many different users IP is trying to register on before blocking the IP. Jai Rangi www.didforslae.com On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana anuragrana31...@gmail.com wrote: Hi All. Someone is attacking on my SIP server. There are lot of requests coming in and I am not able to stop it because I am unable to detect the IP address. I used wireshark to capture the packets. Although I am using very strong password for my SIP users but still is there any way to drop these packets and stop this attack. I tried dropping packet after matching some string (most of the packets from attacker contains string 'VaxSIPUserAgent/3.1' ) but it failed. Packets are still flowing in. iptables -I INPUT 1 -p tcp --dport 5060 -m string --string VaxSIPUserAgent --algo bm -j DROP Its something like this Registration from '30 sp:30@my_public_ip:5060 failed for '192.168.xxx.xxx:6373' - Wrong Password and there are approx 10 request per minute of this type. Please suggest some way to stop this. 
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
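The two suggestions quoted above, Jai's counter of failures per IP before blocking and Mitul's warning that a NAT gateway makes every failure look like it comes from the gateway's own address, combine into the following script. It is an added example and not code from this thread, from Asterisk or from fail2ban. The log lines are constructed to match the shape of the "Registration from ... failed for ... - Wrong Password" line Anurag posted; the addresses in them (192.168.1.1 standing in for the gateway, 203.0.113.9 and 10.0.0.5 as other sources) and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example; not code from this thread, from Asterisk or from fail2ban.
# Counts failed SIP registrations per source address in an Asterisk log and
# works out which sources a block script may act on. It adds the failure
# counter Jai suggests, and the check Mitul's warning calls for: when the
# failures come from a private address, that address is almost certainly the
# masquerading gateway, and banning it cuts off the LAN instead of the attacker.
#
# The log lines below are constructed to match the shape of the line Anurag
# posted; the addresses in them (192.168.1.1 as the gateway, 203.0.113.9 and
# 10.0.0.5 as other sources) are assumptions.

SAMPLE_LOG=$(cat <<'EOF'
[Jun 27 22:00:01] NOTICE[1234] chan_sip.c: Registration from '30 <sip:30@my_public_ip:5060>' failed for '192.168.1.1:6373' - Wrong password
[Jun 27 22:00:07] NOTICE[1234] chan_sip.c: Registration from '31 <sip:31@my_public_ip:5060>' failed for '192.168.1.1:6374' - Wrong password
[Jun 27 22:00:13] NOTICE[1234] chan_sip.c: Registration from '32 <sip:32@my_public_ip:5060>' failed for '192.168.1.1:6375' - Wrong password
[Jun 27 22:00:20] NOTICE[1234] chan_sip.c: Registration from '100 <sip:100@my_public_ip:5060>' failed for '203.0.113.9:5060' - Wrong password
[Jun 27 22:00:26] NOTICE[1234] chan_sip.c: Registration from '100 <sip:100@my_public_ip:5060>' failed for '203.0.113.9:5060' - Wrong password
[Jun 27 22:00:31] NOTICE[1234] chan_sip.c: Registration from '101 <sip:101@my_public_ip:5060>' failed for '203.0.113.9:5060' - No matching peer found
[Jun 27 22:00:40] NOTICE[1234] chan_sip.c: Registration from '100 <sip:100@my_public_ip:5060>' failed for '10.0.0.5:5060' - Wrong password
[Jun 27 22:00:45] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
EOF
)

# failed_by_ip LOGTEXT -> "COUNT IP" per source address, most failures first.
# Only "Registration from ... failed for 'IP:PORT'" lines are counted,
# whatever the failure reason after the dash.
failed_by_ip() {
    printf '%s\n' "$1" \
    | sed -n "s/.*Registration from .* failed for '\([0-9.][0-9.]*\):[0-9][0-9]*'.*/\1/p" \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# offenders LOGTEXT THRESHOLD -> addresses with at least THRESHOLD failures
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# is_private IP -> succeeds for RFC 1918 space (10/8, 172.16/12, 192.168/16)
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_bans LOGTEXT THRESHOLD -> one line per offender: "ban IP", or
# "skip IP ..." when the address is private and a ban would hit the gateway.
plan_bans() {
    offenders "$1" "$2" | while read -r ip; do
        if is_private "$ip"; then
            echo "skip $ip (private source: fix the gateway SNAT before banning)"
        else
            echo "ban $ip"
        fi
    done
}

# Sample run over the constructed log with a threshold of 3 failures
plan_bans "$SAMPLE_LOG" 3
```

On a real box the log text comes from /var/log/asterisk/messages (or wherever logger.conf sends NOTICE messages), and the "ban" lines are what a cron job would feed to an iptables DROP rule. The "skip" branch is the point of the exercise: if the only heavy hitter is a private address, a ban would lock out the LAN (including your own SSH session, as Mitul says), so the gateway's SNAT has to be fixed before any per-IP blocking can work.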
Re: [asterisk-users] Attack on Sip server.
Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself. Please suggest something else.

On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana anuragrana31...@gmail.com wrote:

> Right Mitul. System is behind some gateway.
>
> On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani mi...@enterux.in wrote:
>
>> I think your asterisk server is behind a firewall or some sort of NAT where the out-to-in packets are getting masqueraded with the local or DMZ IP of your firewall / gateway box. Fix this first to get fail2ban to detect the correct public IP. Otherwise fail2ban will ban your local GW IP, due to which you won't be able to access the box even from your local network for ssh. Hope u know how to fix the firewall SNAT.
>>
>> Mitul

--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
Re: [asterisk-users] Attack on Sip server.
No way out. Fix ur gateway which is masquerading out-to-in traffic. And do some research as others mentioned instead of expecting a quick fix.

Mitul

On 27-Jun-2014 10:45 PM, Anurag Rana anuragrana31...@gmail.com wrote:

> Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself. Please suggest something else.
Re: [asterisk-users] Attack on Sip server.
Ok. Thanks. :)

On Fri, Jun 27, 2014 at 11:05 PM, Mitul Limbani mi...@enterux.in wrote:

> No way out. Fix ur gateway which is masquerading out-to-in traffic. And do some research as others mentioned instead of expecting a quick fix.
>
> Mitul

--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
Re: [asterisk-users] Attack on Sip server.
Please don't top-post. Please trim posts to the specific post you are replying to.

On Fri, 27 Jun 2014, Anurag Rana wrote:

> Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself. Please suggest something else.

The most effective approach would be to configure your gateway to block all IP addresses and white-list the ones you really need.

If you are in control of the endpoints, moving to a non-standard SIP port as previously suggested should be pretty effective. Most script-kiddies won't bother to 'port-scan' to identify the new port number.

--
Thanks in advance,
- Steve Edwards sedwa...@sedwards.com
Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
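Steve's "block everything, white-list what you need" is the opposite of the single-string DROP rule Anurag started with, and it is easier to get right if the rule list is generated and reviewed before it is applied. The script below is an added example, not code from this thread or from Asterisk: it prints an iptables INPUT chain with a DROP policy and explicit ACCEPTs only for loopback, replies to established flows, SSH from a management subnet, and SIP plus RTP from the peers given as arguments. The management subnet, the RTP port range (which has to match rtpstart/rtpend in rtp.conf), the SIP port and the two peer addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example; not code from this thread or from Asterisk. It writes out the
# default-deny stance Steve describes as an iptables rule list for the host
# (or gateway) in front of Asterisk: INPUT policy DROP, then explicit ACCEPTs
# only for loopback, replies to established flows, SSH from a management
# network, and SIP plus RTP from the peers you list. The rules are printed
# rather than applied, so they can be reviewed before being piped to sh as root.
#
# Assumptions (replace for a real deployment): the management subnet, the RTP
# port range (must match rtpstart/rtpend in rtp.conf), and the SIP port.

SIP_PORT=5060            # or the non-standard port Prakash and Steve suggest
RTP_RANGE=10000:20000    # assumed rtp.conf rtpstart/rtpend
MGMT_NET=192.168.1.0/24  # assumed: where SSH may come from

# gen_sip_firewall PEER... -> prints iptables commands; each PEER is an IP or CIDR
gen_sip_firewall() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"   # nothing is accepted unless listed below
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -j ACCEPT"
    for peer in "$@"; do
        echo "iptables -A INPUT -p udp --dport $SIP_PORT -s $peer -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $SIP_PORT -s $peer -j ACCEPT"
        echo "iptables -A INPUT -p udp --dport $RTP_RANGE -s $peer -j ACCEPT"
    done
    # A rate-limited log of what falls through keeps scans visible without
    # flooding the log; everything not matched above hits the DROP policy.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT-DROP: '"
}

# count_accept RULES -> number of ACCEPT rules in a generated rule list
count_accept() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Example: two trusted peers (constructed documentation addresses)
gen_sip_firewall 203.0.113.10 198.51.100.0/24
```

Two caveats from the thread apply. The rules have to run on whichever box actually sees the real source address: behind a masquerading gateway the Asterisk host only ever sees the gateway's own address, so the whitelist belongs on the gateway, or its SNAT has to be fixed first, as Mitul says. And if you take Steve's second suggestion and move SIP off 5060, change SIP_PORT here and the matching bindport in sip.conf together, or the whitelisted peers will be accepted on a port Asterisk no longer listens on.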