[SR-Users] dictionary attacks

2010-10-24 Thread Juha Heinanen
While doing some tests, I noticed that one of my proxies started to
receive lots of REGISTER requests with different user names starting
from a letter.  There were also INVITE attempts in the logs.  They came
from IP 202.82.16.99 which according to traceroute is somewhere in
China.

Should we start publishing a black list of these attack IP addresses?

-- juha

___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users


Re: [SR-Users] dictionary attacks

2010-10-24 Thread Uriel Rozenbaum
Juha,

I think we should be especially careful about black-lists. We receive
many of these attacks on a per-day basis and a lot of them are from
residential addresses or universities, so I'm guessing some kind of worm
or trojan is performing the attack from various IPs.

If you have the time, try the fail2ban daemon. It can relate some
brute-force events and act accordingly, blocking an IP on iptables or
executing a script. You send those addresses to jail for a period of
time, then you can get them out again; and of course you can manually
revert.

Last, as a description of the attacks I saw: first it runs an Nmap-like
scan checking which IPs answer on 5060, then it starts sending
REGISTERs (usually Asterisk answers 404 if the user does not exist),
then when the proxy challenges, it interprets that the user is found and
starts making dictionary attacks on the password (1234, admin, and so
on). Keep safe, complicated passwords, make Kamailio challenge
everything and you'll be safe. And again, fail2ban is a pretty good
solution for brute force.

This might help you find a solution for your attacks.

Cheers,
Uriel



Re: [SR-Users] dictionary attacks

2010-10-24 Thread Sergey Okhapkin
I second fail2ban. I block IP addresses with failed registration
attempts for 1 hour. Here is my setup:

kamailio.cfg:

if (is_method("REGISTER")) {
    if (www_authorize("", "subscriber") < 0) {
        if ($rc == -1) {
            # user does not exist: log the source so fail2ban can match it,
            # and answer 200 so the scanner learns nothing from the reply
            xlog("L_INFO", "Invalid username from $proto:$si:$sp\n");
            sl_send_reply("200", "OK");
        } else {
            # known user, missing or wrong credentials: challenge as usual
            www_challenge("", "0");
        }
        exit;
    }
}


/etc/fail2ban/filter.d/openser.conf:

[Definition]
#_daemon = kamailio
# "..." matches the three-letter $proto (udp/tcp), <HOST> is the $si address
failregex = Invalid username from ...:<HOST>:

/etc/fail2ban/jail.conf:

findtime  = 600

[openser-iptables]
enabled  = true
filter   = openser
action   = iptables-allports[name=OPENSER, protocol=all]
logpath  = /var/log/openser/openser # Replace with your sr log location
maxretry = 10
bantime = 3600


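To show what the filter and jail settings above actually do over time, here is an added example (not code from the thread or from fail2ban) that replays constructed log lines through the same regex and the same findtime/maxretry/bantime rules; it assumes timestamps are already parsed into epoch seconds and uses addresses from the documentation ranges rather than any address mentioned in the thread.

```python
import re
from collections import defaultdict, deque

# Same pattern as the fail2ban filter above: "..." matches the three-letter
# transport from $proto, and fail2ban's <HOST> token is spelled out here as a
# named group (IPv4 only, which is all this example needs).
FAILREGEX = re.compile(r"Invalid username from ...:(?P<host>[0-9.]+):")

FINDTIME = 600   # seconds: window in which failures are counted
MAXRETRY = 10    # failures inside the window that trigger a ban
BANTIME = 3600   # seconds an address stays banned


class Jail:
    """Minimal model of a fail2ban jail: per-host failure window plus ban list."""

    def __init__(self, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
        self.findtime = findtime
        self.maxretry = maxretry
        self.bantime = bantime
        self.failures = defaultdict(deque)  # host -> timestamps of matched lines
        self.banned = {}                    # host -> time the ban expires

    def _expire(self, now):
        # Lift bans whose bantime has elapsed.
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]

    def observe(self, now, line):
        """Feed one log line. Returns the host if this line triggered a ban."""
        match = FAILREGEX.search(line)
        if match is None:
            return None                     # not an "invalid user" line: ignored
        host = match.group("host")
        self._expire(now)
        if host in self.banned:
            return None                     # already banned, nothing new to do
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            window.clear()
            return host
        return None

    def is_banned(self, host, now):
        self._expire(now)
        return host in self.banned


def simulate():
    """Replay a constructed log (timestamps as epoch seconds, addresses from
    the documentation ranges, not taken from the thread) through the jail."""
    jail = Jail()
    t0 = 1000
    events = []
    # Scanner: 12 REGISTERs with unknown users, one every 5 s.
    for i in range(12):
        events.append((t0 + 5 * i,
                       f"INFO: <script>: Invalid username from udp:192.0.2.10:{5060 + i}"))
    # Legitimate user mistyping: 9 attempts 100 s apart, never 10 in one window.
    for i in range(9):
        events.append((t0 + 100 * i,
                       "INFO: <script>: Invalid username from tcp:198.51.100.7:5060"))
    # A different message from the scanner's address must not count.
    events.append((t0 + 1, "INFO: <script>: Unauthorized request from udp:192.0.2.10:5060"))
    events.sort(key=lambda e: e[0])

    bans = []
    for now, line in events:
        host = jail.observe(now, line)
        if host is not None:
            bans.append((now, host))
    return {
        "bans": bans,                                                  # [(1045, "192.0.2.10")]
        "banned_during": jail.is_banned("192.0.2.10", t0 + 100),       # True
        "banned_after": jail.is_banned("192.0.2.10", t0 + 45 + 3600),  # False
        "legit_banned": jail.is_banned("198.51.100.7", t0 + 900),      # False
    }


if __name__ == "__main__":
    print(simulate())
```

Only lines written by the xlog() in the `$rc == -1` branch match, so wrong-password attempts by existing users are never counted towards a ban, which is what the config above intends.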


Re: [SR-Users] dictionary attacks

2010-10-24 Thread Daniel-Constantin Mierla
I watched live an attack on voipuser.org while running 3.1 before 
release. It lasted 18 hours. I didn't want to ban it because it was useful 
for testing and to see if it reveals any weakness. In most of the cases it hit 
the pike module. I got some data and plan to make an article about it soon.


Anyhow, as a result of that, the default config for kamailio has a section 
for detecting and banning such bad IPs, using pike to detect floods 
and htable to keep them blocked. Search for the WITH_ANTIFLOOD directive. It can 
be enhanced like you pointed out here, so if the authorize fails, add the IP 
to the banned list stored in htable.


Using fail2ban together with iptables has the advantage of dropping the 
packets before they get to the application and eat CPU, although in the 
case of voipuser.org the CPU was not affected much - the rate was 
170-200 requests per second.


Cheers,
Daniel



--
Daniel-Constantin Mierla
http://www.asipto.com




Re: [SR-Users] dictionary attacks

2010-10-24 Thread Iñaki Baz Castillo
2010/10/24 Daniel-Constantin Mierla mico...@gmail.com:
 Using fail2ban together with IP tables has the advantage of dropping the
 packets before getting to application and eating cpu

I have a testing platform with Kamailio and fail2ban working more or
less as explained in this thread. But I wonder if fail2ban is a good
idea as it works by inspecting regular expressions in each line of the
log. Is it good enough and feasible under high traffic? Wouldn't
fail2ban eat too much CPU by inspecting the log file? Just wondering.

Of course, the perfect solution would be Kamailio acting as fail2ban.
That is, the pike module inserting dynamic rules in iptables. Opinions?

-- 
Iñaki Baz Castillo
i...@aliax.net



Re: [SR-Users] dictionary attacks

2010-10-24 Thread Alex Balashov

On 10/24/2010 12:18 PM, Iñaki Baz Castillo wrote:


Of course, the perfect solution would be Kamailio acting as fail2ban.
This is, pike module inserting dynamic rules in iptables. Opinnions?


You could spawn a Perl script that does it, but it'd be kind of slow.

I think to come up with a good way to implement this, it is necessary 
to recognise that there are many topologies other than a firewall 
local on the Kamailio host that need to be accommodated, as well as an 
asynchronous architecture.  Many people would not want spam requests 
to even get to the Kamailio box to take up any resources, however 
small (netfilter), once they have been determined to be spam.


Some sort of IPC queue that can be consumed by an outside, 
non-Kamailio process would probably be the best way to do this.


Many commercial routers (such as Vyatta) are beginning to have 
firewall control APIs via HTTP/REST with which rules can be added. 
Adding a ban rule to the router is something that could be done with 
utils:http_query().  Blocking could probably be fixed by deferring the 
HTTP requests with mqueue + rtimer.



--
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/



Re: [SR-Users] dictionary attacks

2010-10-24 Thread Daniel-Constantin Mierla

probably omitted by mistake, but please keep the mailing list cc-ed.

On 10/24/10 3:38 PM, Sergey Okhapkin wrote:

Note that I check return code of www_authorize to be -1 (invalid user) and
block IP in this case only. Other error codes should not block the IP address.
This one reminded me that in 3.1 we merged the auth modules and we 
used the one coming from ser because it has better nonce protection and 
other enhancements than the kamailio version.


That means the return codes have changed, the new ones are listed now at:
http://kamailio.org/docs/modules/stable/modules_k/auth_db.html#id2753068

I also added a note in the migration wiki page:
http://www.kamailio.org/dokuwiki/doku.php/install:3.0.x-to-3.1.0#modules_k_auth_db

Cheers,
Daniel



Re: [SR-Users] dictionary attacks

2010-10-24 Thread Sergey Okhapkin
Correction - auth module is merged in 3.1, but auth_db modules are still 
separate.


Re: [SR-Users] dictionary attacks

2010-10-24 Thread Alex Balashov

On 10/24/2010 03:34 PM, Daniel-Constantin Mierla wrote:


what do you mean by outside process?

For example, with app_lua, the interpreter is linked to the code, so
is no external process, it is like cfg interpreter, just that it
resides in a module, not in core.


Oh, I did not realise it is so persistent.

I thought it worked more like Apache's mod_php, where the interpreter 
and dependencies are loaded into memory so that the entire language 
runtime does not need to be initialised each time a script is invoked, 
but the script itself is still loaded anew every time.


What you are suggesting is that the 'perl' module works more like 
mod_perl, where the user-supplied script itself is loaded into memory 
persistently?




Re: [SR-Users] dictionary attacks

2010-10-24 Thread Daniel-Constantin Mierla



On 10/24/10 10:12 PM, Sergey Okhapkin wrote:

Correction - auth module is merged in 3.1, but auth_db modules are still
separate.

yes, only auth modules were merged, like I wrote.

auth_db functions use return codes and API functions from auth module.

Cheers,
Daniel


Re: [SR-Users] dictionary attacks

2010-10-24 Thread Sergey Okhapkin
I'm working on migration of my kamailio.cfg from v1.4 to 3.1 and got stuck with 
a weird problem:

 0(25026) ERROR: auth_db [authdb_mod.c:236]: empty parameter 1 not allowed
 0(25026) ERROR: core [route.c:1161]: fixing failed (code=-1) at 
cfg:/usr/local/etc/kamailio/kamailio.cfg.31:433
 0(25026) ERROR: core [route.c:1161]: fixing failed (code=-1) at 
cfg:/usr/local/etc/kamailio/kamailio.cfg.31:438
 0(25026) ERROR: core [route.c:1161]: fixing failed (code=-1) at 
cfg:/usr/local/etc/kamailio/kamailio.cfg.31:445
 0(25026) ERROR: core [route.c:1161]: fixing failed (code=-1) at 
cfg:/usr/local/etc/kamailio/kamailio.cfg.31:445
 0(25026) ERROR: core [route.c:1161]: fixing failed (code=-1) at 
cfg:/usr/local/etc/kamailio/kamailio.cfg.31:445
 0(25026) ERROR: core [route.c:1161]: fixing failed (code=-1) at 
cfg:/usr/local/etc/kamailio/kamailio.cfg.31:451
ERROR: error -1 while trying to fix configuration

The lines complained about are calls like

proxy_authorize("", "subscriber")
proxy_challenge("", "0")

According to auth_db module documentation the realm parameter can be an 
empty string, but code in modules_k/auth_db/authdb_mod.c line 236 explicitly 
checks that parameter value must be non-empty.



Re: [SR-Users] dictionary attacks

2010-10-24 Thread Alex Balashov


I ran into this too.  The documentation is wrong;  you need to put a 
realm in there.


For www_authorize(), it's $td.  For everything else 
(proxy_challenge()), it's $fd.

