The writer of sipvicious, Sandro Gauci, who created it with good intentions as a tool for looking for SIP vulnerabilities, recommends Fail2ban as one of the primary tools against the new variants of sipvicious. Also svcrash. http://code.google.com/p/sipvicious/

-----Original Message-----
From: sipx-users-boun...@list.sipfoundry.org [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Gerardo Barajas
Sent: Saturday, February 04, 2012 8:42 PM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Sip Vicious and Remote Workers

Hi members of the list.
¿Is Fail2ban useful in this situation??

Saludos/Regards
--
Ing. Gerardo Barajas Puente
Ingeniería | www.neocenter.com
T:+52 (55) 8590-9000 x 7003

On Sat, Feb 4, 2012 at 9:33 PM, Todd Hodgen <thod...@frontier.com> wrote:
> There is a program, Tracebuster, that will show you if you are
> receiving sipvicious attacks. For $99, I believe it's a great
> investment. Simply monitor traffic from the router, it will show
> sipvicious attacks, and is also great for measuring Jitter on a network having issues.
>
> -----Original Message-----
> From: sipx-users-boun...@list.sipfoundry.org
> [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Tony
> Graziano
> Sent: Saturday, February 04, 2012 3:53 PM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Sip Vicious and Remote Workers
>
> On Sat, Feb 4, 2012 at 6:47 PM, Keith Laidlaw <laidlaw1...@rogers.com>
> wrote:
>> I have a working, stable sipX system (4.4.0 from ISO) with various
>> same-subnet phones and sipxbridge to an ITSP (Voip.ms). The entire
>> system is behind a port restricted NAT. All is well.
>>
>> Recently I tried to add remote workers to the mix, very carefully.
>> The first - and only - thing I did was port forward 5060 TCP/UDP and
>> 30000-31000 UDP. When I did this I experienced what I suspect is the
>> sipvicious problem described elsewhere in this list. Every 24 hours
>> or so, sipxproxy and sipxregistrar prevent phones from registering
>> and the only cure is to restart those two.
>>
>> My questions:
>>
>> 1) What is the best way to confirm that my problem is due to
>> sipvicious.
>>
> Look through either the registrar logs or proxy logs. If those logs
> are HUGE in size, it is likely the system was targeted. Inspecting the
> logs will tell you more.
>
>> 2) Is the detailed reason that sipvicious causes an
>> irrecoverable lockup well known?
>
> It's like any script attack in that it is overwhelming whatever
> resources your box has to offer it. It's called a DoS attack.
>>
>> 3) Does 4.6 handle this situation better and make it into a
>> (self) recoverable situation?
>>
> It has additional tools in the security aspect to help and to also be
> able to update certain firewalls, etc.
>> 4) Does 4.6 offer sipvicious protection to minimise this from
>> happening in the first place?
>>
> See answer to #3.
>> 5) In the meantime, is pfsense my best option to block
>> sipvicious (and also change me to symmetric)?
>>
> ANY firewall which will allow you to lessen your exposed footprint for
> ANY application is a good idea. pfSense will certainly do this.
>> 6) Is there an ISO for pfsense that is appropriate for sipx? Or
>> an ISO with instructions for configuring for sipx?
>>
> Yes, they have ISO's available on the pfSense site.
>>
>> Any help would be appreciated.
>>
>> Keith
>>
>> _______________________________________________
>> sipx-users mailing list
>> sipx-users@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> --
> ~~~~~~~~~~~~~~~~~~
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: tgrazi...@voice.myitdepartment.net
> Fax: 434.465.6833
> ~~~~~~~~~~~~~~~~~~
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: helpd...@voice.myitdepartment.net
>
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
>
> Linked-In Profile:
> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
> Ask about our Internet Fax services!
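
The log inspection suggested in the thread (confirming from registrar or proxy logs that a system was targeted) can be scripted; the following is an added example, not part of the original messages and not sipXecs code. The log line format, the thresholds and the sample data are constructed assumptions; "friendly-scanner" is the default User-Agent string sent by SIPVicious.

```python
import re
from collections import defaultdict

# Constructed, simplified log format (NOT the sipXecs log format); adapt LINE to your logs.
LINE = re.compile(
    r'src=(?P<src>\S+) method=(?P<method>\S+) to=sip:(?P<user>[^@\s]+)@\S+ '
    r'ua="(?P<ua>[^"]*)" status=(?P<status>\d{3})'
)
SCANNER_UA = "friendly-scanner"  # SIPVicious default User-Agent; can be changed by the sender
MAX_DISTINCT_USERS = 5           # assumed threshold: distinct extensions tried per source
MAX_FAILURES = 10                # assumed threshold: 401/403/404 answers per source

def triage(lines):
    """Return {source_ip: sorted list of reasons} for sources that look like SIP scanners."""
    users, failures, reasons = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a SIP request record
        src = m["src"]
        users[src].add(m["user"])
        # A normal phone also sees one 401 challenge per registration,
        # so failures only count once they exceed the threshold.
        if m["status"] in ("401", "403", "404"):
            failures[src] += 1
        if SCANNER_UA in m["ua"].lower():
            reasons[src].add("scanner-user-agent")
    for src in users:
        if len(users[src]) > MAX_DISTINCT_USERS:
            reasons[src].add("extension-enumeration")
        if failures[src] > MAX_FAILURES:
            reasons[src].add("auth-failures")
    return {src: sorted(r) for src, r in reasons.items()}

def sample_log():
    """Constructed sample: one scanner, one password guesser, one legitimate phone."""
    log = [f'2012-02-04T20:41:{i:02d}Z src=203.0.113.7 method=REGISTER '
           f'to=sip:{100 + i}@pbx.example.org ua="friendly-scanner" status=404'
           for i in range(12)]
    log += [f'2012-02-04T20:42:{i:02d}Z src=198.51.100.9 method=REGISTER '
            f'to=sip:200@pbx.example.org ua="custom" status=401' for i in range(11)]
    log += ['2012-02-04T20:43:00Z src=192.0.2.20 method=REGISTER '
            'to=sip:201@pbx.example.org ua="Polycom" status=401',
            '2012-02-04T20:43:01Z src=192.0.2.20 method=REGISTER '
            'to=sip:201@pbx.example.org ua="Polycom" status=200']
    return log

if __name__ == "__main__":
    for src, why in triage(sample_log()).items():
        print(src, ", ".join(why))
```

Sources flagged this way are candidates for a firewall block or a Fail2ban jail; the User-Agent match alone is weak evidence because the string is sender-controlled, which is why the per-source counts are checked as well.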