A few suggestions (mostly already suggested by many guys in this thread, I am only arranging their order into a secure setup). OpenSIPS log level should be at least 2.

1. I usually filter out all known nasty users / attackers right in the sanity check section of the default request route. My sanity check section is structured something like this:
   a). check max forwards.
   b). check message size.
   c). check the user-agent string against a filter list; you can use the permissions module for this as well as hard-code user-agents as Nick suggested.

############################################
route {
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    };
    if (msg:len > max_len) {
        sl_send_reply("513", "Message Too Big");
        exit;
    };
    if ($ua =~ "friendly-scanner") {
        xlog("L_WARN", "[$pr:$fU@$si:$sp]: Rejecting '$rm' request from bogus device '$ua' \n");
        exit;
    };
    ...
#####################################

2. Then in the authentication section, I make sure to authenticate both INVITE and REGISTER requests. You check the return code for both the www_authorize and proxy_authorize methods, and if it is -1 or -2 then do an xlog to print a log line on the intruder, which is picked up by fail2ban to block the user (make sure the text pattern in your xlog matches the failregex in fail2ban!).

#####################################
    ...
    if (!www_authorize("", "subscriber")) {
        switch ($retcode) {
            case -1:
                xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', peer not found - User-Agent: '$ua' \n");
                break;
            case -2:
                xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', wrong password - User-Agent: '$ua' \n");
                break;
            ...
        };
        www_challenge("", "1");
        exit;
    };
    ...
#######################################

Thank you.
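To check the "xlog pattern must match the fail2ban failregex" point from the post above, here is an added example (my own Python, not code from this thread, from OpenSIPS or from fail2ban). It expands the `<HOST>` tag the way the filter file's comment quoted later in this thread describes, then runs a failregex over constructed opensips.log lines and counts failures per source host against `maxretry`. It assumes two log formats: the `Auth error for user@domain from IP cause -N` format produced by bakko's xlog, and the `Auth error for 'user' from 'IP', peer not found - User-Agent: ...` format produced by the xlog calls in the route above; `SHAHZAD_FAILREGEX` is my own proposed regex for that second format, and the hostnames, IPs and log lines are constructed. Real fail2ban also strips the timestamp and anchors the pattern, so this is a simplified approximation of its matching.

```python
import re
from collections import Counter
from typing import Iterable, List

# Expansion fail2ban substitutes for the <HOST> tag, taken from the filter
# file's own comment in this thread (an approximation of what newer fail2ban
# versions use, which have a tighter host pattern).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex from the /etc/fail2ban/filter.d/opensips.conf quoted in this thread.
BAKKO_FAILREGEX = r"Auth error for .* from <HOST> cause -[0-9]"

# Hypothetical failregex (my own) for the xlog format used in the route above:
# "Auth error for '<user>' from '<ip>', peer not found - User-Agent: ...".
SHAHZAD_FAILREGEX = (
    r"Auth error for '.*' from '<HOST>', (?:peer not found|wrong password)"
)


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def failing_hosts(log_lines: Iterable[str], failregex: str) -> Counter:
    """Count auth failures per source host, as fail2ban's counter would."""
    pattern = compile_failregex(failregex)
    hits: Counter = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_lines: Iterable[str], failregex: str,
                 maxretry: int = 3) -> List[str]:
    """Hosts whose failure count reached maxretry (jail.conf sets maxretry = 3)."""
    counts = failing_hosts(log_lines, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample opensips.log lines (syslog prefix + xlog text), not real
# captures; 203.0.113.7 plays the scanner, 198.51.100.2 a user with a bad password.
BAKKO_STYLE_LOG = [
    "Mar  6 19:52:41 sip opensips[1234]: Auth error for 5988@sip.example.invalid from 203.0.113.7 cause -1",
    "Mar  6 19:52:42 sip opensips[1234]: Auth error for 5989@sip.example.invalid from 203.0.113.7 cause -1",
    "Mar  6 19:52:43 sip opensips[1234]: Auth error for 5990@sip.example.invalid from 203.0.113.7 cause -1",
    "Mar  6 19:53:10 sip opensips[1234]: Auth error for alice@sip.example.invalid from 198.51.100.2 cause -2",
    "Mar  6 19:53:11 sip opensips[1234]: INFO: registered 5001@sip.example.invalid from 198.51.100.9",
]
SHAHZAD_STYLE_LOG = [
    "Mar  6 19:52:41 sip opensips[1234]: [UDP:5988@203.0.113.7:5981]: Auth error for '5988' from '203.0.113.7', peer not found - User-Agent: 'friendly-scanner' ",
    "Mar  6 19:52:42 sip opensips[1234]: [UDP:5989@203.0.113.7:5981]: Auth error for '5989' from '203.0.113.7', peer not found - User-Agent: 'friendly-scanner' ",
    "Mar  6 19:52:43 sip opensips[1234]: [UDP:5990@203.0.113.7:5981]: Auth error for '5990' from '203.0.113.7', peer not found - User-Agent: 'friendly-scanner' ",
    "Mar  6 19:53:10 sip opensips[1234]: [UDP:alice@198.51.100.2:5060]: Auth error for 'alice' from '198.51.100.2', wrong password - User-Agent: 'Zoiper' ",
]

if __name__ == "__main__":
    # bakko's regex over bakko-style lines: the scanner host is banned.
    print("bakko regex / bakko log:", hosts_to_ban(BAKKO_STYLE_LOG, BAKKO_FAILREGEX))
    # bakko's regex over the route-above format: nothing matches, nobody is banned.
    print("bakko regex / route-above log:", hosts_to_ban(SHAHZAD_STYLE_LOG, BAKKO_FAILREGEX))
    # a regex written for the route-above format: the scanner host is banned again.
    print("adapted regex / route-above log:", hosts_to_ban(SHAHZAD_STYLE_LOG, SHAHZAD_FAILREGEX))
```

The middle case is the one to watch for: a failregex copied from someone else's filter silently matches nothing when your xlog text differs, so fail2ban never bans anyone and no error is reported. Running the filter over a few real lines from your own opensips.log before enabling the jail catches that.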
On Wed, Mar 6, 2013 at 7:58 PM, leo <uzcud...@yahoo.it> wrote:
> Hello Bakko:
>
> I've configured it as you have, but I'm still not getting events in the opensips.log
> file like "Auth error for $fU@$fd from $si cause" for packets:
>
> 19:52:41.100695 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)
>     199.217.115.214.5981 > [my SIP Server].5060: [udp sum ok] SIP, length: 342
> REGISTER sip:[my SIP Server] SIP/2.0
> Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport
> Content-Length: 0
> From: "5988" <sip:5988@[my SIP Server]>
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "5988" <sip:5988@[my SIP Server]>
> Contact: sip:123@1.1.1.1
> CSeq: 1 REGISTER
> Call-ID: 1787915151
> Max-Forwards: 70
>
> I've also added Nick's suggestion:
>
> if ($ua =~ "friendly-scanner") {
>     xlog("L_ERR", "Attack attempt - Request dropped");
>     drop();
> }
>
> But I don't have those events in the opensips.log file either.
>
> Any clue?
> Thanks,
> Leo
>
> ------------------------------
> From: bakko [via OpenSIPS (Open SIP Server)]
> To: leo
> Sent: Wednesday, 6 March 2013 11:49
> Subject: Re: How to protect OpenSIPS from undesidered requests (DoS attack?)
>
> Hello,
>
> I'm using this configuration:
>
> if (is_method("REGISTER")) {
>     $var(auth_code) = www_authorize("", "subscriber");
>     if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
>         xlog("L_NOTICE", "Auth error for $fU@$fd from $si cause $var(auth_code)");
>     }
>     if ( $var(auth_code) < 0 ) {
>         www_challenge("", "0");
>         exit;
>     }
>     save("location");
>     exit;
> }
>
> on
>
> /etc/fail2ban/filter.d/opensips.conf
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
>
> [Definition]
>
> #_daemon = opensips
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
>
> failregex = Auth error for .* from <HOST> cause -[0-9]
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
> and on /etc/fail2ban/jail.conf
>
> [opensips]
> enabled  = true
> filter   = opensips
> action   = iptables-allports[name=opensips, protocol=all]
>            sendmail-whois[name=opensips, dest=[hidden email], sender=[hidden email]]
> logpath  = /var/log/opensips.log
> maxretry = 3
> bantime  = 7200
>
>
> Regards
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

-- 
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_78...@hotmail.com
Email: shaherya...@googlemail.com
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users