Hi,
you can check the User-Agent reference $ua; if it is equal to
"friendly-scanner", just send back a reply with sl_send_reply("200",
"OK").
Daniel
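
The check described above, combined with the suggestion quoted below to drop these requests once the flood stops, as an added example that is not part of the original messages. It assumes the sl and xlog modules are loadable; the `SCANNER_REPLY_200` define is a hypothetical name introduced here.

```kamailio
# Added example, not from the thread. Assumes sl.so and xlog.so are
# available in the configured module path.
loadmodule "sl.so"
loadmodule "xlog.so"

# Phase switch (hypothetical name): keep this line while the flood is
# ongoing so the scanner gets a 200 OK; remove it afterwards so its
# requests are discarded without any reply.
#!define SCANNER_REPLY_200

request_route {
    # $ua holds the User-Agent header. =~ is a regex match, so it also
    # catches values that merely contain "friendly-scanner".
    if ($ua =~ "friendly-scanner") {
        # Record method, source IP and port through Kamailio's own logging.
        xlog("L_NOTICE", "scanner request: $rm from $si:$sp ua=$ua\n");
#!ifdef SCANNER_REPLY_200
        sl_send_reply("200", "OK");
#!endif
        # Stop processing here; if no reply was sent above, the request
        # is silently dropped.
        exit;
    }

    # ... rest of the normal routing logic ...
}
```
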
On 11/26/2013 10:53 PM, Joli Martinez wrote:
How can I do this? Is there an article I can
reference or something?
I am new to kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
> Google around for "friendly-scanner" to learn more about it.
> In the meantime, allow the packets to be handled by kamailio and send
> a 200ok back - maybe this will stop the attack.
> After the attack is stopped, simply drop all "friendly-scanner" SIP
> requests :)
>
> Regards,
> Ovidiu Sas
>
> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
>> It is coming from "friendly-scanner". The other issue I have is
>> that "/var/log/secure" is not getting the SIP requests, so the only
>> way I realize it is happening is from tcpdump. If the secure file
>> is not picking it up then iptables won't know about it. How can I
>> tell iptables to listen for SIP requests? I have already added the
>> IP to the blocked IPs but he still keeps on coming.
>>
>> Thanks,
>>
>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
>>
>>> Most likely it's a bogus script.
>>> Sometimes just sending a dummy reply will stop the script sending
>>> SIP requests.
>>> Check the User-Agent header and from username to see if you can
>>> identify the script and google around for it.
>>>
>>> Regards,
>>> Ovidiu Sas
>>>
>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez
>>> <mrjoli021(a)gmail.com> wrote:
>>>> I am running Kamailio in CentOS. I ran tcpdump and noticed that
>>>> we are getting attacked from IP 188.138.32.72. I have already
>>>> blocked it on IPtables, but he keeps on attacking the server. If
>>>> I look at "/var/log/secure" there are no SIP messages. My
>>>> question is where is the log file for Kamailio and how can I
>>>> prevent this type of attack in the future.
>>>>
>>>> Thanks,
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users(a)lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>>
>>> --
>>> VoIP Embedded, Inc.
>>> http://www.voipembedded.com
>
>
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com