Hi Andres,
today I had a very funny one ... an amazon server tried to relay over
my server.
I see that. It's cheap and easy to use an Amazon server for this
purpose. Plus you can change its public IP by shutting down and
starting the instance again.
LOG Data:
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
-------- Original Message --------
Hi,
The IP 184.72.211.251 has just been banned by Fail2Ban after
1 attempts against KAMAILIO.
Here are more information about 184.72.211.251:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 184.72.211.251"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showA…
#
NetRange: 184.72.0.0 - 184.73.255.255
CIDR: 184.72.0.0/15
OriginAS:
NetName: AMAZON-EC2-7
NetHandle: NET-184-72-0-0-1
Parent: NET-184-0-0-0-0
NetType: Direct Assignment
Comment: The activity you have detected originates from a
Comment: dynamic hosting environment.
Comment: For fastest response, please submit abuse reports at
Comment: http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment: For more information regarding EC2 see:
Comment: http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify
Comment: the correct owner of the IP address at that
Comment: point in time.
RegDate: 2010-01-26
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-184-72-0-0-1
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US
RegDate: 2005-09-29
Updated: 2009-06-02
Comment: For details of this service please see
Comment: http://ec2.amazonaws.com/
Ref: http://whois.arin.net/rest/org/AMAZO-4
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: ec2-abuse(a)amazon.com
OrgAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: aes-noc(a)amazon.com
OrgTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN
RNOCHandle: ANO24-ARIN
RNOCName: Amazon EC2 Network Operations
RNOCPhone: +1-206-266-4064
RNOCEmail: aes-noc(a)amazon.com
RNOCRef: http://whois.arin.net/rest/poc/ANO24-ARIN
RTechHandle: ANO24-ARIN
RTechName: Amazon EC2 Network Operations
RTechPhone: +1-206-266-4064
RTechEmail: aes-noc(a)amazon.com
RTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN
RAbuseHandle: AEA8-ARIN
RAbuseName: Amazon EC2 Abuse
RAbusePhone: +1-206-266-4064
RAbuseEmail: ec2-abuse(a)amazon.com
RAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
Lines containing IP:184.72.211.251 in /var/log/kamailio.log
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
Regards,
Fail2Ban
--
*Rainer Piper*
NOC - +49 (0)228 97167161 - sip.soho-piper.de
NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
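
An added example, not part of the original post and not Kamailio or Fail2Ban code: one way to turn the pike log lines above into the fields the WHOIS comment says an EC2 abuse report must include. The script-written message format is assumed to match the poster's log; the destination IP, port, timezone and contact are constructed placeholders, because classic syslog lines carry none of them.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines from the post, one line each.
SAMPLE_LOG = """\
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
"""

# Classic syslog prefix: no year and no timezone.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
# Emitted by the pike module itself.
PIKE = re.compile(TS + r".*PIKE - BLOCKing ip (?P<ip>[0-9A-Fa-f:.]+),")
# Written by the poster's routing script; wording is config-specific (assumption).
SCRIPT = re.compile(TS + r".*pike blocking (?P<method>[A-Z]+) from \S+ "
                    r"\(IP:(?P<ip>[0-9A-Fa-f:.]+):(?P<port>\d+)\)")

def summarize(log_text):
    """Group pike block events by source IP."""
    events = defaultdict(lambda: {"first": None, "last": None, "blocks": 0,
                                  "methods": set(), "src_ports": set()})
    for line in log_text.splitlines():
        if m := PIKE.search(line):
            ev = events[m["ip"]]
            ev["blocks"] += 1
            ev["first"] = ev["first"] or m["ts"]
            ev["last"] = m["ts"]
        elif m := SCRIPT.search(line):
            ev = events[m["ip"]]
            ev["methods"].add(m["method"])
            ev["src_ports"].add(int(m["port"]))
    return dict(events)

def abuse_report(src_ip, ev, log_text, dest_ip, dest_port, tz, contact):
    """Fill the required fields; the extract matches src_ip exactly, not as a prefix."""
    own = re.compile(r"(?<![\d.])" + re.escape(src_ip) + r"(?!\d)")
    extract = [line for line in log_text.splitlines() if own.search(line)]
    return "\n".join([
        f"src IP: {src_ip} (src ports seen: {sorted(ev['src_ports'])})",
        f"dest IP: {dest_ip}, dest port: {dest_port}",
        f"time: {ev['first']} to {ev['last']} {tz}",
        f"intensity: {ev['blocks']} pike block(s), methods {sorted(ev['methods'])}",
        f"contact: {contact}",
        "log extract:", *extract])

if __name__ == "__main__":
    for ip, ev in summarize(SAMPLE_LOG).items():
        print(abuse_report(ip, ev, SAMPLE_LOG, "192.0.2.10", 5060, "UTC", "noc@example.org"))
```

The timezone has to come from the logging host's configuration, since the syslog timestamp alone does not identify the moment the address was in use.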