On 3/26/14, 2:40 PM, Rainer Piper wrote:
Hi Andres,

today I had a very funny one ... an amazon server tried to relay over my server.

I see that.  It's cheap and easy to use an Amazon server for this purpose.  Plus you can change its public IP by shutting down and starting the instance again.

LOG Data:
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood



-------- Original-Nachricht --------

Hi,

The IP 184.72.211.251 has just been banned by Fail2Ban after
1 attempts against KAMAILIO.


Here are more information about 184.72.211.251:


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 184.72.211.251"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       184.72.0.0 - 184.73.255.255
CIDR:           184.72.0.0/15
OriginAS:
NetName:        AMAZON-EC2-7
NetHandle:      NET-184-72-0-0-1
Parent:         NET-184-0-0-0-0
NetType:        Direct Assignment
Comment:        The activity you have detected originates from a
Comment:        dynamic hosting environment.
Comment:        For fastest response, please submit abuse reports at
Comment:        http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment:        For more information regarding EC2 see:
Comment:        http://ec2.amazonaws.com/
Comment:        All reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email)
Comment:        Without these we will be unable to identify
Comment:        the correct owner of the IP address at that
Comment:        point in time.
RegDate:        2010-01-26
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-184-72-0-0-1


OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2005-09-29
Updated:        2009-06-02
Comment:        For details of this service please see
Comment:        http://ec2.amazonaws.com/
Ref:            http://whois.arin.net/rest/org/AMAZO-4

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064
OrgAbuseEmail:  ec2-abuse@amazon.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/AEA8-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064
OrgTechEmail:  aes-noc@amazon.com
OrgTechRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

RNOCHandle: ANO24-ARIN
RNOCName:   Amazon EC2 Network Operations
RNOCPhone:  +1-206-266-4064
RNOCEmail:  aes-noc@amazon.com
RNOCRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

RTechHandle: ANO24-ARIN
RTechName:   Amazon EC2 Network Operations
RTechPhone:  +1-206-266-4064
RTechEmail:  aes-noc@amazon.com
RTechRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

RAbuseHandle: AEA8-ARIN
RAbuseName:   Amazon EC2 Abuse
RAbusePhone:  +1-206-266-4064
RAbuseEmail:  ec2-abuse@amazon.com
RAbuseRef:    http://whois.arin.net/rest/poc/AEA8-ARIN




Lines containing IP:184.72.211.251 in /var/log/kamailio.log

Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood


Regards,

Fail2Ban


--
Rainer Piper
NOC - +49 (0)228 97167161 - sip.soho-piper.de
NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293


_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users


-- 
Technical Support
http://www.cellroute.net
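
Added example, not part of the original thread: a Python sketch that turns pike block lines in the log format shown above into the per-source records an EC2 abuse report asks for (src IP, dest IP, dest port, timestamp with timezone, short log extract). The sample lines are constructed with documentation-range IPs, and the year, timezone, destination IP and destination port are assumptions passed in by the caller, because syslog lines of this format carry none of them.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the log format quoted in the thread (documentation IPs).
SAMPLE_LOG = """\
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 203.0.113.7, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@203.0.113.7 (IP:203.0.113.7:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 203.0.113.7 antiflood
Mar 26 06:21:02 lb2 /usr/sbin/kamailio[16409]: INFO: <script>: REGISTER from sip:alice@198.51.100.20 (IP:198.51.100.20:5060)
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S*kamailio\[\d+\]: (.*)$")
PIKE = re.compile(r"PIKE - BLOCKing ip (\d+\.\d+\.\d+\.\d+)")
DETAIL = re.compile(r"pike blocking (\w+) from (\S+) \(IP:(\d+\.\d+\.\d+\.\d+):(\d+)\)")


def abuse_reports(log_text, year, tz, dest_ip, dest_port):
    """Group pike block events by source IP into abuse-report records."""
    reports = {}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a Kamailio syslog line
        stamp, msg = m.groups()
        blocked, detail = PIKE.search(msg), DETAIL.search(msg)
        if not (blocked or detail):
            continue  # unrelated Kamailio message
        src = blocked.group(1) if blocked else detail.group(3)
        # Syslog omits year and timezone; both must be supplied for a usable report.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        rec = reports.setdefault(src, {
            "src_ip": src, "dest_ip": dest_ip, "dest_port": dest_port,
            "first_seen": when.isoformat(), "blocks": 0, "requests": [], "extract": [],
        })
        if blocked:
            rec["blocks"] += 1
        if detail:  # SIP method, From URI and source port logged by the routing script
            rec["requests"].append((detail.group(1), detail.group(2), int(detail.group(4))))
        rec["extract"].append(line)
    return reports


if __name__ == "__main__":
    # 192.0.2.10:5060 and UTC are placeholder assumptions for the local server.
    for rec in abuse_reports(SAMPLE_LOG, 2014, timezone.utc, "192.0.2.10", 5060).values():
        print(rec["src_ip"], rec["first_seen"], rec["blocks"], rec["requests"])
```
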