Never give any SIP response to a malicious SIP request; ignore it completely. Usually such malicious attacks are done through bots (with an identifiable User-Agent header), which send a basic, harmless SIP request such as SIP OPTIONS and see if they get a response; if they do, they proceed with sending SIP REGISTER or INVITE and start the actual brute-force attack to crack the server. If, on the other hand, you completely ignore them and do not respond to them, they ignore you too and move on to the next target server.
if ($ua=="friendly-scanner") { exit; }
Thank you.
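A fuller kamailio.cfg fragment that does what the thread converges on (no reply at all to scanner traffic, and a syslog line per hit so fail2ban or iptables can act on the source IP). This is an added example, not configuration posted by anyone in the thread; the extra User-Agent strings, the pike thresholds and the log prefixes are assumptions to tune for your own site.

```cfg
#!KAMAILIO
# Added example, not from the thread. Silent-drop handling of SIP scanners
# plus per-IP flood detection, with syslog output for fail2ban.

# Send xlog() output to syslog; LOG_LOCAL0 is an assumption, pick the
# facility your syslog/fail2ban setup reads from.
log_facility=LOG_LOCAL0
debug=2
log_stderror=no

loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "pike.so"

# pike: mark a source IP that sends more than reqs_density_per_unit
# requests per sampling_time_unit seconds. Values are assumptions.
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

####### Routing Logic ########
route {
    # 1. Known scanner User-Agents: log the hit and leave the script with
    #    exit. Since no reply was generated, Kamailio sends nothing back,
    #    which is the "ignore it completely" behaviour recommended above.
    #    The pattern list beyond "friendly-scanner" is an assumption.
    if ($ua =~ "friendly-scanner|sipcli|sipvicious|VaxSIPUserAgent") {
        xlog("L_WARN", "SIPSCAN ua=$ua src=$si:$sp method=$rm from=$fU ruri=$ru\n");
        exit;
    }

    # 2. A scanner can put anything in User-Agent, so also drop whatever
    #    floods from one IP regardless of what it claims to be.
    if (!pike_check_req()) {
        xlog("L_ALERT", "SIPFLOOD src=$si:$sp method=$rm\n");
        exit;
    }

    # The alternative suggested earlier in the thread, kept only for
    # comparison: a 200 OK confirms to the scanner that the host is alive.
    # if ($ua == "friendly-scanner") { sl_send_reply("200", "OK"); exit; }

    # ... normal routing logic continues here ...
}
```

Because the SIPSCAN/SIPFLOOD lines go to syslog rather than /var/log/secure, point a fail2ban jail at that log file with a filter that extracts the `src=<HOST>:` field; fail2ban then adds the iptables rule for you, which answers the "how can I tell iptables to listen for sip requests" question. Blocking by IP in iptables alone is weak against scanners that rotate addresses; if you want a kernel-level drop independent of Kamailio, iptables' string match (`-m string --string "friendly-scanner" --algo bm`) on UDP/TCP port 5060 will discard those packets before Kamailio ever parses them.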
On Wed, Nov 27, 2013 at 9:31 AM, Daniel Grotti dgrotti@sipwise.com wrote:
Do you have some example of malicious messages?
D.
On 11/27/2013 12:00 AM, Joli Martinez wrote:
I have placed the code below right underneath the route portion in the kamailio.cfg file, restarted kamailio, and I am still being attacked.
####### Routing Logic ########
# main request routing logic
route{
if ($ua=="friendly-scanner") { sl_send_reply("200","OK"); exit; }
On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti@sipwise.com> wrote:
Hi, you can check the User-Agent reference $ua; if it is equal to "friendly-scanner", just send back a reply with sl_send_reply("200", "OK")
Daniel
On 11/26/2013 10:53 PM, Joli Martinez wrote:
How can I do this? Is there an article I can reference or something? I am new to kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas@voipembedded.com> wrote:
Google around for "friendly-scanner" to learn more about it. In the meantime, allow the packets to be handled by kamailio and send a 200 OK back - maybe this will stop the attack. After the attack is stopped, simply drop all "friendly-scanner" SIP requests :)
Regards, Ovidiu Sas
On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021@gmail.com> wrote:
It is coming from "friendly-scanner". The other issue I have is that "/var/log/secure" is not getting the SIP requests, so the only way I realize it is happening is from tcpdump. If the secure file is not picking it up then iptables won't know about it. How can I tell iptables to listen for SIP requests? I have already added the IP to the blocked IPs but he still keeps on coming.
Thanks,
On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas@voipembedded.com> wrote:
> Most likely it's a bogus script.
> Sometimes just sending a dummy reply will stop the script sending
> SIP requests.
> Check the User-Agent header and from username to see if you can
> identify the script and google around for it.
>
> Regards,
> Ovidiu Sas
>
> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021@gmail.com> wrote:
>> I am running Kamailio in CentOS. I ran tcpdump and noticed that
>> we are getting attacked from IP 188.138.32.72. I have already
>> blocked it on iptables, but he keeps on attacking the server. If
>> I look at "/var/log/secure" there are no SIP messages. My
>> question is where is the log file for Kamailio and how can I
>> prevent this type of attack in the future.
>>
>> Thanks,
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users@lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com
-- VoIP Embedded, Inc. http://www.voipembedded.com