Hi Andres,
Today I had a very funny one ... an Amazon server tried to relay over my server.
LOG Data:
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
-------- Original Message --------
Hi,
The IP 184.72.211.251 has just been banned by Fail2Ban after 1 attempts against KAMAILIO.
Here are more information about 184.72.211.251:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

#
# Query terms are ambiguous. The query is assumed to be:
# "n 184.72.211.251"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showAR...
#

NetRange: 184.72.0.0 - 184.73.255.255
CIDR: 184.72.0.0/15
OriginAS:
NetName: AMAZON-EC2-7
NetHandle: NET-184-72-0-0-1
Parent: NET-184-0-0-0-0
NetType: Direct Assignment
Comment: The activity you have detected originates from a
Comment: dynamic hosting environment.
Comment: For fastest response, please submit abuse reports at
Comment: http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment: For more information regarding EC2 see:
Comment: http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify
Comment: the correct owner of the IP address at that
Comment: point in time.
RegDate: 2010-01-26
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-184-72-0-0-1

OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US
RegDate: 2005-09-29
Updated: 2009-06-02
Comment: For details of this service please see
Comment: http://ec2.amazonaws.com/
Ref: http://whois.arin.net/rest/org/AMAZO-4

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: ec2-abuse@amazon.com
OrgAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: aes-noc@amazon.com
OrgTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RNOCHandle: ANO24-ARIN
RNOCName: Amazon EC2 Network Operations
RNOCPhone: +1-206-266-4064
RNOCEmail: aes-noc@amazon.com
RNOCRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RTechHandle: ANO24-ARIN
RTechName: Amazon EC2 Network Operations
RTechPhone: +1-206-266-4064
RTechEmail: aes-noc@amazon.com
RTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RAbuseHandle: AEA8-ARIN
RAbuseName: Amazon EC2 Abuse
RAbusePhone: +1-206-266-4064
RAbuseEmail: ec2-abuse@amazon.com
RAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
Lines containing IP:184.72.211.251 in /var/log/kamailio.log
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
Regards,
Fail2Ban