Hi Andres,

Today I had a very funny one ... an Amazon server tried to relay over my server.


LOG Data:
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood



-------- Original Message --------

Hi,

The IP 184.72.211.251 has just been banned by Fail2Ban after
1 attempts against KAMAILIO.


Here are more information about 184.72.211.251:


NetRange:       184.72.0.0 - 184.73.255.255
CIDR:           184.72.0.0/15
OriginAS:
NetName:        AMAZON-EC2-7
NetHandle:      NET-184-72-0-0-1
Parent:         NET-184-0-0-0-0
NetType:        Direct Assignment
Comment:        The activity you have detected originates from a
Comment:        dynamic hosting environment.
Comment:        For fastest response, please submit abuse reports at
Comment:        http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment:        For more information regarding EC2 see:
Comment:        http://ec2.amazonaws.com/
Comment:        All reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email)
Comment:        Without these we will be unable to identify
Comment:        the correct owner of the IP address at that
Comment:        point in time.
RegDate:        2010-01-26
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-184-72-0-0-1


OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2005-09-29
Updated:        2009-06-02
Comment:        For details of this service please see
Comment:        http://ec2.amazonaws.com/
Ref:            http://whois.arin.net/rest/org/AMAZO-4

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064
OrgAbuseEmail:  ec2-abuse@amazon.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/AEA8-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-4064
OrgTechEmail:  aes-noc@amazon.com
OrgTechRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

RNOCHandle: ANO24-ARIN
RNOCName:   Amazon EC2 Network Operations
RNOCPhone:  +1-206-266-4064
RNOCEmail:  aes-noc@amazon.com
RNOCRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

RTechHandle: ANO24-ARIN
RTechName:   Amazon EC2 Network Operations
RTechPhone:  +1-206-266-4064
RTechEmail:  aes-noc@amazon.com
RTechRef:    http://whois.arin.net/rest/poc/ANO24-ARIN

RAbuseHandle: AEA8-ARIN
RAbuseName:   Amazon EC2 Abuse
RAbusePhone:  +1-206-266-4064
RAbuseEmail:  ec2-abuse@amazon.com
RAbuseRef:    http://whois.arin.net/rest/poc/AEA8-ARIN


Lines containing IP:184.72.211.251 in /var/log/kamailio.log

Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood


Regards,

Fail2Ban


--
Rainer Piper
NOC - +49 (0)228 97167161 - sip.soho-piper.de
NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293