[SR-Users] dictionary attacks

Sergey Okhapkin sos at sokhapkin.dyndns.org
Sun Oct 24 15:06:03 CEST 2010


I second fail2ban. I block IP addresses with failed registration 
attempts for 1 hour. Here is my setup:

kamailio.cfg:

if (is_method("REGISTER")) {
    if (www_authorize("", "subscriber") < 0) {
        # $rc holds the www_authorize() return code; -1 is an unknown username
        if ($rc == -1) {
            # log transport and source address in the form the fail2ban
            # failregex below expects, then answer 200 OK instead of a challenge
            xlog("L_INFO", "Invalid username from $proto:$si:$sp\n");
            sl_send_reply("200", "OK");
        } else {
            # any other outcome (no credentials yet, wrong password): send the
            # digest challenge
            www_challenge("", "0");
        }
        exit;
    }
....

/etc/fail2ban/filter.d/openser.conf:

[Definition]
#_daemon = kamailio
# matches the xlog() line above; the three dots match the transport
# ($proto: udp, tcp or tls) and <HOST> captures the source address
failregex = Invalid username from ...:<HOST>:

/etc/fail2ban/jail.conf:

# window (seconds) in which maxretry matches trigger a ban
findtime  = 600

[openser-iptables]
enabled  = true
filter   = openser
action   = iptables-allports[name=OPENSER, protocol=all]
# Replace with your sr log location
logpath  = /var/log/openser/openser
maxretry = 10
# seconds the address stays blocked
bantime = 3600


On Sunday 24 October 2010, Uriel Rozenbaum wrote:
> Juha,
> 
> I think we should be specially careful about black-lists. We receive
> many of these attacks on a per-day basis and a lot of them are from
> residential addresses or universities, so I'm guessing some kind of worm
> or trojan is performing the attack from various IPs.
> 
> If you have the time, try the fail2ban daemon. It can relate some
> brute-force events and act accordingly blocking an IP on iptables,
> executing a script. You send to "jail" those addresses for a period of
> time, then you can get them out again; and of course you can manually
> revert.
> 
> Last, as a description of the attacks I saw, first it runs an NMAP-like
> scan checking which IPs answer from 5060, then it starts sending
> registers (usually asterisk answers 404 if the user does not exist),
> then when the proxy challenges, it interprets the user is found and
> starts making dictionary attacks on the password (1234, admin, and so
> on). Keep safe, complicated passwords, make kamailio challenge
> everything and you'll be safe. And again, fail2ban is a pretty good
> solution for brute force.
> 
> This might help you finding a solution for your attacks.
> 
> Cheers,
> Uriel
> 
> On Sun, Oct 24, 2010 at 8:54 AM, Juha Heinanen <jh at tutpro.com> wrote:
> > while doing some tests, i noticed that one of my proxies started to
> > receive lots of register requests with different user names starting
> > from a letter.  there were also invite attempts in the logs.  they came
> > from ip 202.82.16.99 which according to traceroute is somewhere in
> > china.
> >
> > should we start publishing a black list of these attack ip addresses?
> >
> > -- juha
> >
> > _______________________________________________
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> > sr-users at lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> 
> 
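To see what the jail in Sergey's setup actually does with the xlog() output, here is the fail2ban filter/jail logic modelled in Python as an added example (not code from the thread, from Kamailio, or from fail2ban itself). It expands the `<HOST>` placeholder the way fail2ban does (simplified to IPv4 addresses and hostnames), runs the posted failregex over constructed syslog-style lines in the shape the xlog() call above produces (the hostname "sip1", the pid, the TEST-NET addresses and the year 2010 are assumptions), and applies findtime/maxretry/bantime per source address so you can see which source gets banned, when, and when the ban lapses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as in the posted /etc/fail2ban/filter.d/openser.conf
FAILREGEX = r"Invalid username from ...:<HOST>:"

# Syslog framing around the xlog() text; hostname "sip1" and the pid are invented.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ (?P<msg>.*)$")

def compile_failregex(failregex):
    """Expand fail2ban's <HOST> placeholder into a named group (simplified, no IPv6 prefix)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[\w\-.]+)"))

def parse_line(line, pattern, year=2010):
    """Return (timestamp, host) when a log line matches the failregex, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hit = pattern.search(m.group("msg"))
    if not hit:
        return None
    ts = datetime.strptime(f"{m.group('ts')} {year}", "%b %d %H:%M:%S %Y")
    return ts, hit.group("host")

class Jail:
    """Per-host failure counting with fail2ban's findtime/maxretry/bantime semantics."""

    def __init__(self, findtime, maxretry, bantime):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # host -> timestamps inside the current window
        self.bans = {}                      # host -> time the ban expires

    def is_banned(self, host, now):
        until = self.bans.get(host)
        return until is not None and now < until

    def record_failure(self, host, ts):
        """Count a failure; return True if it pushes the host to maxretry within findtime."""
        if self.is_banned(host, ts):
            return False  # already blocked at iptables; fail2ban would not see this line
        window = self.failures[host]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[host] = ts + self.bantime
            window.clear()
            return True
        return False

def run_jail(log_text, failregex=FAILREGEX, findtime=600, maxretry=10, bantime=3600):
    """Feed every matching line to the jail; return it plus {host: time of ban}."""
    jail = Jail(findtime, maxretry, bantime)
    pattern = compile_failregex(failregex)
    banned_at = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, pattern)
        if parsed is None:
            continue
        ts, host = parsed
        if jail.record_failure(host, ts):
            banned_at[host] = ts
    return jail, banned_at

def _line(hms, proto, ip):
    return f"Oct 24 {hms} sip1 kamailio[2217]: INFO: <script>: Invalid username from {proto}:{ip}:5060"

# Constructed sample log (TEST-NET addresses), sorted into time order as syslog would write it.
SAMPLE_LOG = "\n".join(sorted(
    # 203.0.113.7: ten unknown-user REGISTERs in 45 s -> maxretry reached inside findtime
    [_line(f"15:00:{s:02d}", "udp", "203.0.113.7") for s in range(0, 50, 5)]
    # 203.0.113.8: ten failures two minutes apart -> never ten inside one 600 s window
    + [_line(f"15:{m:02d}:00", "udp", "203.0.113.8") for m in range(0, 20, 2)]
    # 198.51.100.9: a real user mistyping their name three times -> below maxretry
    + [_line(f"15:01:{s:02d}", "tcp", "198.51.100.9") for s in (3, 17, 40)]
    # unrelated INFO line (invented text) that the failregex must ignore
    + ["Oct 24 15:00:30 sip1 kamailio[2217]: INFO: <script>: REGISTER ok from udp:198.51.100.10:5060"]
))

def demo():
    """Run the sample log through the jail and summarize the outcome with plain values."""
    jail, banned_at = run_jail(SAMPLE_LOG)
    during = datetime(2010, 10, 24, 15, 30, 0)  # inside the one-hour ban
    after = datetime(2010, 10, 24, 16, 1, 0)    # bantime (3600 s) has elapsed
    return {
        "banned_hosts": sorted(banned_at),
        "ban_time": {h: t.strftime("%H:%M:%S") for h, t in banned_at.items()},
        "unban_time": {h: t.strftime("%H:%M:%S") for h, t in jail.bans.items()},
        "still_banned_15:30": jail.is_banned("203.0.113.7", during),
        "still_banned_16:01": jail.is_banned("203.0.113.7", after),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only 203.0.113.7 ends up banned (at its tenth failure, 15:00:45, until 16:00:45); the host spreading the same ten failures over 18 minutes never has ten inside one 600 s window, and the user who mistyped three times stays well under maxretry. One caveat the model makes visible: the three dots in the posted failregex match exactly three characters, so `udp`, `tcp` and `tls` sources are caught but a line logged with `sctp:` would not be, and would never count toward a ban.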



