[SR-Users] Log files

Joli Martinez mrjoli021 at gmail.com
Wed Nov 27 00:00:18 CET 2013 

I have placed the code below right underneath the route portion in the kamailio.cfg file restarted kamailio and I am still being attacked.

####### Routing Logic ########


# main request routing logic

route{

        if ($ua=="friendly-scanner") {
                sl_send_reply("200","OK"); 
                exit;
        }

On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti at sipwise.com> wrote:

> Hi,
> you can check the User-Agent reference $ua, if it is equal to
> "friendly-scanner", just send back a reply with sl_send_reply("200", "OK")
> 
> Daniel
> 
> 
> 
> On 11/26/2013 10:53 PM, Joli Martinez wrote:
>> How can I do this?  Is there an article I can reference or something?  I am new to kamailio and not sure how to do this.
>> 
>> Thanks,
>> 
>> On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas at voipembedded.com> wrote:
>> 
>>> Google around for "friendly-scanner" to learn more about it.
>>> In the mean time, allow the packets to be handled by kamailio and send
>>> a 200ok back - maybe this will stop the attack.
>>> After the attack is stopped, simply drop all "friendly-scanner" SIP requests :)
>>> 
>>> Regards,
>>> Ovidiu Sas
>>> 
>>> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021 at gmail.com> wrote:
>>>> it is comming from "friendly-scanner" The other issue I have is that "/var/log/secure" is not getting the sip requests so the only way I realize it is happeing is from tcpdump.  If the secure file is not picking it up then iptables wont know about it.  How can I tell iptables to listen for sip requests?  I have already added the IP to the blocked IP's but he still keeps on comming.
>>>> 
>>>> Thanks,
>>>> 
>>>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas at voipembedded.com> wrote:
>>>> 
>>>>> Most likely it's a bogus script.
>>>>> Sometimes just sending a dummy reply, will stop the script sending SIP requests.
>>>>> Check the User-Agent header and from username to see if you can
>>>>> identify the script and google around for it.
>>>>> 
>>>>> Regards,
>>>>> Ovidiu Sas
>>>>> 
>>>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021 at gmail.com> wrote:
>>>>>> I am running Kamailio in CentOS.  I ran tcpdump and noticed that we are getting attacked from IP 188.138.32.72.  I have already blocked it on IPtables, but he keeps on attacking the server.  If I look at "/var/log/secure" there are no SIP messages.  My question is where is the log file for Kamailio and how can I prevent this type of attacks in the future.
>>>>>> 
>>>>>> Thanks,
>>>>>> _______________________________________________
>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>>> sr-users at lists.sip-router.org
>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> VoIP Embedded, Inc.
>>>>> http://www.voipembedded.com
>>>>> 
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>> sr-users at lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>> 
>>>> 
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users at lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>> 
>>> 
>>> 
>>> -- 
>>> VoIP Embedded, Inc.
>>> http://www.voipembedded.com
>>> 
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users at lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>> 
>> 
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>> 
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20131126/c3ef0a48/attachment-0001.html>

More information about the sr-users mailing list