[SR-Users] Log files
Joli Martinez
mrjoli021 at gmail.com
Wed Nov 27 00:00:18 CET 2013
I have placed the code below right underneath the route portion in the kamailio.cfg file restarted kamailio and I am still being attacked.
####### Routing Logic ########
# main request routing logic
route{
if ($ua=="friendly-scanner") {
sl_send_reply("200","OK");
exit;
}
On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti at sipwise.com> wrote:
> Hi,
> you can check the User-Agent reference $ua, if it is equal to
> "friendly-scanner", just send back a reply with sl_send_reply("200", "OK")
>
> Daniel
>
>
>
> On 11/26/2013 10:53 PM, Joli Martinez wrote:
>> How can I do this? Is there an article I can reference or something? I am new to kamailio and not sure how to do this.
>>
>> Thanks,
>>
>> On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas at voipembedded.com> wrote:
>>
>>> Google around for "friendly-scanner" to learn more about it.
>>> In the mean time, allow the packets to be handled by kamailio and send
>>> a 200ok back - maybe this will stop the attack.
>>> After the attack is stopped, simply drop all "friendly-scanner" SIP requests :)
>>>
>>> Regards,
>>> Ovidiu Sas
>>>
>>> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021 at gmail.com> wrote:
>>>> it is comming from "friendly-scanner" The other issue I have is that "/var/log/secure" is not getting the sip requests so the only way I realize it is happeing is from tcpdump. If the secure file is not picking it up then iptables wont know about it. How can I tell iptables to listen for sip requests? I have already added the IP to the blocked IP's but he still keeps on comming.
>>>>
>>>> Thanks,
>>>>
>>>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas at voipembedded.com> wrote:
>>>>
>>>>> Most likely it's a bogus script.
>>>>> Sometimes just sending a dummy reply, will stop the script sending SIP requests.
>>>>> Check the User-Agent header and from username to see if you can
>>>>> identify the script and google around for it.
>>>>>
>>>>> Regards,
>>>>> Ovidiu Sas
>>>>>
>>>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021 at gmail.com> wrote:
>>>>>> I am running Kamailio in CentOS. I ran tcpdump and noticed that we are getting attacked from IP 188.138.32.72. I have already blocked it on IPtables, but he keeps on attacking the server. If I look at "/var/log/secure" there are no SIP messages. My question is where is the log file for Kamailio and how can I prevent this type of attacks in the future.
>>>>>>
>>>>>> Thanks,
>>>>>> _______________________________________________
>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>>> sr-users at lists.sip-router.org
>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> VoIP Embedded, Inc.
>>>>> http://www.voipembedded.com
>>>>>
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>>> sr-users at lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users at lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>>
>>> --
>>> VoIP Embedded, Inc.
>>> http://www.voipembedded.com
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> sr-users at lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20131126/c3ef0a48/attachment-0001.html>
More information about the sr-users
mailing list