[SR-Users] Log files

Muhammad Shahzad shaheryarkh at gmail.com
Wed Nov 27 09:47:46 CET 2013


Never give any SIP response to a malicious SIP request; ignore it
completely. Usually such malicious attacks are done through bots (with an
identifiable User-Agent header), which send a basic, harmless SIP request
such as SIP OPTIONS and see if they get a response; if they do, they
proceed with sending SIP REGISTER or INVITE and start the actual brute-force
attack to crack the server. If, on the other hand, you completely ignore
them and do not respond to them, then they ignore you too and move on to the
next target server.

if ($ua=="friendly-scanner") {
    exit;
}

Thank you.




On Wed, Nov 27, 2013 at 9:31 AM, Daniel Grotti <dgrotti at sipwise.com> wrote:

> Do you have some example about malicious messages ?
>
> D.
>
> On 11/27/2013 12:00 AM, Joli Martinez wrote:
> > I have placed the code below right underneath the route portion in the
> > kamailio.cfg file, restarted kamailio, and I am still being attacked.
> >
> > ####### Routing Logic ########
> >
> >
> > # main request routing logic
> >
> > route{
> >
> >         if ($ua=="friendly-scanner") {
> >                 sl_send_reply("200","OK");
> >                 exit;
> >         }
> >
> > On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti at sipwise.com
> > <mailto:dgrotti at sipwise.com>> wrote:
> >
> >> Hi,
> >> you can check the User-Agent reference $ua; if it is equal to
> >> "friendly-scanner", just send back a reply with sl_send_reply("200", "OK")
> >>
> >> Daniel
> >>
> >>
> >>
> >> On 11/26/2013 10:53 PM, Joli Martinez wrote:
> >>> How can I do this?  Is there an article I can reference or something?
> >>>  I am new to kamailio and not sure how to do this.
> >>>
> >>> Thanks,
> >>>
> >>> On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas at voipembedded.com
> >>> <mailto:osas at voipembedded.com>> wrote:
> >>>
> >>>> Google around for "friendly-scanner" to learn more about it.
> >>>> In the meantime, allow the packets to be handled by kamailio and send
> >>>> a 200 OK back - maybe this will stop the attack.
> >>>> After the attack is stopped, simply drop all "friendly-scanner" SIP
> >>>> requests :)
> >>>>
> >>>> Regards,
> >>>> Ovidiu Sas
> >>>>
> >>>> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021 at gmail.com
> >>>> <mailto:mrjoli021 at gmail.com>> wrote:
> >>>>> It is coming from "friendly-scanner". The other issue I have is
> >>>>> that "/var/log/secure" is not getting the SIP requests, so the only
> >>>>> way I realize it is happening is from tcpdump.  If the secure file
> >>>>> is not picking it up, then iptables won't know about it.  How can I
> >>>>> tell iptables to listen for SIP requests?  I have already added the
> >>>>> IP to the blocked IPs but he still keeps on coming.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas at voipembedded.com
> >>>>> <mailto:osas at voipembedded.com>> wrote:
> >>>>>
> >>>>>> Most likely it's a bogus script.
> >>>>>> Sometimes just sending a dummy reply, will stop the script sending
> >>>>>> SIP requests.
> >>>>>> Check the User-Agent header and from username to see if you can
> >>>>>> identify the script and google around for it.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Ovidiu Sas
> >>>>>>
> >>>>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez
> >>>>>> <mrjoli021 at gmail.com <mailto:mrjoli021 at gmail.com>> wrote:
> >>>>>>> I am running Kamailio on CentOS.  I ran tcpdump and noticed that
> >>>>>>> we are getting attacked from IP 188.138.32.72.  I have already
> >>>>>>> blocked it in iptables, but he keeps on attacking the server.  If
> >>>>>>> I look at "/var/log/secure" there are no SIP messages.  My
> >>>>>>> question is: where is the log file for Kamailio, and how can I
> >>>>>>> prevent this type of attack in the future?
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> _______________________________________________
> >>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
> >>>>>>> mailing list
> >>>>>>> sr-users at lists.sip-router.org <mailto:
> sr-users at lists.sip-router.org>
> >>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> VoIP Embedded, Inc.
> >>>>>> http://www.voipembedded.com
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> VoIP Embedded, Inc.
> >>>> http://www.voipembedded.com
> >>>>
> >>>
> >>>
> >>>
> >>
> >
> >
> >
> >
>
>



-- 
Mit freundlichen Grüßen
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com
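As an added example (not code posted by anyone in this thread), here is how the silent-drop advice from the top of the thread can be laid out in a kamailio.cfg using Kamailio's named routes, placed so that it runs before any function that could itself send a reply. It assumes the xlog module is loaded; the route name SCANNER_CHECK and the log text are choices made for this example, not taken from the posts.

```cfg
# Added example, not from the thread. Silently drop scanner traffic
# before anything in the main route can generate a reply.
request_route {
    # Run the scanner check first: functions such as sanity_check() or
    # mf_process_maxfwd_header() further down may answer with 4xx replies,
    # which is exactly the response a scanner is probing for.
    route(SCANNER_CHECK);

    # ... rest of the normal request processing follows here ...
}

# Route name chosen for this example (assumption).
route[SCANNER_CHECK] {
    # $ua holds the User-Agent header; =~ is a regular-expression match,
    # so "friendly-scanner" is caught even with a version suffix appended.
    if ($ua =~ "friendly-scanner") {
        # Record the source so fail2ban or an iptables rule can be fed from
        # the log. xlog writes to syslog using the core log_facility
        # (LOG_DAEMON by default), so on CentOS this typically lands in
        # /var/log/messages rather than /var/log/secure.
        # $rm = request method, $fU = From username, $si:$sp = source IP:port.
        xlog("L_WARN", "scanner dropped: ua=<$ua> method=$rm from=$fU src=$si:$sp\n");
        # exit without any sl_send_reply(): nothing is sent back at all.
        exit;
    }
}
```

The difference from the quoted snippet earlier in the thread is that no sl_send_reply() precedes the exit, so the probe receives no answer; the xlog line exists only so the source address is still recorded for firewall rules.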