[SR-Users] Preventing information about my sip network

Rainer Piper rainer.piper at soho-piper.de
Wed Mar 26 19:40:39 CET 2014


Hi Andres,

Today I had a very funny one ... an Amazon server tried to relay over my server.


LOG Data:
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999 at 184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood



-------- Original Message --------

Hi,

The IP 184.72.211.251 has just been banned by Fail2Ban after
1 attempts against KAMAILIO.


Here are more information about 184.72.211.251:


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 184.72.211.251"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       184.72.0.0 - 184.73.255.255
CIDR:           184.72.0.0/15
OriginAS:
NetName:        AMAZON-EC2-7
NetHandle:      NET-184-72-0-0-1
Parent:         NET-184-0-0-0-0
NetType:        Direct Assignment
Comment:        The activity you have detected originates from a
Comment:        dynamic hosting environment.
Comment:        For fastest response, please submit abuse reports at
Comment:        http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment:        For more information regarding EC2 see:
Comment: http://ec2.amazonaws.com/
Comment:        All reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email)
Comment:        Without these we will be unable to identify
Comment:        the correct owner of the IP address at that
Comment:        point in time.
RegDate:        2010-01-26
Updated:        2012-03-02
Ref: http://whois.arin.net/rest/net/NET-184-72-0-0-1


OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2005-09-29
Updated:        2009-06-02
Comment:        For details of this service please see
Comment: http://ec2.amazonaws.com/
Ref: http://whois.arin.net/rest/org/AMAZO-4

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: ec2-abuse at amazon.com
OrgAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: aes-noc at amazon.com
OrgTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RNOCHandle: ANO24-ARIN
RNOCName:   Amazon EC2 Network Operations
RNOCPhone: +1-206-266-4064
RNOCEmail: aes-noc at amazon.com
RNOCRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RTechHandle: ANO24-ARIN
RTechName:   Amazon EC2 Network Operations
RTechPhone: +1-206-266-4064
RTechEmail: aes-noc at amazon.com
RTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RAbuseHandle: AEA8-ARIN
RAbuseName:   Amazon EC2 Abuse
RAbusePhone: +1-206-266-4064
RAbuseEmail: ec2-abuse at amazon.com
RAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN



Lines containing IP:184.72.211.251 in /var/log/kamailio.log

Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999 at 184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood


Regards,

Fail2Ban


-- 
*Rainer Piper*
NOC - +49 (0)228 97167161 - sip.soho-piper.de
NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293
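
The three log lines quoted in the message describe a single flood event, so a log filter that feeds a ban threshold should count them once and should only ever hand a validated address to the firewall. The following is an added example, not part of the original post and not Kamailio or Fail2Ban code: it parses those three line shapes and applies a maxretry-style threshold. The function names and every sample line after the first three are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Syslog prefix as in the quoted lines: "Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: "
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S*kamailio\[\d+\]: ")
# One pattern per line shape in the message. Each is anchored at end of line
# because the From URI in the second shape is sender-controlled text.
PATTERNS = [
    re.compile(r"PIKE - BLOCKing ip (?P<ip>[^,\s]+), node=0x[0-9a-f]+$"),
    re.compile(r"pike blocking \w+ from .*\(IP:(?P<ip>[^\s)]+):\d+\)$"),
    re.compile(r"IPTABLES: blocking (?P<ip>\S+) antiflood$"),
]

# First three lines: the log lines from the message, unwrapped. Rest: constructed.
SAMPLE_LOG = """\
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999 at 184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
Mar 26 07:01:10 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 192.0.2.10 antiflood
Mar 26 07:09:30 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 192.0.2.10 antiflood
Mar 26 07:10:00 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking not-an-ip antiflood
Mar 26 07:11:00 lb2 /usr/sbin/kamailio[16409]: INFO: <script>: unrelated line
"""


def blocked_events(log_text):
    """Map each source IP to the set of timestamps at which it was blocked."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        prefix = PREFIX.match(line)
        if not prefix:
            continue
        for pattern in PATTERNS:
            hit = pattern.search(line, prefix.end())
            if hit:
                try:  # accept only literal addresses, never free-form log text
                    ip = ipaddress.ip_address(hit.group("ip"))
                except ValueError:
                    break
                # The three shapes share timestamp and IP: one event, not three.
                events[str(ip)].add(prefix.group("ts"))
                break
    return dict(events)


def ips_to_ban(log_text, maxretry=1):
    """IPs with at least `maxretry` distinct block events (Fail2Ban-style threshold)."""
    events = blocked_events(log_text)
    return sorted(ip for ip, stamps in events.items() if len(stamps) >= maxretry)
```

With `maxretry=1`, as in the Fail2Ban notice above, a single pike block event is enough to list the address; with a higher threshold, counting per event rather than per line keeps one flood from being counted three times.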