[SR-Users] Preventing information about my sip network

Andres andres at telesip.net
Thu Mar 27 02:58:22 CET 2014


On 3/26/14, 2:40 PM, Rainer Piper wrote:
> Hi Andres,
>
> today I had a very funny one ... an amazon server tried to relay over 
> my server.
>
I see that.  It's cheap and easy to use an Amazon server for this 
purpose.  Plus you can change its public IP by shutting down and 
starting the instance again.
>
> LOG Data:
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike 
> [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 
> 184.72.211.251, node=0x7f90dd8abcb8
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: 
> pike blocking INVITE from sip:448099999999 at 184.72.211.251 
> (IP:184.72.211.251:5060)
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: 
> IPTABLES: blocking 184.72.211.251 antiflood
>
>
>
> -------- Original Message --------
>
> Hi,
>
> The IP 184.72.211.251 has just been banned by Fail2Ban after
> 1 attempts against KAMAILIO.
>
>
> Here are more information about 184.72.211.251:
>
>
> NetRange:       184.72.0.0 - 184.73.255.255
> CIDR:           184.72.0.0/15
> OriginAS:
> NetName:        AMAZON-EC2-7
> NetHandle:      NET-184-72-0-0-1
> Parent:         NET-184-0-0-0-0
> NetType:        Direct Assignment
> Comment:        The activity you have detected originates from a
> Comment:        dynamic hosting environment.
> Comment:        For fastest response, please submit abuse reports at
> Comment: 
> http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse 
>
> Comment:        For more information regarding EC2 see:
> Comment: http://ec2.amazonaws.com/
> Comment:        All reports MUST include:
> Comment:        * src IP
> Comment:        * dest IP (your IP)
> Comment:        * dest port
> Comment:        * Accurate date/timestamp and timezone of activity
> Comment:        * Intensity/frequency (short log extracts)
> Comment:        * Your contact details (phone and email)
> Comment:        Without these we will be unable to identify
> Comment:        the correct owner of the IP address at that
> Comment:        point in time.
> RegDate:        2010-01-26
> Updated:        2012-03-02
> Ref: http://whois.arin.net/rest/net/NET-184-72-0-0-1
>
>
> OrgName:        Amazon.com, Inc.
> OrgId:          AMAZO-4
> Address:        Amazon Web Services, Elastic Compute Cloud, EC2
> Address:        1200 12th Avenue South
> City:           Seattle
> StateProv:      WA
> PostalCode:     98144
> Country:        US
> RegDate:        2005-09-29
> Updated:        2009-06-02
> Comment:        For details of this service please see
> Comment: http://ec2.amazonaws.com/
> Ref: http://whois.arin.net/rest/org/AMAZO-4
>
> OrgAbuseHandle: AEA8-ARIN
> OrgAbuseName:   Amazon EC2 Abuse
> OrgAbusePhone: +1-206-266-4064
> OrgAbuseEmail: ec2-abuse at amazon.com
> OrgAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
>
> OrgTechHandle: ANO24-ARIN
> OrgTechName:   Amazon EC2 Network Operations
> OrgTechPhone: +1-206-266-4064
> OrgTechEmail: aes-noc at amazon.com
> OrgTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN
>
> RNOCHandle: ANO24-ARIN
> RNOCName:   Amazon EC2 Network Operations
> RNOCPhone: +1-206-266-4064
> RNOCEmail: aes-noc at amazon.com
> RNOCRef: http://whois.arin.net/rest/poc/ANO24-ARIN
>
> RTechHandle: ANO24-ARIN
> RTechName:   Amazon EC2 Network Operations
> RTechPhone: +1-206-266-4064
> RTechEmail: aes-noc at amazon.com
> RTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN
>
> RAbuseHandle: AEA8-ARIN
> RAbuseName:   Amazon EC2 Abuse
> RAbusePhone: +1-206-266-4064
> RAbuseEmail: ec2-abuse at amazon.com
> RAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
>
>
>
> Lines containing IP:184.72.211.251 in /var/log/kamailio.log
>
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike 
> [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 
> 184.72.211.251, node=0x7f90dd8abcb8
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: 
> pike blocking INVITE from sip:448099999999 at 184.72.211.251 
> (IP:184.72.211.251:5060)
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: 
> IPTABLES: blocking 184.72.211.251 antiflood
>
>
> Regards,
>
> Fail2Ban
>
>
> -- 
> *Rainer Piper*
> NOC - +49 (0)228 97167161 - sip.soho-piper.de
> NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293
>
>


-- 
Technical Support
http://www.cellroute.net
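
Since a sender on a cloud host can return from a new address after an instance restart, per-IP bans are worth reviewing per network. The following is an added example, not code from the thread or from Kamailio or Fail2Ban: it parses the pike warning format quoted above and reports networks from which several distinct addresses were blocked. The 198.51.100.x log lines are constructed, `blocked_ips`, `rotation_candidates` and `NETWORKS` are hypothetical names, and 184.72.0.0/15 is the CIDR from the quoted WHOIS output.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the pike module warning in the format quoted in the message above.
PIKE_RE = re.compile(r"pike_check_req\(\): PIKE - BLOCKing ip (\d{1,3}(?:\.\d{1,3}){3})")

# Networks to group by (assumption): the CIDR from the WHOIS output plus a documentation range.
NETWORKS = ["184.72.0.0/15", "198.51.100.0/24"]

# Constructed sample log. The first two entries are the lines from the thread;
# the 198.51.100.x entries are made-up addresses from a documentation range.
SAMPLE_LOG = """\
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
Mar 26 07:02:10 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 198.51.100.7, node=0x7f90dd8abd10
Mar 26 07:02:12 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 198.51.100.7, node=0x7f90dd8abd10
Mar 26 07:40:31 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 198.51.100.93, node=0x7f90dd8abe48
"""


def blocked_ips(log_text):
    """Return the distinct source IPs pike reported as blocked, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        match = PIKE_RE.search(line)
        if not match:
            continue  # script ALERT lines and unrelated entries
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # digits that do not form a valid IPv4 address
        if ip not in seen:
            seen.append(ip)
    return seen


def rotation_candidates(log_text, networks, min_ips=2):
    """Map each network to its blocked IPs when at least min_ips distinct ones were seen."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits = defaultdict(list)
    for ip in blocked_ips(log_text):
        for net in nets:
            if ip in net:
                hits[str(net)].append(str(ip))
    return {net: ips for net, ips in hits.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    print(rotation_candidates(SAMPLE_LOG, NETWORKS))
```
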
