[SR-Users] Preventing information about my sip network
Andres
andres at telesip.net
Thu Mar 27 02:58:22 CET 2014
On 3/26/14, 2:40 PM, Rainer Piper wrote:
> Hi Andres,
>
> today I had a very funny one ... an amazon server tried to relay over
> my server.
>
I see that. It's cheap and easy to use an Amazon server for this
purpose. Plus you can change its public IP by shutting down and
starting the instance again.
>
> LOG Data:
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike
> [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip
> 184.72.211.251, node=0x7f90dd8abcb8
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT:
> pike blocking INVITE from sip:448099999999 at 184.72.211.251
> (IP:184.72.211.251:5060)
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>:
> IPTABLES: blocking 184.72.211.251 antiflood
>
>
>
> -------- Original-Nachricht --------
>
> Hi,
>
> The IP 184.72.211.251 has just been banned by Fail2Ban after
> 1 attempts against KAMAILIO.
>
>
> Here are more information about 184.72.211.251:
>
>
> NetRange: 184.72.0.0 - 184.73.255.255
> CIDR: 184.72.0.0/15
> OriginAS:
> NetName: AMAZON-EC2-7
> NetHandle: NET-184-72-0-0-1
> Parent: NET-184-0-0-0-0
> NetType: Direct Assignment
> Comment: The activity you have detected originates from a
> Comment: dynamic hosting environment.
> Comment: For fastest response, please submit abuse reports at
> Comment:
> http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
>
> Comment: For more information regarding EC2 see:
> Comment: http://ec2.amazonaws.com/
> Comment: All reports MUST include:
> Comment: * src IP
> Comment: * dest IP (your IP)
> Comment: * dest port
> Comment: * Accurate date/timestamp and timezone of activity
> Comment: * Intensity/frequency (short log extracts)
> Comment: * Your contact details (phone and email)
> Comment: Without these we will be unable to identify
> Comment: the correct owner of the IP address at that
> Comment: point in time.
> RegDate: 2010-01-26
> Updated: 2012-03-02
> Ref: http://whois.arin.net/rest/net/NET-184-72-0-0-1
>
>
> OrgName: Amazon.com, Inc.
> OrgId: AMAZO-4
> Address: Amazon Web Services, Elastic Compute Cloud, EC2
> Address: 1200 12th Avenue South
> City: Seattle
> StateProv: WA
> PostalCode: 98144
> Country: US
> RegDate: 2005-09-29
> Updated: 2009-06-02
> Comment: For details of this service please see
> Comment: http://ec2.amazonaws.com/
> Ref: http://whois.arin.net/rest/org/AMAZO-4
>
> OrgAbuseHandle: AEA8-ARIN
> OrgAbuseName: Amazon EC2 Abuse
> OrgAbusePhone: +1-206-266-4064
> OrgAbuseEmail: ec2-abuse at amazon.com
> OrgAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
>
> OrgTechHandle: ANO24-ARIN
> OrgTechName: Amazon EC2 Network Operations
> OrgTechPhone: +1-206-266-4064
> OrgTechEmail: aes-noc at amazon.com
> OrgTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN
>
> RNOCHandle: ANO24-ARIN
> RNOCName: Amazon EC2 Network Operations
> RNOCPhone: +1-206-266-4064
> RNOCEmail: aes-noc at amazon.com
> RNOCRef: http://whois.arin.net/rest/poc/ANO24-ARIN
>
> RTechHandle: ANO24-ARIN
> RTechName: Amazon EC2 Network Operations
> RTechPhone: +1-206-266-4064
> RTechEmail: aes-noc at amazon.com
> RTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN
>
> RAbuseHandle: AEA8-ARIN
> RAbuseName: Amazon EC2 Abuse
> RAbusePhone: +1-206-266-4064
> RAbuseEmail: ec2-abuse at amazon.com
> RAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
>
>
> Lines containing IP:184.72.211.251 in /var/log/kamailio.log
>
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike
> [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip
> 184.72.211.251, node=0x7f90dd8abcb8
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT:
> pike blocking INVITE from sip:448099999999 at 184.72.211.251
> (IP:184.72.211.251:5060)
> Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>:
> IPTABLES: blocking 184.72.211.251 antiflood
>
>
> Regards,
>
> Fail2Ban
>
>
> --
> *Rainer Piper*
> NOC - +49 (0)228 97167161 - sip.soho-piper.de
> NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293
>
--
Technical Support
http://www.cellroute.net
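
Added example, not part of the original thread: because the source can come back on a new address after an instance restart, per-IP bans are easier to reason about when pike blocks are also grouped by the netblock WHOIS reports. The function names, the `WATCHED_NETS` table and every log line marked constructed are assumptions; the first log line and the 184.72.0.0/15 range are taken from the quoted message.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the pike warning in the format shown in the quoted kamailio.log lines.
PIKE_RE = re.compile(
    r"pike_check_req\(\): PIKE - BLOCKing ip (\d{1,3}(?:\.\d{1,3}){3})")

# Netblock and NetName from the WHOIS output quoted in the thread.
WATCHED_NETS = {"AMAZON-EC2-7": ipaddress.ip_network("184.72.0.0/15")}

# First line is from the thread (unwrapped); the second shows that the
# script-level IPTABLES line is not double counted; the rest are constructed.
SAMPLE_LOG = [
    "Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8",
    "Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood",
    "Mar 26 07:02:10 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.73.40.12, node=0x7f90dd8abd10",
    "Mar 26 07:45:31 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.9.77, node=0x7f90dd8abd68",
    "Mar 26 08:11:02 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 198.51.100.23, node=0x7f90dd8abdc0",
    "Mar 26 09:30:00 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8",
]

def pike_blocks_by_net(lines, nets=WATCHED_NETS):
    """Return {net name: distinct blocked IPs in that net, numerically sorted}."""
    hits = defaultdict(set)
    for line in lines:
        m = PIKE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:          # e.g. an octet above 255 in a mangled line
            continue
        name = next((n for n, net in nets.items() if ip in net), "other")
        hits[name].add(ip)
    return {n: [str(i) for i in sorted(ips)] for n, ips in hits.items()}

def rotating_nets(lines, min_ips=2, nets=WATCHED_NETS):
    """Watched nets with at least min_ips distinct blocked sources."""
    grouped = pike_blocks_by_net(lines, nets)
    return sorted(n for n in nets if len(grouped.get(n, [])) >= min_ips)

if __name__ == "__main__":
    print(pike_blocks_by_net(SAMPLE_LOG))
    print(rotating_nets(SAMPLE_LOG))
```

A netblock that keeps appearing with new addresses is a cue to review ban duration and rate limits for that range, not proof that every host in it is hostile.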