anuragrana31189 at gma... Guest
Posted: Fri Jun 27, 2014 9:37 am Post subject: [asterisk-users] Attack on Sip server.
Hi All.
Someone is attacking my SIP server.
There are a lot of requests coming in and I am not able to stop them because I am unable to detect the IP address.
I used Wireshark to capture the packets.
Although I am using very strong passwords for my SIP users, is there still any way to drop these packets and stop this attack?
I tried dropping packets after matching a string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1'), but it failed. Packets are still flowing in.
    iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
It's something like this:
    Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
and there are approx. 10 requests per minute of this type.
Please suggest some way to stop this.
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences. |
arunvsadnikov at gmail... Guest
Posted: Fri Jun 27, 2014 9:42 am Post subject: [asterisk-users] Attack on Sip server.
Hi,
   Change the protocol from tcp to udp in iptables.
~Arun
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
        http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
prakash.n at tevatel.com Guest
Posted: Fri Jun 27, 2014 9:46 am Post subject: [asterisk-users] Attack on Sip server.
Hi,
Install fail2ban and change the SIP listen port to avoid the attack.
With regards
N.Prakash
anuragrana31189 at gma... Guest
Posted: Fri Jun 27, 2014 9:49 am Post subject: [asterisk-users] Attack on Sip server.
I added both rules, TCP as well as UDP. Still not working.
How will changing the SIP listen port prevent it? Please explain.
I will try fail2ban.
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
anuragrana31189 at gma... Guest
Posted: Fri Jun 27, 2014 9:52 am Post subject: [asterisk-users] Attack on Sip server.
Both Rules* (typo in last mail)
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
steve-lists at geekint... Guest
Posted: Fri Jun 27, 2014 9:58 am Post subject: [asterisk-users] Attack on Sip server.
On 27 Jun 2014, at 15:37, Anurag Rana <anuragrana31189@gmail.com> wrote:
> There are a lot of requests coming in and I am not able to stop them because I am unable to detect the IP address.
> I used Wireshark to capture the packets.
If you can capture the packet, surely you have the IP? If they intend to get the response then the IP header can't be forged.
Steve
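The packet-level check Arun and Steve are pointing at, as an added example that is not from the thread or from Asterisk: it decodes a captured IPv4/UDP datagram carrying a SIP REGISTER, applies the same protocol/port/string test the posted iptables rule makes, and reads the source address out of the IP header. The datagram, the addresses (RFC 5737 documentation ranges) and the REGISTER headers are constructed for the example; only the Python standard library is used.

```python
"""Added example (not from the thread or from Asterisk): decode a captured
SIP-over-UDP datagram, apply the protocol/port/string test the posted
iptables rule makes, and read the source IP from the IP header.
The packet, addresses (RFC 5737 ranges) and headers are constructed here."""
import socket
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
IPPROTO_UDP = 17
SIP_PORT = 5060


@dataclass
class Datagram:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int      # 0 when the transport is not UDP
    dst_port: int
    payload: bytes


def parse_ipv4_udp(frame: bytes) -> Datagram:
    """Decode the IPv4 header and, when the protocol is UDP, the UDP header.
    Raises ValueError on anything that is not a well-formed IPv4 packet."""
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(frame) < total_len:
        raise ValueError("bad IPv4 length fields")
    body = frame[ihl:total_len]
    src_ip, dst_ip = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    if proto != IPPROTO_UDP:
        return Datagram(proto, src_ip, dst_ip, 0, 0, body)
    if len(body) < 8:
        raise ValueError("short UDP header")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", body[:8])
    if ulen < 8 or ulen > len(body):
        raise ValueError("bad UDP length")
    return Datagram(proto, src_ip, dst_ip, sport, dport, body[8:ulen])


def matches_rule(d: Datagram, proto: int, dport: int, needle: bytes) -> bool:
    """Same test as `iptables -p <proto> --dport <dport> -m string --string <needle>`:
    every condition must hold, so a `-p tcp` rule never sees SIP carried over UDP."""
    return d.proto == proto and d.dst_port == dport and needle in d.payload


def attacker_source(frame: bytes) -> str:
    """The capture already carries the sender's address; a scanner that wants the
    server's reply (to learn whether the password was right) cannot spoof it."""
    return parse_ipv4_udp(frame).src_ip


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble an IPv4+UDP packet for the example (UDP checksum 0 = none, legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


# Constructed REGISTER of the kind the poster sees; only the User-Agent matters here.
SIP_REGISTER = (
    b"REGISTER sip:198.51.100.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.77:6373;branch=z9hG4bK-example\r\n"
    b'From: "30" <sip:30@198.51.100.10>;tag=1\r\n'
    b'To: "30" <sip:30@198.51.100.10>\r\n'
    b"Call-ID: example@203.0.113.77\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"User-Agent: VaxSIPUserAgent/3.1\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CAPTURED = build_ipv4_udp("203.0.113.77", "198.51.100.10", 6373, SIP_PORT, SIP_REGISTER)

if __name__ == "__main__":
    d = parse_ipv4_udp(CAPTURED)
    print(f"source {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port} proto {d.proto}")
    print("-p tcp rule matches:", matches_rule(d, IPPROTO_TCP, SIP_PORT, b"VaxSIPUserAgent"))
    print("-p udp rule matches:", matches_rule(d, IPPROTO_UDP, SIP_PORT, b"VaxSIPUserAgent"))
```

Run it and the TCP variant of the rule reports no match while the UDP variant matches, which is the whole reason `-p tcp` did nothing against SIP/UDP traffic. The source address it prints is what a per-source `-s <addr>` rule or fail2ban would key on, provided nothing between the attacker and the server has rewritten it (NAT, as discussed later in the thread).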
EWieling at nyigc.com Guest
Posted: Fri Jun 27, 2014 10:00 am Post subject: [asterisk-users] Attack on Sip server.
This is a common issue and is covered in the mailing list archives multiple times.
Do a Google search for something like:
site:lists.digium.com fail2ban
markus_weiler at mailw... Guest
Posted: Fri Jun 27, 2014 10:01 am Post subject: [asterisk-users] Attack on Sip server.
Very simple, yet effective:
http://www.palner.com/blog/171/asterisk-no-matching-peer-found-block/
rwheeler at artifact-s... Guest
Posted: Fri Jun 27, 2014 10:28 am Post subject: [asterisk-users] Attack on Sip server.
+1 fail2ban
Very easy and very effective.
--
Ron Wheeler
President
Artifact Software Inc
email: rwheeler@artifact-software.com (rwheeler@artifact-software.com)
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
prakash.n at tevatel.com Guest
Posted: Fri Jun 27, 2014 11:02 am Post subject: [asterisk-users] Attack on Sip server.
In sip.conf, change the listen port 5060 to some other number like 7242 (any number), then restart Asterisk. Register the SIP phone with the listen port (7242).
Example:
Domain: 192.168.1.10:7242
With regards
N.Prakash
andrew at vsave.co.za Guest
Posted: Fri Jun 27, 2014 11:15 am Post subject: [asterisk-users] Attack on Sip server.
Block the IP?
You should only enable SIP for your specific clients in iptables.
Sent from Samsung Mobile
jprangi at didforsale.com Guest
Posted: Fri Jun 27, 2014 11:21 am Post subject: [asterisk-users] Attack on Sip server.
Anurag,
Here is a small script that will check your logs and block the IPs.
http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
This is good if you don't expect any registrations. If you do have some valid registrations, you might want to add a counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP.
Jai Rangi
www.didforslae.com
mitul at enterux.in Guest
Posted: Fri Jun 27, 2014 11:36 am Post subject: [asterisk-users] Attack on Sip server.
I think your Asterisk server is behind a firewall or some sort of NAT where the outside-to-inside packets are getting masqueraded with the local or DMZ IP of your firewall / gateway box.
Fix this first so that fail2ban detects the correct public IP.
Otherwise fail2ban will ban your local GW IP, due to which you won't be able to access the box even from your local network for SSH.
Hope you know how to fix the firewall SNAT.
Mitul
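The log-driven blocking Jai describes, with the counter he suggests and the NAT guard Mitul warns about, as an added example written for this page (it is not the script linked above, not fail2ban, and not code from the thread). It parses chan_sip "Registration from ... failed" lines in the form Asterisk writes (with the closing quote after the `>`; the poster's paste drops it), counts failures and distinct usernames per source IP inside a sliding window, and refuses to ban RFC 1918 addresses, because behind SNAT every failure arrives from the gateway. The thresholds, the "[YYYY-MM-DD HH:MM:SS]" timestamp prefix and the sample log lines are assumptions constructed for the example; addresses are RFC 5737 documentation ranges.

```python
"""Added example (not the script linked above, not fail2ban, not from the thread):
count failed SIP registrations per source IP from Asterisk chan_sip log lines,
ban only once a threshold trips, and never ban an RFC 1918 address, which behind
SNAT is just the gateway. Log format, thresholds and sample lines are assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip writes: Registration from '<caller>' failed for '<ip>:<port>' - <reason>
# The "[YYYY-MM-DD HH:MM:SS]" prefix is the full-log timestamp (assumed here).
REGISTRATION_FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\].*?Registration from "
    r"'(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+):(?P<port>\d+)' - (?P<reason>.*)$"
)
# Mitul's case: only these ranges are "inside"; documentation ranges are not private here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line: str):
    """Return (timestamp, source_ip, caller, reason) or None for unrelated lines."""
    m = REGISTRATION_FAILED.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("user"), m.group("reason")


def ban_candidates(lines, maxretry=5, findtime=timedelta(minutes=10), max_users=3):
    """Return (bans, nat_suspects). An IP trips when it has maxretry failures inside
    one findtime window, or tries max_users distinct callers in that window (the
    'how many different users' counter). RFC 1918 sources are reported, not banned."""
    events = defaultdict(list)                 # ip -> [(timestamp, caller), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, _reason = parsed
            events[ip].append((ts, user))
    bans, nat_suspects = set(), set()
    for ip, evs in events.items():
        evs.sort()
        tripped = False
        for i, (start, _) in enumerate(evs):  # sliding window anchored at each failure
            window = [e for e in evs[i:] if e[0] - start <= findtime]
            if len(window) >= maxretry or len({u for _, u in window}) >= max_users:
                tripped = True
                break
        if not tripped:
            continue
        if is_rfc1918(ip):
            nat_suspects.add(ip)             # fix SNAT first, or you ban your own gateway
        else:
            bans.add(ip)
    return bans, nat_suspects


def iptables_commands(bans):
    """Per-source drop rules; SIP here is UDP, so the rule says -p udp."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(bans)]


def _line(ts, user, ip, port, reason="Wrong password"):
    """Build a constructed sample log line in the chan_sip format."""
    return (f"[{ts}] NOTICE[2231] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@198.51.100.10>' failed for '{ip}:{port}' - {reason}")


# Constructed sample log: one scanner walking extensions, one legitimate user with a
# typo, and the NAT symptom where the gateway's private address shows up as the source.
SAMPLE_LOG = [
    _line("2014-06-27 15:30:01", "30", "203.0.113.77", 6373),
    _line("2014-06-27 15:30:07", "30", "203.0.113.77", 6373),
    _line("2014-06-27 15:31:02", "31", "203.0.113.77", 6373),
    _line("2014-06-27 15:31:40", "32", "203.0.113.77", 6373),
    _line("2014-06-27 15:32:15", "33", "203.0.113.77", 6373),
    _line("2014-06-27 15:35:00", "alice", "198.51.100.20", 5060),
    _line("2014-06-27 15:35:30", "alice", "198.51.100.20", 5060),
    _line("2014-06-27 15:40:00", "100", "192.168.1.1", 6373),
    _line("2014-06-27 15:40:05", "101", "192.168.1.1", 6373),
    _line("2014-06-27 15:40:11", "102", "192.168.1.1", 6373),
    _line("2014-06-27 15:40:18", "103", "192.168.1.1", 6373),
    _line("2014-06-27 15:40:25", "104", "192.168.1.1", 6373),
    "[2014-06-27 15:41:00] NOTICE[2231] chan_sip.c: Peer 'alice' is now Reachable. (12 ms / 2000 ms)",
]

if __name__ == "__main__":
    bans, nat = ban_candidates(SAMPLE_LOG)
    for cmd in iptables_commands(bans):
        print(cmd)
    for ip in sorted(nat):
        print(f"# {ip} is RFC 1918: failures are being SNATed, fix the gateway before banning")
```

The scanner at 203.0.113.77 trips both counters (five failures in two minutes, four different extensions) and gets a drop rule; alice's two typos do not; the run from 192.168.1.1 trips the counters too, but is reported as a NAT symptom instead of banned, which is exactly the lockout Mitul describes. The same thresholds map onto fail2ban's maxretry and findtime once the public address actually reaches the log.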
anuragrana31189 at gma... Guest
Posted: Fri Jun 27, 2014 11:55 am Post subject: [asterisk-users] Attack on Sip server.
Right Mitul. System is behind some gateway.
--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.