<div dir="ltr">Thanks everyone for your suggestions. I will try out the various top suggestions from Daniel and Lorenzo.<div><br></div><div>Regards,</div><div><br></div><div>Tabi</div></div><div class="gmail_extra"><br><br>
<div class="gmail_quote">On Wed, Apr 30, 2014 at 2:39 PM, Daniel Grotti <span dir="ltr"><<a href="mailto:dgrotti@sipwise.com" target="_blank">dgrotti@sipwise.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Tabi,<br>
another easy solution, just add in LB config file the following lines:<br>
<br>
<br>
if ($ua=~"friendly-scanner" || $ua=~"sipvicious" )<br>
{<br>
drop();<br>
}<br>
<br>
Also, regarding svcrash.py:<br>
<a href="http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/" target="_blank">http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/</a><br>
<br>
<br>
<br>
Daniel<br>
<div class=""><br>
<br>
<br>
<br>
On 04/30/2014 01:39 PM, Lorenzo Mangani wrote:<br>
> You could also consider actively crashing the offenders IP on log hits<br>
> alongside the banning (using either svcrash.py, Homer Kill-Vicious tool,<br>
> or sipgrep 2.0 -J or your own solution)<br>
><br>
> Best,<br>
><br>
> Lorenzo Mangani<br>
><br>
> HOMER DEV TEAM<br>
> QXIP - Capture Engineering<br>
> Desk: <a href="tel:%2B1%20%28202%29%20470-5312" value="+12024705312">+1 (202) 470-5312</a><br>
> Mobile: <a href="tel:%2B31%206%204603-2730" value="+31646032730">+31 6 4603-2730</a><br>
><br>
><br>
><br>
><br>
> On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper<br>
</div>> <<a href="mailto:norbert.piper@telenoise.de">norbert.piper@telenoise.de</a> <mailto:<a href="mailto:norbert.piper@telenoise.de">norbert.piper@telenoise.de</a>>> wrote:<br>
><br>
> USE GEOIP ban instead of fail2ban____<br>
><br>
> __ __<br>
><br>
> J____<br>
><br>
> __ __<br>
><br>
> *Von:*<a href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</a><br>
> <mailto:<a href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</a>><br>
> [mailto:<a href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</a><br>
<div class="">> <mailto:<a href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</a>>] *Im Auftrag von *Tabi<br>
> Tabe Tabi<br>
</div>> *Gesendet:* Mittwoch, 30. April 2014 13:18<br>
> *An:* <a href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a> <mailto:<a href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</a>><br>
> *Betreff:* [Spce-user] SPCE Security alert____<br>
><br>
> __ __<br>
><br>
> Hi,____<br>
><br>
> __ __<br>
<div class="">><br>
> I just realized one of my test SPCE servers is under heavy friendly<br>
> scanner and SIPViscious attack. This happened 30 minutes after I<br>
> exposed the server to the Internet. I found the following IP<br>
</div>> addresses in Banned IP:____<br>
><br>
> __ __<br>
><br>
> 1. 199.231.48.5____<br>
><br>
> 2. 188.138.4.216____<br>
><br>
> 3. 109.230.245.113____<br>
><br>
> 4. 31.3.240.251____<br>
><br>
> 5. 41.221.11.46____<br>
><br>
> 6. 46.165.220.215____<br>
><br>
> 7. 70.34..120.248____<br>
><br>
> 8. 79.143.83.4____<br>
<div class="">><br>
> I am using iptables to drop the packets and have seen drop in<br>
</div>> resource utilization on the server.____<br>
<div class="">><br>
> Does any one have recommendation for implementation of fail2ban on<br>
</div>> SIPWise?____<br>
><br>
> __ __<br>
><br>
> Thanks.____<br>
><br>
> __ __<br>
><br>
> --<br>
> ...Tabi____<br>
><br>
> __ __<br>
><br>
><br>
> _______________________________________________<br>
> Spce-user mailing list<br>
> <a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a> <mailto:<a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a>><br>
> <a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a><br>
<div class="HOEnZb"><div class="h5">><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Spce-user mailing list<br>
> <a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a><br>
> <a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a><br>
><br>
<br>
_______________________________________________<br>
Spce-user mailing list<br>
<a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a><br>
<a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>...Tabi<div><br></div>
</div>