[Spce-user] autoban or fail2ban

Matthew Ogden matthew at tenacit.net
Mon May 7 15:05:14 EDT 2012


Thanks, so if I understand this correctly then,

You have your defaults at 20 times per 2 seconds. But, at this point, pike
is not banning them from trying to connect, it is simply ignoring trying to
authenticate them, is that correct?

In other words, I will continue to see their traffic hitting my network
card, in and out, and entries in ngrep? But they are very unlikely to
succeed in brute forcing a password? (Or perhaps I have misunderstood this)

As so:
(Friendly scanner indeed!)

U 2012/05/07 20:02:08.715659 213.189.34.21:5341 -> MY_SERVER_IP:5060
REGISTER sip:MY_SERVER_IP SIP/2.0
Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-285169266;rport
Content-Length: 0
From: "102" <sip:102@MY_SERVER_IP>
Accept: application/sdp
User-Agent: friendly-scanner
To: "102" <sip:102@MY_SERVER_IP>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 828443369
Max-Forwards: 70

#
U 2012/05/07 20:02:08.715727 MY_SERVER_IP:5060 -> 213.189.34.21:5341
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-285169266;rport=5341
From: "102" <sip:102@MY_SERVER_IP>
To: "102" <sip:102@MY_SERVER_IP>
CSeq: 1 REGISTER
Call-ID: 828443369
Server: Sipwise NGCP LB 2.X
Content-Length: 0

#
U 2012/05/07 20:02:08.728398 213.189.34.21:5341 -> MY_SERVER_IP:5060
REGISTER sip:MY_SERVER_IP SIP/2.0
Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-1723630567;rport
Content-Length: 0
From: "102" <sip:102@MY_SERVER_IP>
Accept: application/sdp
User-Agent: friendly-scanner
To: "102" <sip:102@MY_SERVER_IP>
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 4175934776
Max-Forwards: 70

#
U 2012/05/07 20:02:08.728478 MY_SERVER_IP:5060 -> 213.189.34.21:5341
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-1723630567;rport=5341
From: "102" <sip:102@MY_SERVER_IP>
To: "102" <sip:102@MY_SERVER_IP>
CSeq: 1 REGISTER
Call-ID: 4175934776
Server: Sipwise NGCP LB 2.X
Content-Length: 0


-----Original Message-----
From: spce-user-bounces at lists.sipwise.com
[mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Andreas Granig
Sent: 07 May 2012 08:46 PM
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] autoban or fail2ban

Hi,

On 05/07/2012 08:35 PM, Jon Bonilla (Manwe) wrote:
> The spce has SIP attack protection against DOS and DDOS attacks.
>
> If you're talking about ssh or similar you should use iptables. Please
> check the security chapter of the handbook.

To make it clear, flood traffic above a certain threshold is blocked in
user-space on the load-balancer. You can check the blocked ips with the
following command:

ngcp-sercmd lb htable.dump ipban

Every time an IP gets into this blacklist, a warning is logged in
kamailio-lb.log, using this kamailio config line:

xlog("L_WARN", "IP '$var(banip)' is blocked and banned - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci\n");

Sometimes it makes sense to block the traffic on kernel level already to
keep the receive queue clean, so fail2ban could make sense here. See the
section "Fail2Ban" in
http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack (the rest is
already implemented in the SPCE), just adapt the "failregex" to the log
message shown above.

Andreas
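The fail2ban adaptation Andreas points at, worked through as an added example (it is not from this thread, the Sipwise handbook or the asipto article). It writes a failregex for the xlog() line quoted above, expands the <HOST> tag the way fail2ban does, and runs it over constructed kamailio-lb.log lines to show which addresses would be banned. The syslog layout of the log lines, the program name, the hostname "spce", the jail settings and the log path placeholder are all assumptions; the sample lines are constructed, not captured.

```python
"""fail2ban filter prototype for the SPCE load-balancer ban warning.

Added example, not project code.  The log lines below are constructed to
mirror the xlog() template quoted in the thread; the syslog prefix
(timestamp, host, program[pid]) is an assumption about how kamailio-lb.log
is written on the box.
"""
import re

# fail2ban's classic <HOST> expansion: a named group that accepts an IPv4
# address or hostname, optionally prefixed for IPv4-mapped IPv6.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Proposed filter.d/kamailio-lb.conf failregex.  Two deliberate choices:
#  * it is anchored with ^ at what remains after fail2ban strips the
#    timestamp, so attacker-controlled header values that happen to be
#    logged elsewhere (e.g. a From URI containing "is blocked and banned")
#    cannot be made to look like a ban line;
#  * the address is taken from the quoted IP field, which the config fills
#    from the transport layer, never from F=/T=, which are the SIP From/To
#    headers and are whatever the sender put there.
FAILREGEX = (
    r"^\S+ \S*kamailio\[\d+\]: WARNING: \S+: "
    r"IP '<HOST>' is blocked and banned - M=\S+ R=\S+ F=.* T=.* IP=\S+:\S+:\d+ ID=\S+$"
)

# Jail fragment (assumed values).  SIP here is UDP, so the tcp-only default
# of the iptables actions would ban nothing: ask for all protocols.
JAIL_CONF = """
[kamailio-lb]
enabled  = true
filter   = kamailio-lb
action   = iptables-allports[name=kamailio-lb, protocol=all]
logpath  = /path/to/kamailio-lb.log   ; point at wherever kamailio-lb.log lives
maxretry = 1
bantime  = 3600
"""

# Syslog timestamp that fail2ban recognises and removes before matching.
SYSLOG_DATE = re.compile(r"^\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

# Constructed sample: two genuine ban warnings, one unrelated INFO line, and
# one INFO line whose From URI was stuffed with ban-warning text.
SAMPLE_LOG = """\
May  7 20:02:09 spce /usr/sbin/kamailio[2817]: WARNING: <script>: IP '213.189.34.21' is blocked and banned - M=REGISTER R=sip:MY_SERVER_IP F=sip:102@MY_SERVER_IP T=sip:102@MY_SERVER_IP IP=UDP:213.189.34.21:5341 ID=828443369
May  7 20:02:09 spce /usr/sbin/kamailio[2817]: INFO: <script>: New request - M=REGISTER R=sip:MY_SERVER_IP F=sip:103@MY_SERVER_IP T=sip:103@MY_SERVER_IP IP=UDP:198.51.100.7:5060 ID=12345
May  7 20:02:10 spce /usr/sbin/kamailio[2817]: WARNING: <script>: IP '198.51.100.7' is blocked and banned - M=INVITE R=sip:100@MY_SERVER_IP F=sip:100@MY_SERVER_IP T=sip:100@MY_SERVER_IP IP=UDP:198.51.100.7:5060 ID=99887766
May  7 20:02:11 spce /usr/sbin/kamailio[2817]: INFO: <script>: New request - M=OPTIONS R=sip:MY_SERVER_IP F=sip:x@evil.example kamailio[1]: WARNING: <script>: IP '192.0.2.10' is blocked and banned - M=OPTIONS R=sip:a F=sip:b T=sip:c IP=UDP:192.0.2.10:5060 ID=1
"""


def compile_failregex(pattern: str) -> re.Pattern:
    """Do what fail2ban does with a filter: expand <HOST>, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def banned_hosts(log_text: str, pattern: str = FAILREGEX) -> list[str]:
    """Return, in order, the hosts fail2ban would ban for this log text."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in log_text.splitlines():
        rest = SYSLOG_DATE.sub("", line, count=1)  # fail2ban strips the date first
        m = rx.search(rest)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for host in banned_hosts(SAMPLE_LOG):
        print("would ban", host)
```

Run with the real file (`fail2ban-regex /path/to/kamailio-lb.log filter.d/kamailio-lb.conf`) before enabling the jail, and compare the hits with `ngcp-sercmd lb htable.dump ipban`: every address the LB has put in its blacklist should also show up as a fail2ban match, and nothing else should.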
