[Spce-user] autoban or fail2ban

Lorenzo Mangani lorenzo.mangani at gmail.com
Mon May 7 16:00:57 EDT 2012


Matthew,

Once the source is banned, the REGISTER requests are not forwarded
internally to the database, so there are zero chances of brute forcing
anything. The scanner might as well guess and never know; Anyhow, sometimes
sending back a false 200 OK can help stop the flooding if it the
"unfriendly" scanner is in stateless mode, wasting your bandwidth or
cluttering your monitoring. They'll get a useless password and your attack
should drop.

Best,

Lorenzo Mangani
QXIP.NET

On Mon, May 7, 2012 at 9:05 PM, Matthew Ogden <matthew at tenacit.net> wrote:

> Thanks, so if I understand this correctly then,
>
> You have your defaults at 20 times per 2 seconds. But, at this point, pike
> is not banning them from trying to connect, it is simply ignoring trying to
> authenticate them, is that correct?
>
> In other words, I will continue to see their traffic hitting my network
> card, in and out, and entries in ngrep? But they are very unlikely to
> succeed in brute forcing a password? (Or perhaps I have misunderstood this)
>
> As so:
> (Friendly scanner indeed!)
>
> U 2012/05/07 20:02:08.715659 213.189.34.21:5341 -> MY_SERVER_IP:5060
> REGISTER sip:MY_SERVER_IP SIP/2.0'
> Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-285169266;rport'
> Content-Length: 0'
> From: "102" <sip:102 at MY_SERVER_IP>'
> Accept: application/sdp'
> User-Agent: friendly-scanner'
> To: "102" <sip:102 at MY_SERVER_IP>'
> Contact: sip:123 at 1.1.1.1'
> CSeq: 1 REGISTER'
> Call-ID: 828443369'
> Max-Forwards: 70'
> '
>
> #
> U 2012/05/07 20:02:08.715727 MY_SERVER_IP:5060 -> 213.189.34.21:5341
> SIP/2.0 100 Trying'
> Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-285169266;rport=5341'
> From: "102" <sip:102 at MY_SERVER_IP>'
> To: "102" <sip:102 at MY_SERVER_IP>'
> CSeq: 1 REGISTER'
> Call-ID: 828443369'
> Server: Sipwise NGCP LB 2.X'
> Content-Length: 0'
> '
>
> #
> U 2012/05/07 20:02:08.728398 213.189.34.21:5341 -> MY_SERVER_IP:5060
> REGISTER sip:MY_SERVER_IP SIP/2.0'
> Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-1723630567;rport'
> Content-Length: 0'
> From: "102" <sip:102 at MY_SERVER_IP>'
> Accept: application/sdp'
> User-Agent: friendly-scanner'
> To: "102" <sip:102 at MY_SERVER_IP>'
> Contact: sip:123 at 1.1.1.1'
> CSeq: 1 REGISTER'
> Call-ID: 4175934776'
> Max-Forwards: 70'
> '
>
> #
> U 2012/05/07 20:02:08.728478 MY_SERVER_IP:5060 -> 213.189.34.21:5341
> SIP/2.0 100 Trying'
> Via: SIP/2.0/UDP 213.189.34.21:5341;branch=z9hG4bK-1723630567;rport=5341'
> From: "102" <sip:102 at MY_SERVER_IP>'
> To: "102" <sip:102 at MY_SERVER_IP>'
> CSeq: 1 REGISTER'
> Call-ID: 4175934776'
> Server: Sipwise NGCP LB 2.X'
> Content-Length: 0'
>
>
> -----Original Message-----
> From: spce-user-bounces at lists.sipwise.com
> [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Andreas Granig
> Sent: 07 May 2012 08:46 PM
> To: spce-user at lists.sipwise.com
> Subject: Re: [Spce-user] autoban or fail2ban
>
> Hi,
>
> On 05/07/2012 08:35 PM, Jon Bonilla (Manwe) wrote:
> > The spce has SIP attack protection against DOS and DDOS attacks.
> >
> > If you're talking about ssh or similar you should use iptables. Please
> > check the security chapter of the handbook.
>
> To make it clear, flood traffic above a certain threshold is blocked in
> user-space on the load-balancer. You can check the blocked ips with the
> following command:
>
> ngcp-sercmd lb htable.dump ipban
>
> Every time an IP gets into this blacklist, a warning is logged in
> kamailio-lb.log, using this kamailio config line:
>
> xlog("L_WARN", "IP '$var(banip)' is blocked and banned - M=$rm R=$ru F=$fu
> T=$tu IP=$pr:$si:$sp ID=$ci\n");
>
> Sometimes it makes sense to block the traffic on kernel level already to
> keep the receive queue clean, so fail2ban could make sense here. See the
> section "Fail2Ban" in
> http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack (the rest is
> already implemented in the SPCE), just adapt the "failregex" to the log
> message shown above.
>
> Andreas
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>



--
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20120507/35a8248e/attachment-0001.html>


More information about the Spce-user mailing list