[Spce-user] SPCE Security alert

Anibal Cañada anibal at hercom.es
Wed Apr 30 10:50:28 EDT 2014


Hi, 
I have a fake SIP server listening on port 5060 on a Linux machine in the same subnet, made in Perl, which executes a Perl script that bans the IP from our principal router. 
It's adapted for MikroTik, using its API, but can be easily modified to SSH to a Cisco or Quagga server. 

I have attached the Perl script, copied from Linux to a .txt. 

Regards. 

----- Original message -----

From: "Tabi Tabe Tabi" <tabi.tabe at gmail.com> 
To: "Derrick Bradbury" <derrickb at halex.com> 
CC: spce-user at lists.sipwise.com 
Sent: Wednesday, 30 April 2014 16:17:46 
Subject: Re: [Spce-user] SPCE Security alert 

Thanks Derrick. 

You all make me smile. 

Much appreciated. Will revert with update. 

Regards, 

Tabi 


On Wed, Apr 30, 2014 at 3:47 PM, Derrick Bradbury <derrickb at halex.com> wrote: 


Also you can do GeoIP at the IPTABLES level: 

One way is: 
http://terminal28.com/how-to-block-countries-using-iptables-debian/ 

Slightly modified to be a bit easier... 

sudo apt-get install xtables-addons-common unzip module-assistant 

sudo module-assistant --verbose --text-mode auto-install xtables-addons 

mkdir -p /tmp/xt 
cd /tmp/xt 

/usr/lib/xtables-addons/xt_geoip_dl 
unzip *.zip 
sudo mkdir -p /usr/share/xt_geoip 
sudo /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv 


and a sample for what I have is: 

iptables -I INPUT -p udp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2 
iptables -I INPUT -p tcp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2 



________________________________________ 
From: spce-user-bounces at lists.sipwise.com [ spce-user-bounces at lists.sipwise.com ] on behalf of Daniel Grotti [ dgrotti at sipwise.com ] 
Sent: Wednesday, April 30, 2014 8:39 AM 
To: spce-user at lists.sipwise.com 
Subject: Re: [Spce-user] SPCE Security alert 

Hi Tabi, 
another easy solution: just add the following lines to the LB config file: 


if ($ua=~"friendly-scanner" || $ua=~"sipvicious" ) 
{ 
    drop(); 
} 

Also, regarding svcrash.py: 
http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/ 



Daniel 
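
As an added example (not code from Daniel's configuration or from Sipwise), here is the same User-Agent check in Python over constructed SIP requests, matched case-insensitively, and extended with a fail2ban-style per-source threshold of the kind Tabi asked about; the addresses, the helper names and the 3-hit threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traffic (source address, raw SIP request) as a proxy
# would receive it; addresses are documentation-range placeholders.
def sip_request(method, ua, src):
    return (src,
            f"{method} sip:100@203.0.113.5 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-{method}\r\n"
            f"User-Agent: {ua}\r\n"
            "Content-Length: 0\r\n\r\n")

SAMPLE_REQUESTS = [
    sip_request("OPTIONS", "friendly-scanner", "192.0.2.10"),
    sip_request("REGISTER", "friendly-scanner", "192.0.2.10"),
    sip_request("REGISTER", "friendly-scanner", "192.0.2.10"),
    sip_request("OPTIONS", "SIPVicious", "192.0.2.20"),          # mixed case
    sip_request("REGISTER", "Linphone/3.6.1", "198.51.100.7"),  # legitimate
]

# Same two patterns as the LB rule, but matched case-insensitively so a
# scanner that capitalises its User-Agent differently is still caught.
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious", re.IGNORECASE)

def parse_headers(raw):
    """Split one SIP request into its request line and a dict of headers
    keyed by lower-cased name (SIP header names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers

def is_scanner(raw):
    """True when the User-Agent header matches a known scanner signature."""
    _, headers = parse_headers(raw)
    return bool(SCANNER_UA.search(headers.get("user-agent", "")))

def ban_decisions(requests, threshold=3):
    """fail2ban-style policy: count scanner hits per source address and
    return (addresses at or above threshold, per-address hit counts)."""
    hits = defaultdict(int)
    for src, raw in requests:
        if is_scanner(raw):
            hits[src] += 1
    banned = {ip for ip, n in hits.items() if n >= threshold}
    return banned, dict(hits)
```

The User-Agent is attacker-controlled, so this catches only scanners that keep their default string; the per-source threshold is what limits the damage from one that does not.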




On 04/30/2014 01:39 PM, Lorenzo Mangani wrote: 
> You could also consider actively crashing the offenders IP on log hits 
> alongside the banning (using either svcrash.py, Homer Kill-Vicious tool, 
> or sipgrep 2.0 -J or your own solution) 
> 
> Best, 
> 
> Lorenzo Mangani 
> 
> HOMER DEV TEAM 
> QXIP - Capture Engineering 
> Desk: +1 (202) 470-5312 
> Mobile: +31 6 4603-2730 
> 
> 
> 
> 
> On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper 
> <norbert.piper at telenoise.de> wrote: 
> 
> USE GEOIP ban instead of fail2ban 
> 
> :-) 
> 
> *From:* spce-user-bounces at lists.sipwise.com 
> [mailto: spce-user-bounces at lists.sipwise.com] *On behalf of* Tabi 
> Tabe Tabi 
> *Sent:* Wednesday, 30 April 2014 13:18 
> *To:* spce-user at lists.sipwise.com 
> *Subject:* [Spce-user] SPCE Security alert 
> 
> Hi, 
> 
> 
> I just realized one of my test SPCE servers is under heavy friendly 
> scanner and SIPVicious attack. This happened 30 minutes after I 
> exposed the server to the Internet. I found the following IP 
> addresses in Banned IP: 
> 
> I am using iptables to drop the packets and have seen a drop in 
> resource utilization on the server. 
> 
> Does anyone have a recommendation for implementing fail2ban on 
> SIPWise? 
> 
> Thanks. 
> 
> -- 
> ...Tabi 
> 
> _______________________________________________ 
> Spce-user mailing list 
> Spce-user at lists.sipwise.com <mailto: Spce-user at lists.sipwise.com > 
> http://lists.sipwise.com/listinfo/spce-user 
> 


-- 
...Tabi 



-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sip-server.perl.txt
URL: <http://lists.sipwise.com/mailman/private/spce-user_lists.sipwise.com/attachments/20140430/5cdeab91/attachment.txt>

