[Spce-user] SPCE Security alert
Daniel Grotti
dgrotti at sipwise.com
Wed Apr 30 08:39:51 EDT 2014
Hi Tabi,

another easy solution: just add the following lines to the LB config file:

    # Drop requests whose User-Agent matches a known SIP scanner
    if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious")
    {
        drop();
    }

Also, regarding svcrash.py:
http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/

Daniel

On 04/30/2014 01:39 PM, Lorenzo Mangani wrote:
> You could also consider actively crashing the offender's IP on log hits
> alongside the banning (using either svcrash.py, Homer Kill-Vicious tool,
> or sipgrep 2.0 -J or your own solution)
>
> Best,
>
> Lorenzo Mangani
>
> HOMER DEV TEAM
> QXIP - Capture Engineering
> Desk: +1 (202) 470-5312
> Mobile: +31 6 4603-2730
>
> On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper
> <norbert.piper at telenoise.de> wrote:
>
> USE GEOIP ban instead of fail2ban
>
> :)
>
> *From:* spce-user-bounces at lists.sipwise.com
> [mailto:spce-user-bounces at lists.sipwise.com] *On behalf of* Tabi
> Tabe Tabi
> *Sent:* Wednesday, 30 April 2014 13:18
> *To:* spce-user at lists.sipwise.com
> *Subject:* [Spce-user] SPCE Security alert
>
> Hi,
>
> I just realized one of my test SPCE servers is under heavy friendly
> scanner and SIPVicious attack. This happened 30 minutes after I
> exposed the server to the Internet. I found the following IP
> addresses in Banned IP:
>
> I am using iptables to drop the packets and have seen a drop in
> resource utilization on the server.
>
> Does anyone have a recommendation for implementation of fail2ban on
> SIPWise?
>
> Thanks.
>
> --
> ...Tabi
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
>
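
An added example, not part of the original thread or of Sipwise's code: a Python check that applies the same two User-Agent substrings as the LB rule above to captured SIP requests and lists the source IPs that could feed a ban list. The function names, the case-insensitive match and the sample traffic are assumptions of this example.

```python
import re
from collections import Counter

# Same two substrings as the LB rule in the reply above; matched
# case-insensitively here (an assumption of this example).
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious", re.IGNORECASE)

def user_agent(sip_message: str):
    """Return the User-Agent header value of a SIP message, or None."""
    head = sip_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    # Unfold continuation lines (RFC 3261 allows a header to wrap onto
    # a following line that starts with whitespace).
    head = re.sub(r"\n[ \t]+", " ", head)
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None

def is_scanner(sip_message: str) -> bool:
    """True when the message carries one of the scanner User-Agents."""
    ua = user_agent(sip_message)
    return bool(ua and SCANNER_UA.search(ua))

def offenders(packets, threshold=1):
    """Source IPs with at least `threshold` scanner-UA requests."""
    hits = Counter(src for src, msg in packets if is_scanner(msg))
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLE = [
    ("192.0.2.10", "OPTIONS sip:100@198.51.100.1 SIP/2.0\r\n"
                   "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
                   "User-Agent: friendly-scanner\r\n\r\n"),
    ("192.0.2.10", "REGISTER sip:198.51.100.1 SIP/2.0\r\n"
                   "user-agent:\r\n  SIPVicious\r\n\r\n"),
    ("192.0.2.20", "REGISTER sip:198.51.100.1 SIP/2.0\r\n"
                   "User-Agent: ExamplePhone 1.0\r\n\r\n"),
    ("192.0.2.30", "INVITE sip:200@198.51.100.1 SIP/2.0\r\n"
                   "Via: SIP/2.0/UDP 192.0.2.30:5060\r\n\r\n"),
]

if __name__ == "__main__":
    for ip in offenders(SAMPLE):
        print("ban candidate:", ip)
```

User-Agent is supplied by the client, so treat a match as a cheap first filter alongside the rate-based banning discussed in the thread.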