[Spce-user] SPCE Security alert
Derrick Bradbury
derrickb at halex.com
Wed Apr 30 09:47:38 EDT 2014
Also you can do GeoIP at the IPTABLES level:
One way is:
http://terminal28.com/how-to-block-countries-using-iptables-debian/
Slightly modified to be a bit easier...
sudo apt-get install xtables-addons-common unzip module-assistant
sudo module-assistant --verbose --text-mode auto-install xtables-addons
mkdir -p /tmp/xt
cd /tmp/xt
/usr/lib/xtables-addons/xt_geoip_dlro
unzip *.zip
sudo mkdir -p /usr/share/xt_geoip
sudo /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
and a sample for what I have is:
iptables -I INPUT -p udp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2
iptables -I INPUT -p tcp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2
________________________________________
From: spce-user-bounces at lists.sipwise.com [spce-user-bounces at lists.sipwise.com] on behalf of Daniel Grotti [dgrotti at sipwise.com]
Sent: Wednesday, April 30, 2014 8:39 AM
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] SPCE Security alert
Hi Tabi,
another easy solution, just add in LB config file the following lines:
if ($ua=~"friendly-scanner" || $ua=~"sipvicious" )
{
drop();
}
Also, regarding svcrash.py:
http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/
Daniel
On 04/30/2014 01:39 PM, Lorenzo Mangani wrote:
> You could also consider actively crashing the offenders IP on log hits
> alongside the banning (using either svcrash.py, Homer Kill-Vicious tool,
> or sipgrep 2.0 -J or your own solution)
>
> Best,
>
> Lorenzo Mangani
>
> HOMER DEV TEAM
> QXIP - Capture Engineering
> Desk: +1 (202) 470-5312
> Mobile: +31 6 4603-2730
>
>
>
>
> On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper
> <norbert.piper at telenoise.de <mailto:norbert.piper at telenoise.de>> wrote:
>
> USE GEOIP ban instead of fail2ban____
>
> __ __
>
> J____
>
> __ __
>
> *Von:*spce-user-bounces at lists.sipwise.com
> <mailto:spce-user-bounces at lists.sipwise.com>
> [mailto:spce-user-bounces at lists.sipwise.com
> <mailto:spce-user-bounces at lists.sipwise.com>] *Im Auftrag von *Tabi
> Tabe Tabi
> *Gesendet:* Mittwoch, 30. April 2014 13:18
> *An:* spce-user at lists.sipwise.com <mailto:spce-user at lists.sipwise.com>
> *Betreff:* [Spce-user] SPCE Security alert____
>
> __ __
>
> Hi,____
>
> __ __
>
> I just realized one of my test SPCE servers is under heavy friendly
> scanner and SIPViscious attack. This happened 30 minutes after I
> exposed the server to the Internet. I found the following IP
> addresses in Banned IP:____
>
> __ __
>
> 1. 199.231.48.5____
>
> 2. 188.138.4.216____
>
> 3. 109.230.245.113____
>
> 4. 31.3.240.251____
>
> 5. 41.221.11.46____
>
> 6. 46.165.220.215____
>
> 7. 70.34..120.248____
>
> 8. 79.143.83.4____
>
> I am using iptables to drop the packets and have seen drop in
> resource utilization on the server.____
>
> Does any one have recommendation for implementation of fail2ban on
> SIPWise?____
>
> __ __
>
> Thanks.____
>
> __ __
>
> --
> ...Tabi____
>
> __ __
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com <mailto:Spce-user at lists.sipwise.com>
> http://lists.sipwise.com/listinfo/spce-user
>
>
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
http://lists.sipwise.com/listinfo/spce-user
More information about the Spce-user
mailing list