[Spce-user] SPCE Security alert

Tabi Tabe Tabi tabi.tabe at gmail.com
Wed Apr 30 10:17:46 EDT 2014


Thanks Derrick.

You all make me smile.

Much appreciated. Will revert with update.

Regards,

Tabi


On Wed, Apr 30, 2014 at 3:47 PM, Derrick Bradbury <derrickb at halex.com>wrote:

> Also you can do GeoIP at the IPTABLES level:
>
> One way is:
> http://terminal28.com/how-to-block-countries-using-iptables-debian/
>
> Slightly modified to be a bit easier...
>
> sudo apt-get install xtables-addons-common unzip module-assistant
>
> sudo module-assistant --verbose --text-mode auto-install xtables-addons
>
> mkdir -p /tmp/xt
> cd /tmp/xt
>
> /usr/lib/xtables-addons/xt_geoip_dlro
> unzip *.zip
> sudo mkdir -p /usr/share/xt_geoip
> sudo /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
>
>
> and a sample for what I have is:
>
> iptables -I INPUT -p udp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i
> em2
> iptables -I INPUT -p tcp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i
> em2
>
>
>
> ________________________________________
> From: spce-user-bounces at lists.sipwise.com [
> spce-user-bounces at lists.sipwise.com] on behalf of Daniel Grotti [
> dgrotti at sipwise.com]
> Sent: Wednesday, April 30, 2014 8:39 AM
> To: spce-user at lists.sipwise.com
> Subject: Re: [Spce-user] SPCE Security alert
>
> Hi Tabi,
> another easy solution, just add in LB config file the following lines:
>
>
> if ($ua=~"friendly-scanner" || $ua=~"sipvicious" )
> {
>      drop();
> }
>
> Also, regarding svcrash.py:
> http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/
>
>
>
> Daniel
>
>
>
>
> On 04/30/2014 01:39 PM, Lorenzo Mangani wrote:
> > You could also consider actively crashing the offenders IP on log hits
> > alongside the banning (using either svcrash.py, Homer Kill-Vicious tool,
> > or sipgrep 2.0 -J or your own solution)
> >
> > Best,
> >
> > Lorenzo Mangani
> >
> > HOMER DEV TEAM
> > QXIP - Capture Engineering
> > Desk: +1 (202) 470-5312
> > Mobile: +31 6 4603-2730
> >
> >
> >
> >
> > On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper
> > <norbert.piper at telenoise.de <mailto:norbert.piper at telenoise.de>> wrote:
> >
> >     USE GEOIP ban instead of fail2ban____
> >
> >     __ __
> >
> >     J____
> >
> >     __ __
> >
> >     *Von:*spce-user-bounces at lists.sipwise.com
> >     <mailto:spce-user-bounces at lists.sipwise.com>
> >     [mailto:spce-user-bounces at lists.sipwise.com
> >     <mailto:spce-user-bounces at lists.sipwise.com>] *Im Auftrag von *Tabi
> >     Tabe Tabi
> >     *Gesendet:* Mittwoch, 30. April 2014 13:18
> >     *An:* spce-user at lists.sipwise.com <mailto:
> spce-user at lists.sipwise.com>
> >     *Betreff:* [Spce-user] SPCE Security alert____
> >
> >     __ __
> >
> >     Hi,____
> >
> >     __ __
> >
> >     I just realized one of my test SPCE servers is under heavy friendly
> >     scanner and SIPViscious attack. This happened 30 minutes after I
> >     exposed the server to the Internet. I found the following IP
> >     addresses in Banned IP:____
> >
> >     __ __
> >
> >     1.       199.231.48.5____
> >
> >     2.       188.138.4.216____
> >
> >     3.       109.230.245.113____
> >
> >     4.       31.3.240.251____
> >
> >     5.       41.221.11.46____
> >
> >     6.       46.165.220.215____
> >
> >     7.       70.34..120.248____
> >
> >     8.       79.143.83.4____
> >
> >          I am using iptables to drop the packets and have seen drop in
> >     resource utilization on the server.____
> >
> >     Does any one have recommendation for implementation of fail2ban on
> >     SIPWise?____
> >
> >     __ __
> >
> >     Thanks.____
> >
> >     __ __
> >
> >     --
> >     ...Tabi____
> >
> >     __ __
> >
> >
> >     _______________________________________________
> >     Spce-user mailing list
> >     Spce-user at lists.sipwise.com <mailto:Spce-user at lists.sipwise.com>
> >     http://lists.sipwise.com/listinfo/spce-user
> >
> >
> >
> >
> > _______________________________________________
> > Spce-user mailing list
> > Spce-user at lists.sipwise.com
> > http://lists.sipwise.com/listinfo/spce-user
> >
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>



-- 
...Tabi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20140430/03c94a6d/attachment-0001.html>


More information about the Spce-user mailing list