[Spce-user] SPCE Security alert

Anibal Cañada anibal at hercom.es
Wed Apr 30 10:50:28 EDT 2014


Hi, 
I have a fake SIP server listening on port 5060 on a Linux machine in the same subnet, written in Perl, which executes a Perl script that bans the IP on our principal router. 
It's adapted for MikroTik, using its API, but can easily be modified to SSH into a Cisco or Quagga server. 

I have attached the perl script , copy from linux to a txt. 

Regards. 

----- Original Message -----

From: "Tabi Tabe Tabi" <tabi.tabe at gmail.com> 
To: "Derrick Bradbury" <derrickb at halex.com> 
CC: spce-user at lists.sipwise.com 
Sent: Wednesday, 30 April 2014 16:17:46 
Subject: Re: [Spce-user] SPCE Security alert 

Thanks Derrick. 

You all make me smile. 

Much appreciated. Will revert with update. 

Regards, 

Tabi 


On Wed, Apr 30, 2014 at 3:47 PM, Derrick Bradbury <derrickb at halex.com> wrote: 


Also you can do GeoIP at the IPTABLES level: 

One way is: 
http://terminal28.com/how-to-block-countries-using-iptables-debian/ 

Slightly modified to be a bit easier... 

sudo apt-get install xtables-addons-common unzip module-assistant 

sudo module-assistant --verbose --text-mode auto-install xtables-addons 

mkdir -p /tmp/xt 
cd /tmp/xt 

/usr/lib/xtables-addons/xt_geoip_dl 
unzip *.zip 
sudo mkdir -p /usr/share/xt_geoip 
sudo /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv 


and a sample for what I have is: 

iptables -I INPUT -p udp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2 
iptables -I INPUT -p tcp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2 



________________________________________ 
From: spce-user-bounces at lists.sipwise.com [spce-user-bounces at lists.sipwise.com] on behalf of Daniel Grotti [dgrotti at sipwise.com] 
Sent: Wednesday, April 30, 2014 8:39 AM 
To: spce-user at lists.sipwise.com 
Subject: Re: [Spce-user] SPCE Security alert 

Hi Tabi, 
another easy solution: just add the following lines to the LB config file: 


if ($ua=~"friendly-scanner" || $ua=~"sipvicious" ) 
{ 
drop(); 
} 

Also, regarding svcrash.py: 
http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/ 



Daniel 




On 04/30/2014 01:39 PM, Lorenzo Mangani wrote: 
> You could also consider actively crashing the offenders IP on log hits 
> alongside the banning (using either svcrash.py, Homer Kill-Vicious tool, 
> or sipgrep 2.0 -J or your own solution) 
> 
> Best, 
> 
> Lorenzo Mangani 
> 
> HOMER DEV TEAM 
> QXIP - Capture Engineering 
> Desk: +1 (202) 470-5312 
> Mobile: +31 6 4603-2730 
> 
> 
> 
> 
> On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper 
> <norbert.piper at telenoise.de> wrote: 
> 
> USE GEOIP ban instead of fail2ban 
> 
> :-) 
> 
> *From:* spce-user-bounces at lists.sipwise.com 
> [mailto: spce-user-bounces at lists.sipwise.com] *On behalf of *Tabi 
> Tabe Tabi 
> *Sent:* Wednesday, 30 April 2014 13:18 
> *To:* spce-user at lists.sipwise.com 
> *Subject:* [Spce-user] SPCE Security alert 
> 
> Hi, 
> 
> I just realized one of my test SPCE servers is under heavy friendly 
> scanner and SIPVicious attack. This happened 30 minutes after I 
> exposed the server to the Internet. I found the following IP 
> addresses in Banned IP: 
> 
> 1. 199.231.48.5 
> 2. 188.138.4.216 
> 3. 109.230.245.113 
> 4. 31.3.240.251 
> 5. 41.221.11.46 
> 6. 46.165.220.215 
> 7. 70.34..120.248 
> 8. 79.143.83.4 
> 
> I am using iptables to drop the packets and have seen a drop in 
> resource utilization on the server. 
> 
> Does anyone have a recommendation for implementing fail2ban on 
> SIPWise? 
> 
> Thanks. 
> 
> -- 
> ...Tabi 
> 
> 
> 
> _______________________________________________ 
> Spce-user mailing list 
> Spce-user at lists.sipwise.com 
> http://lists.sipwise.com/listinfo/spce-user 
> 
> 
> 
> 

-- 
...Tabi 


-------------- next part --------------
#!/usr/bin/perl
# Fake SIP server: listens on UDP 5060, answers REGISTER/INVITE like a
# registrar would, and hands the sender's IP to an external ban script.
use strict;
use warnings;
use IO::Socket;

my $me = "LISTENING IP"; # write here your IP address (this host)

# Script that bans the IP address given as its first argument
# (e.g. through the MikroTik API, or an SSH session to a Cisco/Quagga router)
my $ban_script = "SCRIPT TO EXECUTE WITH SOURCE IP AS PARAMETER";

my $server = IO::Socket::INET->new(LocalPort => '5060', Proto => "udp")
  or die "Couldn't be a udp server: $@\n";

my $MAX_TO_READ = 2048;

# Return only the header lines that start with $field (e.g. "Contact")
sub header
{
  my $field   = shift;
  my $headers = shift;
  my $s = $headers;
  $s =~ s/(^|\n)(?!$field)[^\n]*/$1/gs;  # delete every other line
  $s =~ s/(^\n*|\n*$)//gs;               # trim leading/trailing newlines
  $s =~ s/\n+/\n/gs;                     # collapse empty lines
  return $s;
}

# IPv4 address taken from the Contact header. This value is supplied by the
# peer and can be forged; $server->peerhost would give the address the
# datagram really came from.
sub sender_ip
{
  my $headers = shift;
  my $contact = header("Contact", $headers);
  my $s = $contact;
  $s =~ s/^.*\@(\d+(\.\d+){3})\D.*$/$1/s;
  return $s;
}

# Registered address of record (from the To header) => IP it registered from
my %location = ();

sub save
{
  my $headers = shift;
  my $to = header("To", $headers);
  $to =~ s/^.*<(.*)>.*$/$1/;
  my $ip = sender_ip($headers);
  $location{$to} = $ip;
}

# Send one SIP message (start line, headers, body) to $ip:5060 over UDP
sub send_msg
{
  my ($ip, $infoline, $headers, $body) = @_;
  my $msg = $infoline . "\r\n" . $headers . $body;

  my $sock = IO::Socket::INET->new(
    PeerAddr => $ip,
    PeerPort => '5060',
    Proto    => 'udp');
  die "Could not create socket: $!\n" unless $sock;
  print $sock $msg;
  close($sock);
}

my ($datagram, $infoline, $headers, $body, $method, $ip, $ip2, $uri, $msg);

while (my $user = $server->recv($datagram, $MAX_TO_READ))
{
  print "---\n";

  # Split the datagram into start line, header block (up to the empty line) and body
  $infoline = $datagram;
  $headers  = $datagram;
  $body     = $datagram;
  $method   = $datagram;

  $infoline =~ s/^([^\r\n]*).*$/$1/s;
  $headers  =~ s/^[^\r\n]*\r?\n(.*(\r?\n){2}).*$/$1/s;
  $body     =~ s/^.*(\r?\n){2}(.*)$/$2/s;
  $method   =~ s/^([^ ]*) .*$/$1/s;

  print "Message: $infoline\n...\n";

  if ($method eq "REGISTER")
  {
    print "$method\n";
    $ip  = sender_ip($headers);
    $msg = $headers;
    $msg =~ s/(^|\n)Via:[^\n]*\n/$1/s;   # drop the topmost Via
    $ip2 = $msg;                          # IP of the next Via (assign before substituting)
    $ip2 =~ s/.*(^|\n)(Via: +[^ ]+ +)(\d+(\.\d+){3}).*$/$3/s;
    print "$ip2\n";
    system("perl", $ban_script, $ip);
    save($headers);
    while (my ($key, $val) = each(%location))
    {
      print "$key => $val\n";
    }
    send_msg($ip, "SIP/2.0 200 OK", $headers, "");
  }

  if ($method eq "INVITE")
  {
    print "$method\n";
    $uri = $datagram;
    $uri =~ s/^INVITE +([^ ]*) .*$/$1/s;
    my $dest = defined $location{$uri} ? $location{$uri} : "";
    print "$uri => $dest\n";
    if ($dest eq "")
    {
      print "Unknown URI $uri\n";
      $ip  = sender_ip($headers);
      $msg = $headers;
      $msg =~ s/\nContent-Length:[^\n]*\n/\n/s;
      $msg =~ s/\nContent-Type:[^\n]*\n/\n/s;
      system("perl", $ban_script, $ip);
      send_msg($ip, "SIP/2.0 500 Error", $msg, "");
    }
    else
    {
      print "Known URI $uri\n";

      $ip  = sender_ip($headers);
      $msg = $headers;
      $msg =~ s/\nContent-Length:[^\n]*\n/\n/s;
      $msg =~ s/\nContent-Type:[^\n]*\n/\n/s;
      system("perl", $ban_script, $ip);
      send_msg($ip, "SIP/2.0 100 Trying", $msg, "");

      # add our own Via on top: duplicate the first Via, then put $me in the copy
      $msg = $headers;
      $msg =~ s/(^|\n)(Via[^\n]*\n)/$1$2$2/s;
      $msg =~ s/(^|\n)(Via: +[^ ]+ +)\d+(\.\d+){3}/$1$2$me/s;
      $ip = $dest;
      print "Forwarding to $ip\n";
      send_msg($ip, $infoline, $msg, $body);
    }
  }

  if ($method eq "SIP/2.0")
  {
    # handling replies of the transaction: strip our Via, forward to the next one
    $msg = $headers;
    $msg =~ s/(^|\n)Via:[^\n]*\n/$1/s;
    $ip  = $msg;                          # assign before substituting
    $ip  =~ s/.*(^|\n)(Via: +[^ ]+ +)(\d+(\.\d+){3}).*$/$3/s;
    system("perl", $ban_script, $ip);
    send_msg($ip, $infoline, $msg, $body);
  }
}

close($server);
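As an added example (not the script from this thread, and not Sipwise code), here is the same datagram handling in Python. It splits a SIP datagram into start line, headers and body the way the Perl regexes do, applies the User-Agent test from the Kamailio snippet earlier in the thread, and, going one step further than the Perl script, chooses the ban target from the UDP peer address rather than from the Contact header, since Contact is written by the sender and a forged one would otherwise get a third party blocked on the router. The function names, the sample datagrams and all addresses are constructed for this example.

```python
"""Added example (not from the thread): parse SIP datagrams as the fake
server does, flag known scanner User-Agents, and ban by UDP peer address."""
import re
from typing import Dict, Optional, Tuple

# User-Agent substrings matched by the Kamailio drop() rule quoted in the thread
SCANNER_UA = ("friendly-scanner", "sipvicious")

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def split_message(data: bytes) -> Tuple[str, Dict[str, str], str]:
    """Return (start_line, headers, body). Header names are lower-cased and a
    repeated header keeps its first value, so 'via' is the topmost Via."""
    text = data.decode("utf-8", errors="replace")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:  # tolerate bare-LF senders, as the Perl regexes do
        head, sep, body = text.partition("\n\n")
    lines = head.splitlines()
    start_line = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if colon and key not in headers:
            headers[key] = value.strip()
    return start_line, headers, body


def contact_ip(headers: Dict[str, str]) -> Optional[str]:
    """IPv4 host from the Contact header, e.g. <sip:100@192.0.2.99>."""
    m = re.search(r"@(" + IPV4.pattern + r")", headers.get("contact", ""))
    return m.group(1) if m else None


def via_ip(headers: Dict[str, str]) -> Optional[str]:
    """IPv4 host from the topmost Via: 'SIP/2.0/UDP 203.0.113.7:5060;...'."""
    m = IPV4.search(headers.get("via", ""))
    return m.group(0) if m else None


def handle_datagram(data: bytes, peer_ip: str) -> dict:
    """Decide what to do with one datagram received from peer_ip, the address
    reported by the UDP socket (not anything carried inside the SIP message)."""
    start_line, headers, _body = split_message(data)
    method = start_line.split(" ", 1)[0]
    ua = headers.get("user-agent", "").lower()
    claimed = contact_ip(headers)
    result = {
        "method": method,
        "scanner_ua": any(s in ua for s in SCANNER_UA),
        "contact_ip": claimed,
        "via_ip": via_ip(headers),
        "peer_ip": peer_ip,
        "contact_spoofed": claimed is not None and claimed != peer_ip,
        "ban": None,
    }
    if method in ("REGISTER", "INVITE") or result["scanner_ua"]:
        # Ban the address the packet really came from, never the Contact value
        result["ban"] = peer_ip
    return result


# Constructed sample traffic (documentation address ranges, not real captures)
SCAN_REGISTER = (
    b"REGISTER sip:198.51.100.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1;rport\r\n"
    b"From: \"100\"<sip:100@198.51.100.10>;tag=1\r\n"
    b"To: \"100\"<sip:100@198.51.100.10>\r\n"
    b"Call-ID: 1@203.0.113.7\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Contact: sip:100@192.0.2.99\r\n"   # forged: not the sending host
    b"User-Agent: friendly-scanner\r\n"
    b"Content-Length: 0\r\n\r\n"
)
LEGIT_OPTIONS = (
    b"OPTIONS sip:198.51.100.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK-2\r\n"
    b"From: <sip:monitor@198.51.100.20>;tag=2\r\n"
    b"To: <sip:198.51.100.10>\r\n"
    b"Call-ID: 2@198.51.100.20\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Contact: <sip:monitor@198.51.100.20>\r\n"
    b"User-Agent: Asterisk PBX\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for pkt, src in ((SCAN_REGISTER, "203.0.113.7"), (LEGIT_OPTIONS, "198.51.100.20")):
        print(handle_datagram(pkt, src))
```

With real traffic, `peer_ip` is whatever `socket.recvfrom` returns alongside the datagram; the `contact_spoofed` flag is worth logging on its own, because a steady stream of REGISTERs whose Contact never matches the source is itself a scanner signature.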

