[Spce-user] SPCE Security alert
Anibal Cañada
anibal at hercom.es
Wed Apr 30 10:50:28 EDT 2014
Hi,
I have a fake SIP server listening on port 5060 on a Linux machine in the same subnet, made in Perl, which executes a Perl script that bans the IP from our principal router.
It's adapted for MikroTik, using its API, but can be easily modified to make an SSH connection to a Cisco or Quagga server.
I have attached the Perl script, copied from Linux to a txt file.
Regards.
----- Original message -----
From: "Tabi Tabe Tabi" <tabi.tabe at gmail.com>
To: "Derrick Bradbury" <derrickb at halex.com>
CC: spce-user at lists.sipwise.com
Sent: Wednesday, 30 April 2014 16:17:46
Subject: Re: [Spce-user] SPCE Security alert
Thanks Derrick.
You all make me smile.
Much appreciated. Will revert with update.
Regards,
Tabi
On Wed, Apr 30, 2014 at 3:47 PM, Derrick Bradbury <derrickb at halex.com> wrote:
Also you can do GeoIP at the IPTABLES level:
One way is:
http://terminal28.com/how-to-block-countries-using-iptables-debian/
Slightly modified to be a bit easier...
sudo apt-get install xtables-addons-common unzip module-assistant
sudo module-assistant --verbose --text-mode auto-install xtables-addons
mkdir -p /tmp/xt
cd /tmp/xt
/usr/lib/xtables-addons/xt_geoip_dl
unzip *.zip
sudo mkdir -p /usr/share/xt_geoip
sudo /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
and a sample for what I have is:
iptables -I INPUT -p udp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2
iptables -I INPUT -p tcp --dport 5060 -m geoip ! --src-cc CA,US -j DROP -i em2
________________________________________
From: spce-user-bounces at lists.sipwise.com [spce-user-bounces at lists.sipwise.com] on behalf of Daniel Grotti [dgrotti at sipwise.com]
Sent: Wednesday, April 30, 2014 8:39 AM
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] SPCE Security alert
Hi Tabi,
another easy solution, just add in LB config file the following lines:
if ($ua=~"friendly-scanner" || $ua=~"sipvicious" )
{
drop();
}
Also, regarding svcrash.py:
http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/
Daniel
On 04/30/2014 01:39 PM, Lorenzo Mangani wrote:
> You could also consider actively crashing the offender's IP on log hits
> alongside the banning (using either svcrash.py, Homer Kill-Vicious tool,
> or sipgrep 2.0 -J or your own solution)
>
> Best,
>
> Lorenzo Mangani
>
> HOMER DEV TEAM
> QXIP - Capture Engineering
> Desk: +1 (202) 470-5312
> Mobile: +31 6 4603-2730
>
> On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper
> <norbert.piper at telenoise.de> wrote:
>
> USE GEOIP ban instead of fail2ban
>
> :-)
>
> *From:* spce-user-bounces at lists.sipwise.com
> [mailto:spce-user-bounces at lists.sipwise.com] *On behalf of *Tabi
> Tabe Tabi
> *Sent:* Wednesday, 30 April 2014 13:18
> *To:* spce-user at lists.sipwise.com
> *Subject:* [Spce-user] SPCE Security alert
>
>
> Hi,
>
> I just realized one of my test SPCE servers is under heavy friendly
> scanner and SIPVicious attack. This happened 30 minutes after I
> exposed the server to the Internet. I found the following IP
> addresses in Banned IP:
>
> 1. 199.231.48.5
> 2. 188.138.4.216
> 3. 109.230.245.113
> 4. 31.3.240.251
> 5. 41.221.11.46
> 6. 46.165.220.215
> 7. 70.34..120.248
> 8. 79.143.83.4
>
> I am using iptables to drop the packets and have seen a drop in
> resource utilization on the server.
>
> Does anyone have a recommendation for implementation of fail2ban on
> SIPWise?
>
> Thanks.
>
> --
> ...Tabi
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
--
...Tabi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20140430/5cdeab91/attachment-0001.html>
-------------- next part --------------
#!/usr/bin/perl
# Fake SIP server (decoy) on UDP 5060: every REGISTER, INVITE or reply that
# reaches it is logged, the source IP is handed to an external ban script,
# and a plausible SIP answer is sent back so the scanner keeps talking.
use strict;
use warnings;
use IO::Socket;

my $me = "LISTENING IP"; # write here your IP address

my $server = IO::Socket::INET->new(LocalPort => '5060', Proto => "udp")
    or die "Couldn't be a udp server: $@\n";
my $MAX_TO_READ = 2048;

# Registered contacts: To-URI => IP address taken from the Contact header
my %location = ();

# Return only the header lines whose name starts with $field
sub header
{
    my $field = shift;
    my $headers = shift;
    my $s = $headers;
    $s =~ s/(^|\n)(?!$field)[^\n]*/$1/gs;   # drop lines not starting with $field
    $s =~ s/(^\n*|\n*$)//gs;                # trim leading/trailing newlines
    $s =~ s/\n+/\n/gs;                      # collapse blank lines
    return $s;
}

# IPv4 address found after the '@' in the Contact header
sub sender_ip
{
    my $headers = shift;
    my $contact = header("Contact", $headers);
    my $s = $contact;
    $s =~ s/^.*\@(\d+(\.\d+){3})\D.*$/$1/s;
    return $s;
}

# Remember where a registered To-URI claims to be reachable
sub save
{
    my $headers = shift;
    my $contact = header("Contact", $headers);
    my $to = header("To", $headers);
    $to =~ s/^.*<(.*)>.*$/$1/;
    $contact =~ s/^.*<(.*)>.*$/$1/;
    my $ip = sender_ip($headers);
    $location{$to} = $ip;
}

# Send one SIP message (start line + headers + body) to $ip:5060 over UDP
sub send_msg
{
    my $ip = shift;
    my $infoline = shift;
    my $headers = shift;
    my $body = shift;
    my $msg = $infoline . "\r\n" . $headers . $body;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $ip,
        PeerPort => '5060',
        Proto    => 'udp');
    die "Could not create socket: $!\n" unless $sock;
    print $sock $msg;
    close($sock);
}

my $datagram;
my ($infoline, $headers, $body, $method, $ip, $ip2, $uri, $msg);
# recv() returns the packed source address of the datagram in $user
while (my $user = $server->recv($datagram, $MAX_TO_READ))
{
    print "---\n";
    # Split the datagram into start line, header block, body and method
    $infoline = $datagram;
    $headers = $datagram;
    $body = $datagram;
    $method = $datagram;
    $infoline =~ s/^([^\r\n]*).*$/$1/s;
    $headers =~ s/^[^\r\n]*\r?\n(.*(\r?\n){2}).*$/$1/s;
    $body =~ s/^.*(\r?\n){2}(.*)$/$2/s;
    $method =~ s/^([^ ]*) .*$/$1/s;
    print "Message: $infoline\n...\n";
    if ($method eq "REGISTER")
    {
        print "$method\n";
        $ip = sender_ip($headers);
        # Strip the topmost Via and extract the IP of the next one (logged only).
        # The copy must happen before the substitution, not after it.
        $msg = $headers;
        $msg =~ s/(^|\n)Via:[^\n]*\n/$1/s;
        $ip2 = $msg;
        $ip2 =~ s/.*(^|\n)(Via: +[^ ]+ +)(\d+(\.\d+){3}).*$/$3/s;
        print "$ip2\n";
        system("perl", "SCRIPT TO EXECUTE WITH SOURCE IP AS PARAMETER", $ip);
        save($headers);
        while (my ($key, $val) = each(%location))
        {
            print "$key => $val\n";
        }
        send_msg($ip, "SIP/2.0 200 OK", $headers, "");
    }
    if ($method eq "INVITE")
    {
        print "$method\n";
        $uri = $datagram;
        $uri =~ s/^INVITE +([^ ]*) .*$/$1/s;
        print "$uri => " . ($location{$uri} // "") . "\n";
        if (!defined $location{$uri} || $location{$uri} eq "")
        {
            print "Unknown URI $uri\n";
            $ip = sender_ip($headers);
            $msg = $headers;
            $msg =~ s/\nContent-Length:[^\n]*\n/\n/s;
            $msg =~ s/\nContent-Type:[^\n]*\n/\n/s;
            system("perl", "SCRIPT TO EXECUTE WITH SOURCE IP AS PARAMETER", $ip);
            send_msg($ip, "SIP/2.0 500 Error", $msg, "");
        }
        else
        {
            print "Known URI $uri\n";
            $ip = sender_ip($headers);
            $msg = $headers;
            $msg =~ s/\nContent-Length:[^\n]*\n/\n/s;
            $msg =~ s/\nContent-Type:[^\n]*\n/\n/s;
            system("perl", "SCRIPT TO EXECUTE WITH SOURCE IP AS PARAMETER", $ip);
            send_msg($ip, "SIP/2.0 100 Trying", $msg, "");
            # Adding the Via header: duplicate the first Via and put our
            # own address into the topmost copy before forwarding
            $msg = $headers;
            $msg =~ s/(^|\n)(Via[^\n]*\n)/$1$2$2/s;
            $msg =~ s/(^|\n)(Via: +[^ ]+ +)\d+(\.\d+){3}/$1$2$me/s;
            $ip = $location{$uri};
            print "Forwarding to $ip\n";
            send_msg($ip, $infoline, $msg, $body);
        }
    }
    if ($method eq "SIP/2.0")
    {
        # Handling replies of the transaction: remove our own Via and send
        # the reply on to the address in the next Via
        $msg = $headers;
        $msg =~ s/(^|\n)Via:[^\n]*\n/$1/s;
        $ip = $msg;
        $ip =~ s/.*(^|\n)(Via: +[^ ]+ +)(\d+(\.\d+){3}).*$/$3/s;
        # Without a remaining Via the substitution leaves the whole header
        # block in $ip; skip instead of dying inside send_msg
        if ($ip !~ /^\d+(\.\d+){3}$/)
        {
            print "No Via left to forward the reply to\n";
            next;
        }
        system("perl", "SCRIPT TO EXECUTE WITH SOURCE IP AS PARAMETER", $ip);
        send_msg($ip, $infoline, $msg, $body);
    }
}
close($server);
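The attached Perl decoy pulls the caller's address out of the Contact and Via headers with regular expressions, and the LB rule Daniel posted drops requests whose User-Agent matches friendly-scanner or sipvicious. The Python below is an added example, not code from the thread, from Sipwise or from the attached script: it parses a SIP request, extracts the same Via and Contact addresses, applies the User-Agent check, and adds a fail2ban-style threshold (maxretry hits within findtime seconds) keyed on the datagram's UDP source address, the value the Perl script receives from recv() but never uses; the Contact host, which the sender chooses freely, is only logged. The sample datagrams (RFC 5737 addresses), the threshold values and all function names are constructed for this example.

```python
"""Added example (not from the spce-user thread or the attached Perl script):
parse a SIP request, extract the Via/Contact addresses the decoy logs,
apply the User-Agent check from the LB rule, and count hits per source
the way fail2ban does (maxretry within findtime)."""
import re
from collections import defaultdict, deque
from typing import Optional

# User-Agent substrings the LB rule in the thread drops on; matched
# case-insensitively here (the kamailio regex in the thread is case-sensitive).
SCANNER_UA_PATTERNS = ("friendly-scanner", "sipvicious")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_sip(datagram: bytes) -> dict:
    """Split a SIP request into start line, headers (lower-cased name ->
    list of values, since Via may repeat) and body. Compact header names
    and folded lines are not handled; this mirrors the decoy's splitting,
    not a full RFC 3261 parser."""
    text = datagram.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed start line: %r" % lines[0])
    headers = defaultdict(list)
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()].append(value.strip())
    return {"method": parts[0], "uri": parts[1], "version": parts[2],
            "headers": dict(headers), "body": body}


def via_ip(msg: dict) -> Optional[str]:
    """Topmost Via: the received= parameter if a proxy added one, otherwise
    the sent-by host (what the Perl script extracts)."""
    vias = msg["headers"].get("via")
    if not vias:
        return None
    m = re.search(r";received=" + IPV4, vias[0])
    if m:
        return m.group(1)
    m = re.match(r"SIP/2\.0/\w+\s+" + IPV4, vias[0])
    return m.group(1) if m else None


def contact_ip(msg: dict) -> Optional[str]:
    """Host after '@' in the Contact URI, as the Perl sender_ip() computes it."""
    contacts = msg["headers"].get("contact")
    if not contacts:
        return None
    m = re.search(r"@" + IPV4, contacts[0])
    return m.group(1) if m else None


def is_scanner(msg: dict) -> bool:
    """True if any User-Agent value contains a known scanner name."""
    ua = " ".join(msg["headers"].get("user-agent", ())).lower()
    return any(p in ua for p in SCANNER_UA_PATTERNS)


class BanTracker:
    """fail2ban-style counter keyed on the UDP source address of the datagram."""

    def __init__(self, maxretry: int = 3, findtime: float = 60.0):
        self.maxretry, self.findtime = maxretry, findtime
        self.hits = defaultdict(deque)
        self.banned = set()

    def record(self, src_ip: str, now: float) -> bool:
        """Record one hit at time `now`; return True if src_ip is banned."""
        q = self.hits[src_ip]
        q.append(now)
        while q and now - q[0] > self.findtime:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned.add(src_ip)
        return src_ip in self.banned


def handle(datagram: bytes, src_ip: str, tracker: BanTracker, now: float) -> str:
    """'drop' for unparsable input, 'ban' for a scanner UA or a source over
    the REGISTER threshold, otherwise 'allow'."""
    try:
        msg = parse_sip(datagram)
    except ValueError:
        return "drop"
    if is_scanner(msg):
        tracker.banned.add(src_ip)          # immediate, like drop() in the LB rule
        return "ban"
    if msg["method"] == "REGISTER":
        # nothing legitimate registers with a decoy, so every REGISTER is a hit
        return "ban" if tracker.record(src_ip, now) else "allow"
    return "allow"


# Constructed sample datagrams (RFC 5737 documentation addresses).
SCAN_REGISTER = (
    b"REGISTER sip:203.0.113.50 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed1\r\n"
    b"From: \"100\" <sip:100@203.0.113.50>;tag=c1\r\n"
    b"To: \"100\" <sip:100@203.0.113.50>\r\n"
    b"Call-ID: constructed-1\r\nCSeq: 1 REGISTER\r\n"
    b"Contact: <sip:100@198.51.100.7:5060>\r\n"
    b"User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n"
)
PHONE_REGISTER = (
    b"REGISTER sip:203.0.113.50 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.5:5060;received=198.51.100.9;branch=z9hG4bK-constructed2\r\n"
    b"From: \"200\" <sip:200@203.0.113.50>;tag=c2\r\n"
    b"To: \"200\" <sip:200@203.0.113.50>\r\n"
    b"Call-ID: constructed-2\r\nCSeq: 1 REGISTER\r\n"
    b"Contact: <sip:200@10.0.0.5:5060>\r\n"
    b"User-Agent: ConstructedPhone/1.0\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    tracker = BanTracker()
    for dg, src in ((SCAN_REGISTER, "198.51.100.7"), (PHONE_REGISTER, "198.51.100.9")):
        m = parse_sip(dg)
        print(src, m["method"], "via", via_ip(m), "contact", contact_ip(m),
              "scanner" if is_scanner(m) else "normal", handle(dg, src, tracker, 0.0))
```

Run as-is it prints one decision per sample datagram. In a real deployment the `src_ip` argument comes from the address returned by `recvfrom()` on the listening socket, and the ban action would call the router API or iptables the way the Perl script shells out to its ban script; the threshold only matters for sources that never trip the User-Agent check.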