[Spce-user] SPCE Security alert

Marcin Kowalczyk marcin at architekci.it
Wed Apr 30 11:33:02 EDT 2014 

Hi,

 You can make use of Simwood honeypot as data source for CIDR blocks
http://mirror.simwood.com/honeypot/

Cheers,
Maricn



2014-04-30 16:50 GMT+02:00 Anibal Cañada <anibal at hercom.es>:

> Hi,
> I have a fake sip server listenning on port 5060 on a linux machine in the
> same subnet, made in perl , which execute a perl script than ban the ip
> from our principal router.
> It´s adapted for mikrotik , using its api , but can be easily modified for
> make a ssh to a cisco or quagga server.
>
> I have attached the perl script , copy from linux to a txt.
>
> Regards.
>
> ------------------------------
> *De: *"Tabi Tabe Tabi" <tabi.tabe at gmail.com>
> *Para: *"Derrick Bradbury" <derrickb at halex.com>
> *CC: *spce-user at lists.sipwise.com
> *Enviados: *Miércoles, 30 de Abril 2014 16:17:46
> *Asunto: *Re: [Spce-user] SPCE Security alert
>
>
> Thanks Derrick.
>
> You all make me smile.
>
> Much appreciated. Will revert with update.
>
> Regards,
>
> Tabi
>
>
> On Wed, Apr 30, 2014 at 3:47 PM, Derrick Bradbury <derrickb at halex.com>wrote:
>
>> Also you can do GeoIP at the IPTABLES level:
>>
>> One way is:
>> http://terminal28.com/how-to-block-countries-using-iptables-debian/
>>
>> Slightly modified to be a bit easier...
>>
>> sudo apt-get install xtables-addons-common unzip module-assistant
>>
>> sudo module-assistant --verbose --text-mode auto-install xtables-addons
>>
>> mkdir -p /tmp/xt
>> cd /tmp/xt
>>
>> /usr/lib/xtables-addons/xt_geoip_dlro
>> unzip *.zip
>> sudo mkdir -p /usr/share/xt_geoip
>> sudo /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
>>
>>
>> and a sample for what I have is:
>>
>> iptables -I INPUT -p udp --dport 5060 -m geoip ! --src-cc CA,US -j DROP
>> -i em2
>> iptables -I INPUT -p tcp --dport 5060 -m geoip ! --src-cc CA,US -j DROP
>> -i em2
>>
>>
>>
>> ________________________________________
>> From: spce-user-bounces at lists.sipwise.com [
>> spce-user-bounces at lists.sipwise.com] on behalf of Daniel Grotti [
>> dgrotti at sipwise.com]
>> Sent: Wednesday, April 30, 2014 8:39 AM
>> To: spce-user at lists.sipwise.com
>> Subject: Re: [Spce-user] SPCE Security alert
>>
>> Hi Tabi,
>> another easy solution, just add in LB config file the following lines:
>>
>>
>> if ($ua=~"friendly-scanner" || $ua=~"sipvicious" )
>> {
>>      drop();
>> }
>>
>> Also, regarding svcrash.py:
>> http://keithcroxford.wordpress.com/2012/01/08/sip-registerdos-attacks/
>>
>>
>>
>> Daniel
>>
>>
>>
>>
>> On 04/30/2014 01:39 PM, Lorenzo Mangani wrote:
>> > You could also consider actively crashing the offenders IP on log hits
>> > alongside the banning (using either svcrash.py, Homer Kill-Vicious tool,
>> > or sipgrep 2.0 -J or your own solution)
>> >
>> > Best,
>> >
>> > Lorenzo Mangani
>> >
>> > HOMER DEV TEAM
>> > QXIP - Capture Engineering
>> > Desk: +1 (202) 470-5312
>> > Mobile: +31 6 4603-2730
>> >
>> >
>> >
>> >
>> > On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper
>> > <norbert.piper at telenoise.de <mailto:norbert.piper at telenoise.de>> wrote:
>> >
>> >     USE GEOIP ban instead of fail2ban____
>> >
>> >     __ __
>> >
>> >     J____
>> >
>> >     __ __
>> >
>> >     *Von:*spce-user-bounces at lists.sipwise.com
>> >     <mailto:spce-user-bounces at lists.sipwise.com>
>> >     [mailto:spce-user-bounces at lists.sipwise.com
>> >     <mailto:spce-user-bounces at lists.sipwise.com>] *Im Auftrag von *Tabi
>> >     Tabe Tabi
>> >     *Gesendet:* Mittwoch, 30. April 2014 13:18
>> >     *An:* spce-user at lists.sipwise.com <mailto:
>> spce-user at lists.sipwise.com>
>> >     *Betreff:* [Spce-user] SPCE Security alert____
>> >
>> >     __ __
>> >
>> >     Hi,____
>> >
>> >     __ __
>> >
>> >     I just realized one of my test SPCE servers is under heavy friendly
>> >     scanner and SIPViscious attack. This happened 30 minutes after I
>> >     exposed the server to the Internet. I found the following IP
>> >     addresses in Banned IP:____
>> >
>> >     __ __
>> >
>> >     1.       199.231.48.5____
>> >
>> >     2.       188.138.4.216____
>> >
>> >     3.       109.230.245.113____
>> >
>> >     4.       31.3.240.251____
>> >
>> >     5.       41.221.11.46____
>> >
>> >     6.       46.165.220.215____
>> >
>> >     7.       70.34..120.248____
>> >
>> >     8.       79.143.83.4____
>> >
>> >          I am using iptables to drop the packets and have seen drop in
>> >     resource utilization on the server.____
>> >
>> >     Does any one have recommendation for implementation of fail2ban on
>> >     SIPWise?____
>> >
>> >     __ __
>> >
>> >     Thanks.____
>> >
>> >     __ __
>> >
>> >     --
>> >     ...Tabi____
>> >
>> >     __ __
>> >
>> >
>> >     _______________________________________________
>> >     Spce-user mailing list
>> >     Spce-user at lists.sipwise.com <mailto:Spce-user at lists.sipwise.com>
>> >     http://lists.sipwise.com/listinfo/spce-user
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Spce-user mailing list
>> > Spce-user at lists.sipwise.com
>> > http://lists.sipwise.com/listinfo/spce-user
>> >
>>
>> _______________________________________________
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> http://lists.sipwise.com/listinfo/spce-user
>>
>> _______________________________________________
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> http://lists.sipwise.com/listinfo/spce-user
>>
>
>
>
> --
> ...Tabi
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> http://lists.sipwise.com/listinfo/spce-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20140430/ec860341/attachment-0001.html>

More information about the Spce-user mailing list