[Spce-user] Kamailio spam requests identify problem

Andy Clark andyclark05251978 at gmail.com
Wed Apr 3 10:06:47 EDT 2019


Daniel and Sipwise,
I read your link but have a quick question.
Is there any way of blocking requests that don't respond to the 407 after X number of
requests from a certain IP? If so, how would I be able to do that?

These dialers will just ignore the 407 and keep trying random numbers
to call.


On Tue, Apr 2, 2019 at 7:44 AM Daniel-Constantin Mierla <miconda at gmail.com>
wrote:

> Hello,
>
> see my comment inline ...
> On 01.04.19 18:18, Hohl Matthias wrote:
>
> Hello,
>
> I found out that there are a lot of spam requests on proxy and lb from
> the same IP address, which was trying to connect with different users every
> few seconds.
>
> The problem: even though this was always successfully rejected, it would be
> fine if fail2ban would ban the IP from these requests as well, but I have no
> possibility to block the IP, because the log string with "Authentication
> failed, no credentials" has no UA IP information inside.
>
> I thought about adding this UA IP information to the log string for
> "Authentication failed, no credentials", but this failure string happens
> also for valid subscribers like here:
>
> Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:sip.telematica.at F=sip:xxxxxxxx@sip.telematica.at T=sip:xxxxxxxx@sip.telematica.at IP=144.xxx.xxx.xxx:49152 (127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062
> Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:sip.telematica.at ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
> Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Authentication failed, no credentials - R=sip:sip.telematica.at ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000' Auth=<null>
> Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply S=401 fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
> Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:sip.telematica.at F=sip:xxxxxxxx@sip.telematica.at T=sip:xxxxxxxx@sip.telematica.at IP=144.xxx.xxx.xxx:49152 (127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062
> Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:sip.telematica.at ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
> Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Contacts successfully updated, expires in 600s - R=sip:sip.telematica.at ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
> Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Sending reply S=200 OK fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:sip.telematica.at ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
>
> So how to deal with this kind of requests to block the IP address
> correctly with fail2ban?
>
> At the moment, I can't distinguish whether this is a "valid" authentication
> failure or whether this is from a spam request.
>
> Does anybody have an idea?
>
> Thanks.
>
> Kamailio-lb
>
> Apr  1 09:16:03 spce lb[1267]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:60560' - ID=1672410852-1750384450-124595706 UA='<null>'
> Apr  1 09:16:03 spce lb[1265]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:60560' - ID=1672410852-1750384450-124595706 UA='<null>'
> Apr  1 09:16:03 spce lb[1245]: NOTICE: <script>: New request on lb - M=INVITE R=sip:00180048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00180048893076001@176.123.yyy.yyy IP=udp:102.165.51.10:60684 ID=1796109365-625332604-148124457 UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060
> Apr  1 09:16:03 spce lb[1267]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:60684' - ID=1796109365-625332604-148124457 UA='<null>'
> Apr  1 09:16:03 spce lb[1265]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:60684' - ID=1796109365-625332604-148124457 UA='<null>'
> Apr  1 09:16:46 spce lb[1236]: NOTICE: <script>: New request on lb - M=INVITE R=sip:00190048893076001@176.123.xxx.xxx F=sip:800003@176.123.xxx.xxx T=sip:00190048893076001@176.123.xxx.xxx IP=udp:102.165.51.10:63019 ID=1288822511-772044424-1097930615 UA='Linksys-SPA942' DESTIP=176.123.xxx.xxx:5060
> Apr  1 09:16:46 spce lb[1262]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:63019' - ID=1288822511-772044424-1097930615 UA='<null>'
> Apr  1 09:16:46 spce lb[1268]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:63019' - ID=1288822511-772044424-1097930615 UA='<null>'
> Apr  1 09:16:46 spce lb[1241]: NOTICE: <script>: New request on lb - M=INVITE R=sip:00190048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00190048893076001@176.123.yyy.yyy IP=udp:102.165.51.10:63172 ID=106321133-2131130927-801675635 UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060
> Apr  1 09:16:46 spce lb[1267]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:63172' - ID=106321133-2131130927-801675635 UA='<null>'
> Apr  1 09:16:46 spce lb[1264]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:63172' - ID=106321133-2131130927-801675635 UA='<null>'
> Apr  1 09:17:31 spce lb[1231]: NOTICE: <script>: New request on lb - M=INVITE R=sip:00210048893076001@176.123.xxx.xxx F=sip:800003@176.123.xxx.xxx T=sip:00210048893076001@176.123.xxx.xxx IP=udp:102.165.51.10:53471 ID=11643804-699651008-1420889866 UA='Linksys-SPA942' DESTIP=176.123.xxx.xxx:5060
>
> Kamailio-proxy
>
> Apr  1 09:25:32 spce proxy[2114]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00350048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00350048893076001@176.123.yyy.yyy IP=102.165.51.10:58694 (127.0.0.1:5060) ID=758118326-653611733-771601277 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:26:14 spce proxy[2113]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00360048893076001@176.123.xxx.xxx F=sip:800003@176.123.xxx.xxx T=sip:00360048893076001@176.123.xxx.xxx IP=102.165.51.10:57072 (127.0.0.1:5060) ID=1313552761-549894790-1246968706 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:26:14 spce proxy[2120]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00360048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00360048893076001@176.123.yyy.yyy IP=102.165.51.10:57257 (127.0.0.1:5060) ID=543892649-1826253356-1114326864 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:26:56 spce proxy[2113]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00370048893076001@176.123.xxx.xxx F=sip:800003@176.123.xxx.xxx T=sip:00370048893076001@176.123.xxx.xxx IP=102.165.51.10:53653 (127.0.0.1:5060) ID=216044731-1767486066-1766299769 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:26:56 spce proxy[2114]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00370048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00370048893076001@176.123.yyy.yyy IP=102.165.51.10:57149 (127.0.0.1:5060) ID=1129853686-565291733-1459199345 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:27:38 spce proxy[2106]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00380048893076001@176.123.xxx.xxx F=sip:800003@176.123.xxx.xxx T=sip:00380048893076001@176.123.xxx.xxx IP=102.165.51.10:49934 (127.0.0.1:5060) ID=1744315013-324263357-1391421940 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00380048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00380048893076001@176.123.yyy.yyy IP=102.165.51.10:50073 (127.0.0.1:5060) ID=912346842-169557483-295698979 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:28:19 spce proxy[2109]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00390048893076001@176.123.xxx.xxx F=sip:800003@176.123.xxx.xxx T=sip:00390048893076001@176.123.xxx.xxx IP=102.165.51.10:62577 (127.0.0.1:5060) ID=218036742-1902467074-1213502867 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:28:19 spce proxy[2119]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00390048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00390048893076001@176.123.yyy.yyy IP=102.165.51.10:65059 (127.0.0.1:5060) ID=1844126573-2124940025-382233674 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
>
> root@spce:~# cat /var/log/ngcp/kamailio-lb.log | grep -i '912346842-169557483-295698979'
> Apr  1 09:27:38 spce lb[1241]: NOTICE: <script>: New request on lb - M=INVITE R=sip:00380048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00380048893076001@176.123.yyy.yyy IP=udp:102.165.51.10:50073 ID=912346842-169557483-295698979 UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060
> Apr  1 09:27:38 spce lb[1241]: NOTICE: <script>: Relaying request, fs='udp:127.0.0.1:5060' du='sip:127.0.0.1:5062' - R=sip:00380048893076001@176.123.yyy.yyy ID=912346842-169557483-295698979 UA='Linksys-SPA942'
> Apr  1 09:27:38 spce lb[1268]: NOTICE: <script>: Reply from Inbound - S=100 - Trying M=INVITE IP=udp:127.0.0.1:5062 ID=912346842-169557483-295698979 UA='<null>' DESTIP=127.0.0.1:5060
> Apr  1 09:27:38 spce lb[1268]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:50073' - ID=912346842-169557483-295698979 UA='<null>'
> Apr  1 09:27:38 spce lb[1263]: NOTICE: <script>: Reply from Inbound - S=407 - Proxy Authentication Required M=INVITE IP=udp:127.0.0.1:5062 ID=912346842-169557483-295698979 UA='<null>' DESTIP=127.0.0.1:5060
> Apr  1 09:27:38 spce lb[1263]: NOTICE: <script>: Sending reply from inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:50073' - ID=912346842-169557483-295698979 UA='<null>'
> root@spce:~#
>
> root@spce:~# cat /var/log/ngcp/kamailio-proxy.log | grep -i '912346842-169557483-295698979'
> Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:00380048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00380048893076001@176.123.yyy.yyy IP=102.165.51.10:50073 (127.0.0.1:5060) ID=912346842-169557483-295698979 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
> Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:00380048893076001@176.123.yyy.yyy ID=912346842-169557483-295698979 UA='Linksys-SPA942'
> Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Authentication failed, no credentials - R=sip:00380048893076001@176.123.yyy.yyy ID=912346842-169557483-295698979 UA='Linksys-SPA942' Auth=<null>
> Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply S=407 fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=912346842-169557483-295698979 UA='Linksys-SPA942'
> Apr  1 09:27:38 spce proxy[2113]: NOTICE: <script>: New request on proxy - M=ACK R=sip:00380048893076001@176.123.yyy.yyy F=sip:800003@176.123.yyy.yyy T=sip:00380048893076001@176.123.yyy.yyy IP=<null>:<null> (127.0.0.1:5060) ID=912346842-169557483-295698979 UA='<null>' DESTIP=127.0.0.1:5062
>
>
> There are some hints on security to use in kamailio.cfg collected in our
> wiki at:
>
>   * https://www.kamailio.org/wiki/tutorials/security/kamailio-security
>
> Fail2ban is an option as well. I would suggest counting the failed
> authentications per user per IP and then blocking the IP using htable or
> fail2ban. The link above has suggestions for failed authentication per
> user; I would also add a condition on IP there...
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio World Conference - May 6-8, 2019 -- www.kamailioworld.com
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
>
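The two problems in the thread have one root cause: the "Authentication failed, no credentials" line carries the Call-ID (ID=...) but not the source IP, while the "New request on proxy" line for the same Call-ID carries both. Joining the two on the Call-ID gives the IP back, and the same join separates a phone from a dialer: a phone that registers answers the 401/407 by re-sending the request with credentials on the same Call-ID (the N510 case above), whereas a dialer that ignores the 407 only sends the ACK and starts the next probe on a fresh Call-ID. The script below is an added example written for this page, not code from the thread, from Sipwise or from Kamailio; it assumes the NGCP log layout quoted above, its sample log lines are constructed with different addresses, and the threshold of five unanswered challenges is an assumed value. It emits one line per unanswered challenge with the IP on it, which is the line a fail2ban failregex can match.

```python
"""Attribute "Authentication failed, no credentials" events to a source IP
by joining NGCP/Kamailio proxy log lines on their Call-ID, and separate the
one-off challenge a legitimate phone answers from a dialer that ignores 407s.

Added example modelled on the log lines quoted in the thread; not code from
the thread, from Sipwise or from Kamailio. Addresses, Call-IDs and the
threshold are constructed/assumed."""
import re
from collections import defaultdict

_ID_RE = re.compile(r"\bID=(\S+)")                               # ID=<Call-ID>
_IP_RE = re.compile(r"\bIP=(?:udp:|tcp:|tls:)?([0-9.]+):(\d+)")   # IP=[proto:]host:port
_METHOD_RE = re.compile(r"\bM=([A-Z]+)")                          # M=INVITE / REGISTER / ACK


def unanswered_challenges(lines):
    """Return {source_ip: [call_id, ...]} for Call-IDs that received
    'Authentication failed, no credentials' and were never followed by a
    second non-ACK request with the same Call-ID (the credentialed retry)."""
    ip_of_call = {}      # Call-ID -> source IP of the first request seen
    challenged = set()   # Call-IDs that got the no-credentials challenge
    answered = set()     # challenged Call-IDs that came back with a retry
    for line in lines:
        m = _ID_RE.search(line)
        if not m:
            continue
        call_id = m.group(1)
        if "New request on proxy" in line:
            meth = _METHOD_RE.search(line)
            if meth and meth.group(1) == "ACK":
                continue  # the ACK to the 407 carries IP=<null> and is not a retry
            ip = _IP_RE.search(line)
            if call_id not in ip_of_call:
                if ip:
                    ip_of_call[call_id] = ip.group(1)
            elif call_id in challenged:
                answered.add(call_id)  # same Call-ID again after the challenge
        elif "Authentication failed, no credentials" in line:
            challenged.add(call_id)
    result = defaultdict(list)
    for call_id in challenged - answered:
        ip = ip_of_call.get(call_id)
        if ip:
            result[ip].append(call_id)
    return dict(result)


def scanner_ips(lines, threshold=5):
    """Source IPs with at least `threshold` distinct unanswered challenges,
    i.e. a dialer that ignores the 407 and moves on to the next number.
    The default threshold is an assumed value, not a Sipwise setting."""
    return {ip for ip, ids in unanswered_challenges(lines).items()
            if len(ids) >= threshold}


def fail2ban_lines(lines):
    """One line per unanswered challenge that carries the IP the original
    'Authentication failed' line lacks; a failregex such as
    'unanswered auth challenge from <HOST>' then lets fail2ban count per IP."""
    return ["unanswered auth challenge from %s ID=%s" % (ip, cid)
            for ip, ids in sorted(unanswered_challenges(lines).items())
            for cid in ids]


# Constructed sample (not real traffic): a phone whose REGISTER is challenged
# with 401 and then accepted on the credentialed retry with the same Call-ID.
_LEGIT = """\
Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:sip.example.net F=sip:alice@sip.example.net T=sip:alice@sip.example.net IP=198.51.100.7:49152 (127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP PRO' DESTIP=127.0.0.1:5062
Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Authentication failed, no credentials - R=sip:sip.example.net ID=3533311694@10_0_0_1 UA='N510 IP PRO' Auth=<null>
Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply S=401 fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=3533311694@10_0_0_1 UA='N510 IP PRO'
Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:sip.example.net F=sip:alice@sip.example.net T=sip:alice@sip.example.net IP=198.51.100.7:49152 (127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP PRO' DESTIP=127.0.0.1:5062
Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Contacts successfully updated, expires in 600s - R=sip:sip.example.net ID=3533311694@10_0_0_1 UA='N510 IP PRO'
"""


def _scan_attempt(n, src="192.0.2.10"):
    """Constructed dialer probe: INVITE, challenge, 407, ACK with IP=<null>, no retry."""
    cid = "%d-scan-%d" % (900000000 + n, n)
    num = "0038004889307%04d" % n
    return (
        "Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:%s@203.0.113.5 F=sip:800003@203.0.113.5 T=sip:%s@203.0.113.5 IP=%s:%d (127.0.0.1:5060) ID=%s UA='Linksys-SPA942' DESTIP=127.0.0.1:5062\n"
        "Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Authentication failed, no credentials - R=sip:%s@203.0.113.5 ID=%s UA='Linksys-SPA942' Auth=<null>\n"
        "Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply S=407 fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=%s UA='Linksys-SPA942'\n"
        "Apr  1 09:27:38 spce proxy[2113]: NOTICE: <script>: New request on proxy - M=ACK R=sip:%s@203.0.113.5 F=sip:800003@203.0.113.5 T=sip:%s@203.0.113.5 IP=<null>:<null> (127.0.0.1:5060) ID=%s UA='<null>' DESTIP=127.0.0.1:5062\n"
    ) % (num, num, src, 50000 + n, cid, num, cid, cid, num, num, cid)


# Eight probes from one source, each on a new Call-ID, plus the legitimate phone.
SAMPLE_LINES = (_LEGIT + "".join(_scan_attempt(i) for i in range(1, 9))).splitlines()

if __name__ == "__main__":
    for entry in fail2ban_lines(SAMPLE_LINES):
        print(entry)
    for ip in sorted(scanner_ips(SAMPLE_LINES)):
        print("block", ip)
```

This processes the log as a batch. In a live pipeline (tailing the file for fail2ban) the phone's credentialed retry lands in the same second as the challenge, so each challenge has to be held for a few seconds before it is declared unanswered; the join logic is otherwise the same. Counting per Call-ID rather than per "Authentication failed" line is what keeps a correctly behaving phone, which is challenged on every REGISTER, out of the ban list.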