[Spce-user] Kamailio spam requests identify problem

Daniel-Constantin Mierla miconda at gmail.com
Tue Apr 2 10:44:16 EDT 2019


Hello,

See my comment inline ...

On 01.04.19 18:18, Hohl Matthias wrote:
>
> Hello,
>
>  
>
> I found out that there are a lot of spam requests on proxy and lb
> from the same IP address, which was trying to connect with different
> users every few seconds.
>
>  
>
> The problem: even though this was always successfully rejected, it would
> be good if fail2ban would also ban the IP for these requests, but I
> have no way to block the IP, because the log string with
> “authentication failed, no credentials” has no UA IP information inside.
>
> I thought about adding this UA IP information to the log string for
> “Authentication failed, no credentials”, but this failure string
> also occurs for valid subscribers, like here:
>
> /Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: New request on
> proxy - M=REGISTER R=sip:sip.telematica.at
> F=sip:xxxxxxxx at sip.telematica.at T=sip:xxxxxxxx at sip.telematica.at
> IP=144.xxx.xxx.xxx:49152 (127.0.0.1:5060) ID=3533311694 at 10_0_0_1
> UA='N510 IP PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062/
>
> /Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply
> S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' -
> R=sip:sip.telematica.at ID=3533311694 at 10_0_0_1 UA='N510 IP
> PRO/42.243.00.000.000'/
>
> /Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Authentication
> failed, no credentials - R=sip:sip.telematica.at
> ID=3533311694 at 10_0_0_1 UA='N510 IP PRO/42.243.00.000.000' Auth=<null>/
>
> /Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply
> S=401 fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=3533311694 at 10_0_0_1
> UA='N510 IP PRO/42.243.00.000.000'/
>
> /Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: New request on
> proxy - M=REGISTER R=sip:sip.telematica.at
> F=sip:xxxxxxxx at sip.telematica.at T=sip:xxxxxxxx at sip.telematica.at
> IP=144.xxx.xxx.xxx:49152 (127.0.0.1:5060) ID=3533311694 at 10_0_0_1
> UA='N510 IP PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062/
>
> /Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Sending reply
> S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' -
> R=sip:sip.telematica.at ID=3533311694 at 10_0_0_1 UA='N510 IP
> PRO/42.243.00.000.000'/
>
> /Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Contacts
> successfully updated, expires in 600s - R=sip:sip.telematica.at
> ID=3533311694 at 10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'/
>
> /Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Sending reply
> S=200 OK fs='127.0.0.1:5062' du='127.0.0.1:5060' -
> R=sip:sip.telematica.at ID=3533311694 at 10_0_0_1 UA='N510 IP
> PRO/42.243.00.000.000'/
>
> So how to deal with this kind of request to block the IP address
> correctly with fail2ban?
>
> At the moment, I can’t distinguish whether this is a “valid” authentication
> failure or whether this is from a spam request.
>
>  
>
> Does anybody have an idea?
>
>  
>
> Thanks.
>
> /Kamailio-lb/
>
>  
>
> /Apr  1 09:16:03 spce lb[1267]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:60560' -
> ID=1672410852-1750384450-124595706 UA='<null>'/
>
> /Apr  1 09:16:03 spce lb[1265]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:60560' -
> ID=1672410852-1750384450-124595706 UA='<null>'/
>
> /Apr  1 09:16:03 spce lb[1245]: NOTICE: <script>: New request on lb -
> M=INVITE R=sip:00180048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00180048893076001 at 176.123.yyy.yyy
> IP=udp:102.165.51.10:60684 ID=1796109365-625332604-148124457
> UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060/
>
> /Apr  1 09:16:03 spce lb[1267]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:60684' -
> ID=1796109365-625332604-148124457 UA='<null>'/
>
> /Apr  1 09:16:03 spce lb[1265]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:60684' -
> ID=1796109365-625332604-148124457 UA='<null>'/
>
> /Apr  1 09:16:46 spce lb[1236]: NOTICE: <script>: New request on lb -
> M=INVITE R=sip:00190048893076001 at 176.123.xxx.xxx
> F=sip:800003 at 176.123.xxx.xxx T=sip:00190048893076001 at 176.123.xxx.xxx
> IP=udp:102.165.51.10:63019 ID=1288822511-772044424-1097930615
> UA='Linksys-SPA942' DESTIP=176.123.xxx.xxx:5060/
>
> /Apr  1 09:16:46 spce lb[1262]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:63019' -
> ID=1288822511-772044424-1097930615 UA='<null>'/
>
> /Apr  1 09:16:46 spce lb[1268]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:63019' -
> ID=1288822511-772044424-1097930615 UA='<null>'/
>
> /Apr  1 09:16:46 spce lb[1241]: NOTICE: <script>: New request on lb -
> M=INVITE R=sip:00190048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00190048893076001 at 176.123.yyy.yyy
> IP=udp:102.165.51.10:63172 ID=106321133-2131130927-801675635
> UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060/
>
> /Apr  1 09:16:46 spce lb[1267]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:63172' -
> ID=106321133-2131130927-801675635 UA='<null>'/
>
> /Apr  1 09:16:46 spce lb[1264]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:63172' -
> ID=106321133-2131130927-801675635 UA='<null>'/
>
> /Apr  1 09:17:31 spce lb[1231]: NOTICE: <script>: New request on lb -
> M=INVITE R=sip:00210048893076001 at 176.123.xxx.xxx
> F=sip:800003 at 176.123.xxx.xxx T=sip:00210048893076001 at 176.123.xxx.xxx
> IP=udp:102.165.51.10:53471 ID=11643804-699651008-1420889866
> UA='Linksys-SPA942' DESTIP=176.123.xxx.xxx:5060/
>
> /Kamailio-proxy/
>
> /Apr  1 09:25:32 spce proxy[2114]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00350048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00350048893076001 at 176.123.yyy.yyy
> IP=102.165.51.10:58694 (127.0.0.1:5060)
> ID=758118326-653611733-771601277 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:26:14 spce proxy[2113]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00360048893076001 at 176.123.xxx.xxx
> F=sip:800003 at 176.123.xxx.xxx T=sip:00360048893076001 at 176.123.xxx.xxx
> IP=102.165.51.10:57072 (127.0.0.1:5060)
> ID=1313552761-549894790-1246968706 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:26:14 spce proxy[2120]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00360048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00360048893076001 at 176.123.yyy.yyy
> IP=102.165.51.10:57257 (127.0.0.1:5060)
> ID=543892649-1826253356-1114326864 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:26:56 spce proxy[2113]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00370048893076001 at 176.123.xxx.xxx
> F=sip:800003 at 176.123.xxx.xxx T=sip:00370048893076001 at 176.123.xxx.xxx
> IP=102.165.51.10:53653 (127.0.0.1:5060)
> ID=216044731-1767486066-1766299769 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:26:56 spce proxy[2114]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00370048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00370048893076001 at 176.123.yyy.yyy
> IP=102.165.51.10:57149 (127.0.0.1:5060)
> ID=1129853686-565291733-1459199345 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:27:38 spce proxy[2106]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00380048893076001 at 176.123.xxx.xxx
> F=sip:800003 at 176.123.xxx.xxx T=sip:00380048893076001 at 176.123.xxx.xxx
> IP=102.165.51.10:49934 (127.0.0.1:5060)
> ID=1744315013-324263357-1391421940 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00380048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00380048893076001 at 176.123.yyy.yyy
> IP=102.165.51.10:50073 (127.0.0.1:5060)
> ID=912346842-169557483-295698979 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:28:19 spce proxy[2109]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00390048893076001 at 176.123.xxx.xxx
> F=sip:800003 at 176.123.xxx.xxx T=sip:00390048893076001 at 176.123.xxx.xxx
> IP=102.165.51.10:62577 (127.0.0.1:5060)
> ID=218036742-1902467074-1213502867 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:28:19 spce proxy[2119]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00390048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00390048893076001 at 176.123.yyy.yyy
> IP=102.165.51.10:65059 (127.0.0.1:5060)
> ID=1844126573-2124940025-382233674 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /root at spce:~# cat /var/log/ngcp/kamailio-lb.log | grep -i
> '912346842-169557483-295698979'/
>
> /Apr  1 09:27:38 spce lb[1241]: NOTICE: <script>: New request on lb -
> M=INVITE R=sip:00380048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00380048893076001 at 176.123.yyy.yyy
> IP=udp:102.165.51.10:50073 ID=912346842-169557483-295698979
> UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060/
>
> /Apr  1 09:27:38 spce lb[1241]: NOTICE: <script>: Relaying request,
> fs='udp:127.0.0.1:5060' du='sip:127.0.0.1:5062' -
> R=sip:00380048893076001 at 176.123.yyy.yyy
> ID=912346842-169557483-295698979 UA='Linksys-SPA942'/
>
> /Apr  1 09:27:38 spce lb[1268]: NOTICE: <script>: Reply from Inbound -
> S=100 - Trying M=INVITE IP=udp:127.0.0.1:5062
> ID=912346842-169557483-295698979 UA='<null>' DESTIP=127.0.0.1:5060/
>
> /Apr  1 09:27:38 spce lb[1268]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:50073' -
> ID=912346842-169557483-295698979 UA='<null>'/
>
> /Apr  1 09:27:38 spce lb[1263]: NOTICE: <script>: Reply from Inbound -
> S=407 - Proxy Authentication Required M=INVITE IP=udp:127.0.0.1:5062
> ID=912346842-169557483-295698979 UA='<null>' DESTIP=127.0.0.1:5060/
>
> /Apr  1 09:27:38 spce lb[1263]: NOTICE: <script>: Sending reply from
> inbound, fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:50073' -
> ID=912346842-169557483-295698979 UA='<null>'/
>
> /root at spce:~#/
>
> /root at spce:~# cat /var/log/ngcp/kamailio-proxy.log | grep -i
> '912346842-169557483-295698979'/
>
> /Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on
> proxy - M=INVITE R=sip:00380048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00380048893076001 at 176.123.yyy.yyy
> IP=102.165.51.10:50073 (127.0.0.1:5060)
> ID=912346842-169557483-295698979 UA='Linksys-SPA942'
> DESTIP=127.0.0.1:5062/
>
> /Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply
> S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' -
> R=sip:00380048893076001 at 176.123.yyy.yyy
> ID=912346842-169557483-295698979 UA='Linksys-SPA942'/
>
> /Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Authentication
> failed, no credentials - R=sip:00380048893076001 at 176.123.yyy.yyy
> ID=912346842-169557483-295698979 UA='Linksys-SPA942' Auth=<null>/
>
> /Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply
> S=407 fs='127.0.0.1:5062' du='127.0.0.1:5060' -
> ID=912346842-169557483-295698979 UA='Linksys-SPA942'/
>
> /Apr  1 09:27:38 spce proxy[2113]: NOTICE: <script>: New request on
> proxy - M=ACK R=sip:00380048893076001 at 176.123.yyy.yyy
> F=sip:800003 at 176.123.yyy.yyy T=sip:00380048893076001 at 176.123.yyy.yyy
> IP=<null>:<null> (127.0.0.1:5060) ID=912346842-169557483-295698979
> UA='<null>' DESTIP=127.0.0.1:5062/
>
There are some hints on security to use in kamailio.cfg collected in our
wiki at:

  * https://www.kamailio.org/wiki/tutorials/security/kamailio-security

Fail2ban is an option as well. I would suggest counting the failed
authentications per user per IP and then blocking the IP using htable or
fail2ban. The link above has suggestions for failed authentication per
user; I would also add a condition on IP there...

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - May 6-8, 2019 -- www.kamailioworld.com
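
One way to do the correlation this thread asks for, as an added example that is not code from the thread, Sipwise or Kamailio: join each "no credentials" line to the "New request" line with the same Call-ID to recover the source IP, and count per user per IP only the challenges that were never followed by a retry. The retry heuristic, the threshold, the IPv4-only match and the sample lines are assumptions.

```python
import re
from collections import Counter

# Field layout follows the proxy log quoted above (with "@" in the URIs).
REQ = re.compile(r"New request on proxy - M=(\S+) .*?F=sip:([^@\s]+)@.*? "
                 r"IP=(\d{1,3}(?:\.\d{1,3}){3}):\d+ .*?ID=(\S+)")
NOCRED = re.compile(r"Authentication failed, no credentials - .*?ID=(\S+)")

def abandoned_challenges(lines):
    """Per (source IP, From user): Call-IDs challenged and never re-sent."""
    origin = {}            # Call-ID -> (ip, user) of the first request
    attempts = Counter()   # Call-ID -> number of non-ACK requests seen
    challenged = set()     # Call-IDs that logged "no credentials"
    for line in lines:
        m = REQ.search(line)
        if m:
            method, user, ip, cid = m.groups()
            if method != "ACK":
                origin.setdefault(cid, (ip, user))
                attempts[cid] += 1
            continue
        m = NOCRED.search(line)
        if m:
            challenged.add(m.group(1))
    counts = Counter()
    for cid in challenged:
        # A phone answers the 401/407 with a second request on the same Call-ID.
        if cid in origin and attempts[cid] == 1:
            counts[origin[cid]] += 1
    return counts

def ips_to_ban(lines, threshold=3):
    """Source IPs whose abandoned challenges, summed over users, reach threshold."""
    per_ip = Counter()
    for (ip, _user), n in abandoned_challenges(lines).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample: addresses, users and Call-IDs are made up.
PFX = "Apr  1 09:25:32 spce proxy[2114]: NOTICE: <script>: "
def req(method, user, src, cid):
    return (f"{PFX}New request on proxy - M={method} R=sip:example.test "
            f"F=sip:{user}@example.test T=sip:{user}@example.test IP={src} "
            f"(127.0.0.1:5060) ID={cid} UA='x' DESTIP=127.0.0.1:5062")
def nocred(cid):
    return f"{PFX}Authentication failed, no credentials - R=sip:example.test ID={cid} UA='x' Auth=<null>"
SAMPLE = [req("REGISTER", "alice", "198.51.100.7:49152", "reg-1"), nocred("reg-1"),
          req("REGISTER", "alice", "198.51.100.7:49152", "reg-1")]  # phone retries
for i in range(3):  # scanner: challenged, sends only the ACK, never retries
    SAMPLE += [req("INVITE", "800003", "203.0.113.10:58694", f"scan-{i}"),
               nocred(f"scan-{i}"), req("ACK", "800003", "<null>:<null>", f"scan-{i}")]
```

The registering phone in the sample is challenged once and retries, so it is not counted; only the source that abandons every challenge reaches the threshold.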
