[Spce-user] Block sip attacks
Daniel Grotti
dgrotti at sipwise.com
Mon Feb 4 05:43:48 EST 2019
Hi Henk,
you can either block the call by User Agent or you can print out the
Contact header in the log, if you want.
You can use the "$ct" variable in the kamailio.cfg.
Cheers,
--
Daniel Grotti
Head of Customer Support Sipwise GmbH
e: dgrotti at sipwise.com Europaring F15
t: +43(0)130120332 A-2345 Brunn Am Gebirge
w: www.sipwise.com FN: 305595f FG: LG Wiener Neustadt
On 2/2/19 3:50 PM, Henk wrote:
>
> Hi all,
>
> I'm using fail2ban and ipset-blocklist to protect my Sipwise system.
> But lately scanners are not detected by fail2ban anymore, as they are
> using local or random addresses like this:
>
> INVITE sip:0001130046423112923@172.31.1.100:5060 SIP/2.0
> Via: SIP/2.0/TCP 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
> Max-Forwards: 70
> Contact: <sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
> To: <sip:0001130046423112923@172.31.1.100:5060>
> From: "1234"<sip:1234@172.31.1.100:5060>;tag=a9398072
>
> So only the contact header contains the real IP address. The proxy
> logs this (other request):
>
> Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
> Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
> Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@*172.31.1.100*:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
>
> So this cannot be used for fail2ban. Is there a way to log the real
> address of the attacker?
>
> Regards,
>
> Henk
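The log lines quoted in this thread share an ID= value, so the failure line can be tied back to the IP= of its request line. The sketch below is an added example, not part of the original messages and not Sipwise code. It assumes ID= is the same for every line of one request, that IP= holds the sender's IPv4 address as the proxy recorded it, and it uses a hypothetical output format (`sip-auth-fail src=...`) that a fail2ban failregex could match with `<HOST>`.

```python
import re
from collections import OrderedDict

# First three lines are the proxy log lines quoted in the thread (re-joined,
# emphasis asterisks dropped); the last two are constructed: a request with
# no failure, and a failure whose request line was never seen.
SAMPLE_LOG = """\
Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
Feb 2 00:02:10 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:100@192.0.2.10:5060 F=sip:200@192.0.2.10:5060 T=sip:100@192.0.2.10:5060 IP=198.51.100.7:5060 (127.0.0.1:5060) ID=constructed-ok-1 UA='Example UA' DESTIP=127.0.0.1:5062
Feb 2 00:02:11 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:100@192.0.2.10:5060 ID=constructed-orphan-2 UA='Example UA' Auth=<null>
"""

# Request line: take the IPv4 address from IP= and the identifier from ID=.
NEW_REQ = re.compile(
    r"New request on proxy - .*? IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ .*? ID=(?P<cid>\S+)"
)
# Failure line: carries only the ID=, no source address.
AUTH_FAIL = re.compile(r"Authentication failed.*? ID=(?P<cid>\S+)")


def failed_auth_sources(lines, max_pending=10000):
    """Return (source_ip, id) for each auth failure whose request line was seen."""
    pending = OrderedDict()  # ID= value -> source IP, oldest first
    hits = []
    for line in lines:
        m = NEW_REQ.search(line)
        if m:
            pending[m["cid"]] = m["ip"]
            pending.move_to_end(m["cid"])
            while len(pending) > max_pending:  # bound memory during a flood
                pending.popitem(last=False)
            continue
        m = AUTH_FAIL.search(line)
        if m and m["cid"] in pending:  # failures with no known request are skipped
            hits.append((pending[m["cid"]], m["cid"]))
    return hits


def to_fail2ban_lines(hits):
    """Render one line per failure; 'sip-auth-fail src=' is a hypothetical format."""
    return [f"sip-auth-fail src={ip} call-id={cid}" for ip, cid in hits]


if __name__ == "__main__":
    print("\n".join(to_fail2ban_lines(failed_auth_sources(SAMPLE_LOG.splitlines()))))
```

It keys on the logged IP= value rather than a Contact value because the Contact header is set by the sender.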