[Spce-user] Block sip attacks

Daniel Grotti dgrotti at sipwise.com
Mon Feb 4 05:43:48 EST 2019


Hi Henk,
you can either block the call by User Agent or you can print out the 
Contact header in the log, if you want.
You can use the "$ct" variable in the kamailio.cfg.

Cheers,


--
Daniel Grotti

Head of Customer Support                               Sipwise GmbH
e: dgrotti at sipwise.com                               Europaring F15
t: +43(0)130120332                          A-2345 Brunn Am Gebirge
w: www.sipwise.com          FN: 305595f      FG: LG Wiener Neustadt

On 2/2/19 3:50 PM, Henk wrote:
>
> Hi all,
>
> I'm using fail2ban and ipset-blocklist to protect my Sipwise system. 
> But lately scanners are not detected by fail2ban anymore, as they are 
> using local or random addresses like this:
>
> INVITE sip:0001130046423112923@172.31.1.100:5060 SIP/2.0
> Via: SIP/2.0/TCP 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
> Max-Forwards: 70
> Contact: <sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
> To: <sip:0001130046423112923@172.31.1.100:5060>
> From: "1234"<sip:1234@172.31.1.100:5060>;tag=a9398072
>
> So only the contact header contains the real IP address. The proxy 
> logs this (other request):
>
> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@*172.31.1.100*:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
>
> So this cannot be used for fail2ban. Is there a way to log the real 
> address of the attacker?
>
> Regards,
>
> Henk
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user
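The correlation that a single-line fail2ban regex cannot do on these logs, as an added example (Python of my own, not Sipwise code or anything posted in the thread): the "Authentication failed" line carries only the call ID, while the "New request" line for the same ID carries the transport source in IP=, so joining the two on ID recovers the real address even when From/To name a local host. The sample log lines are constructed in the quoted format; the second call and its user agent are made up.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the proxy log format quoted in the thread: the first call
# copies the thread's addresses and call ID, the second is made up and must not be flagged.
SAMPLE_LOG = """\
Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
Feb  2 00:01:30 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:172.31.1.100 F=sip:alice@172.31.1.100 T=sip:alice@172.31.1.100 IP=192.168.10.20:5060 (192.168.10.1:5060) ID=constructed-id-2 UA='Example Phone 1.0' DESTIP=127.0.0.1:5062
"""

# Only the "New request" line carries the transport source (IP=); the "Authentication
# failed" line carries just the call ID, so the two are joined on ID.
NEW_REQ = re.compile(
    r"New request on proxy - .*?F=sip:[^@\s]*@(?P<fhost>[^:\s]+).*? IP=(?P<ip>[0-9.]+):\d+ "
    r".*?ID=(?P<id>\S+) UA='(?P<ua>[^']*)'"
)
AUTH_FAIL = re.compile(r"Authentication failed, .*?ID=(?P<id>\S+) UA='(?P<ua>[^']*)'")

def _looks_private(host):
    """True for private/loopback address literals such as the 172.31.1.100 in the From URI."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a hostname rather than an address literal
    return addr.is_private or addr.is_loopback

def failed_auth_sources(log_text):
    """Return (source_ip, user_agent, from_spoofed) per failed authentication; from_spoofed
    means the From URI names a private host while the packet arrived from a public address."""
    by_id, events = {}, []
    for line in log_text.splitlines():
        m = NEW_REQ.search(line)
        if m:
            by_id[m["id"]] = (m["ip"], m["ua"], m["fhost"])
            continue
        m = AUTH_FAIL.search(line)
        if m and m["id"] in by_id:
            ip, ua, fhost = by_id[m["id"]]
            events.append((ip, ua, _looks_private(fhost) and not _looks_private(ip)))
    return events

def ban_candidates(events, maxretry=5):
    """Source addresses with at least maxretry failures, the threshold fail2ban applies."""
    counts = Counter(ip for ip, _ua, _spoofed in events)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)
```

The same join works on lines that additionally log the Contact header via $ct, but the IP= field is what identifies the transport peer and is the value to feed a blocklist.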
