[Spce-user] Block sip attacks
Henk
henk at voipdigit.nl
Mon Feb 4 07:01:44 EST 2019
Hi Daniel,
It looks like I have to overwrite logreq from tag_header.tt2, but if I add
the following line to kamailio.cfg.tt2 and build the configuration it
does not have any effect:
logreq="R=$ru ID=$ci IP=$ct UA=\'$ua\'";
Any advice on what to change exactly?
Regards,
Henk
On 4-2-2019 11:43, Daniel Grotti wrote:
> Hi Henk,
> you can either block the call by User Agent or you can print out the
> Contact header in the log, if you want.
> You can use the "$ct" variable in the kamailio.cfg
>
> Cheers,
>
>
> --
> Daniel Grotti
> Head of Customer Support, Sipwise GmbH
> e: dgrotti at sipwise.com
> t: +43(0)130120332
> w: www.sipwise.com
> Europaring F15, A-2345 Brunn Am Gebirge
> FN: 305595f, FG: LG Wiener Neustadt
> On 2/2/19 3:50 PM, Henk wrote:
>>
>> Hi all,
>>
>> I'm using fail2ban and ipset-blocklist to protect my Sipwise system.
>> But lately scanners are not detected by fail2ban anymore, as they are
>> using local or random addresses like this:
>>
>> INVITE sip:0001130046423112923@172.31.1.100:5060 SIP/2.0
>> Via: SIP/2.0/TCP 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
>> Max-Forwards: 70
>> Contact: <sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
>> To: <sip:0001130046423112923@172.31.1.100:5060>
>> From: "1234"<sip:1234@172.31.1.100:5060>;tag=a9398072
>>
>> So only the contact header contains the real IP address. The proxy
>> logs this (other request):
>>
>> Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
>> Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
>> Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
>>
>> So this cannot be used for fail2ban. Is there a way to log the real
>> address of the attacker?
>>
>> Regards,
>>
>> Henk
>>
>>
>> _______________________________________________
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> https://lists.sipwise.com/listinfo/spce-user
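As an added example (not code from this thread or from Sipwise), the following Python script shows the two things the exchange above turns on. First, it pulls the hosts out of the quoted INVITE and flags which of them are private addresses, so the spoofed Request-URI/From/To can be told apart from the Contact and Via, which carry the scanner's public address. Second, it runs fail2ban-style counting over log lines in the format quoted above: the "Authentication failed" line carries only the Call-ID (ID=), while the "New request" line for the same Call-ID carries IP=, so the script joins the two on Call-ID and attributes each failure to that IP= address. It assumes IP= is the transport source address of the request (the quoted log shows the scanner's public address there). The log lines other than the first pair, the Call-IDs, the second address 203.0.113.9 and the ban threshold are constructed for illustration.

```python
"""Attribute SIP auth failures to the scanner's real address.

Added example; not code from the Sipwise project or the mailing-list thread.
Assumes the proxy log format quoted in the thread: a "New request on proxy"
line carrying IP=<src>:<port> and ID=<call-id>, followed by an
"Authentication failed" line carrying only ID=<call-id>.
"""
import ipaddress
import re
from collections import Counter

# The INVITE quoted in the thread, with the list archive's "at" restored to "@".
SAMPLE_INVITE = (
    "INVITE sip:0001130046423112923@172.31.1.100:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport\r\n"
    "Max-Forwards: 70\r\n"
    "Contact: <sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance=\"<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>\"\r\n"
    "To: <sip:0001130046423112923@172.31.1.100:5060>\r\n"
    "From: \"1234\"<sip:1234@172.31.1.100:5060>;tag=a9398072\r\n"
    "\r\n"
)

# Constructed log sample in the thread's format: one scanner (102.165.36.71)
# spoofing a private address in R=/F=/T=, plus one other failing source.
# Call-IDs and the 203.0.113.9 source are made up.
SAMPLE_LOG = """\
Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=call-a UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
Feb 2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@172.31.1.100:5060 ID=call-a UA='PortSIP VoIP SDK 11.2' Auth=<null>
Feb 2 00:01:24 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112924@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112924@172.31.1.100:5060 IP=102.165.36.71:60385 (127.0.0.1:5060) ID=call-b UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
Feb 2 00:01:24 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112924@172.31.1.100:5060 ID=call-b UA='PortSIP VoIP SDK 11.2' Auth=<null>
Feb 2 00:01:25 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:172.31.1.100 F=sip:alice@172.31.1.100 T=sip:alice@172.31.1.100 IP=203.0.113.9:5060 (127.0.0.1:5060) ID=call-c UA='Legit Phone 1.0' DESTIP=127.0.0.1:5062
Feb 2 00:01:25 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:172.31.1.100 ID=call-c UA='Legit Phone 1.0' Auth=<null>
"""

# Host part of a SIP URI: optional user@, then host up to ':' ';' '>' or space.
# IPv4 and hostnames only; a bracketed IPv6 literal is matched as a whole.
URI_HOST_RE = re.compile(r"sip:(?:[^@<>\s]+@)?(?P<host>\[[^\]]+\]|[^:;>\s]+)")
# "\bIP=" does not match "DESTIP=" because 'T' before 'IP' is a word character.
NEW_REQ_RE = re.compile(r"New request on proxy - .*?\bIP=(?P<ip>[\d.]+):\d+ .*?\bID=(?P<cid>\S+)")
AUTH_FAIL_RE = re.compile(r"Authentication failed.*?\bID=(?P<cid>\S+)")


def sip_headers(raw):
    """Return {lower-case header name: first value} for a raw SIP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    hdrs = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())
    return hdrs


def uri_host(value):
    m = URI_HOST_RE.search(value or "")
    return m.group("host") if m else None


def addresses_of(raw):
    """Hosts named in the request line, From, To, Contact and Via sent-by."""
    h = sip_headers(raw)
    via = h.get("via", "")
    # Via sent-by is the second token: "SIP/2.0/TCP host:port;params".
    via_host = via.split()[1].split(";")[0].rsplit(":", 1)[0] if via else None
    return {
        "request_uri": uri_host(raw.split("\r\n", 1)[0]),
        "from": uri_host(h.get("from")),
        "to": uri_host(h.get("to")),
        "contact": uri_host(h.get("contact")),
        "via": via_host,
    }


def is_private_host(host):
    """True for RFC 1918/loopback/link-local literals; False for names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def spoofed_fields(addrs):
    """Fields whose host is a private literal: useless for banning."""
    return sorted(k for k, h in addrs.items() if h and is_private_host(h))


def attribute_auth_failures(log_text):
    """Count auth failures per IP= source, joining failure lines to the
    preceding 'New request' line by Call-ID since they carry no IP= field."""
    source_by_callid = {}
    failures = Counter()
    for line in log_text.splitlines():
        m = NEW_REQ_RE.search(line)
        if m:
            source_by_callid[m.group("cid")] = m.group("ip")
            continue
        m = AUTH_FAIL_RE.search(line)
        if m and m.group("cid") in source_by_callid:
            failures[source_by_callid[m.group("cid")]] += 1
    return failures


def ban_candidates(failures, threshold):
    """Sources with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    addrs = addresses_of(SAMPLE_INVITE)
    for field, host in addrs.items():
        kind = "private (spoofed)" if is_private_host(host) else "public"
        print(f"{field:12s} {host:16s} {kind}")
    fails = attribute_auth_failures(SAMPLE_LOG)
    print("auth failures by source:", dict(fails))
    print("ban candidates (>=2):", ban_candidates(fails, 2))
```

Running it shows the Request-URI, From and To all resolving to the private 172.31.1.100 while Contact and Via both carry 102.165.36.71, and the log pass attributing both failures to 102.165.36.71. A single-line fail2ban failregex with `<HOST>` cannot do the Call-ID join; it needs the source address on the same line as the failure, which is what changing the proxy's log line is aimed at.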