[Spce-user] Block sip attacks

Daniel Grotti dgrotti at sipwise.com
Mon Feb 4 07:07:12 EST 2019


Hi,
have you read the ATTENTION warning at the beginning of tags_header.tt2?
You can find there how to change it.

Also, please DO NOT change the IP=, but rather ADD a new parameter like CT=$ct

--
Daniel Grotti

Head of Customer Support                               Sipwise GmbH
e: dgrotti at sipwise.com                               Europaring F15
t: +43(0)130120332                          A-2345 Brunn Am Gebirge
w: www.sipwise.com          FN: 305595f      FG: LG Wiener Neustadt

On 2/4/19 1:01 PM, Henk wrote:
>
> Hi Daniel,
>
> It looks I have to overwrite logreq from tag_header.tt2, but if I add 
> the following line in kamailio.cfg.tt2 and build the configuration it 
> does not have any effect:
>
> logreq="R=$ru ID=$ci IP=$ct UA=\'$ua\'";
>
> Any advice on what to change exactly?
>
> Regards,
>
> Henk
>
> On 4-2-2019 11:43, Daniel Grotti wrote:
>> Hi Henk,
>> you can either block the call by User Agent or you can print out the 
>> Contact header in the log, if you want.
>> You can use the "$ct" variable in the kamailio.cfg
>>
>> Cheers,
>>
>> On 2/2/19 3:50 PM, Henk wrote:
>>>
>>> Hi all,
>>>
>>> I'm using fail2ban and ipset-blocklist to protect my Sipwise system. 
>>> But lately scanners are not detected by fail2ban anymore, as they 
>>> are using local or random addresses like this:
>>>
>>> INVITE sip:0001130046423112923 at 172.31.1.100:5060 SIP/2.0
>>> Via: SIP/2.0/TCP 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
>>> Max-Forwards: 70
>>> Contact: <sip:1234 at 102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
>>> To: <sip:0001130046423112923 at 172.31.1.100:5060>
>>> From: "1234"<sip:1234 at 172.31.1.100:5060>;tag=a9398072
>>>
>>> So only the contact header contains the real IP address. The proxy 
>>> logs this (other request):
>>>
>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923 at 172.31.1.100:5060 F=sip:1234 at 172.31.1.100:5060 T=sip:988891046423112923 at 172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923 at 172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@*172.31.1.100*:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
>>>
>>> So this cannot be used for fail2ban. Is there a way to log the real 
>>> address of the attacker?
>>>
>>> Regards,
>>>
>>> Henk
>>>
>>>
>>> _______________________________________________
>>> Spce-user mailing list
>>> Spce-user at lists.sipwise.com
>>> https://lists.sipwise.com/listinfo/spce-user
>>
>>
>>
>
>
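As an added example (not from this thread, and not Sipwise's own fail2ban filter), assuming logreq has been extended with a CT=$ct field as Daniel suggests: the Python below does what a fail2ban-style filter for the "Authentication failed" line would do, reading the ban candidate from the Contact host instead of the spoofed R=/F=/T= URIs, and refusing to act on hostnames or non-public addresses, since the scanner controls what the Contact header says. The log lines are constructed to show the field layout.

```python
import ipaddress
import re

# Constructed sample lines (not copied from the thread): the proxy's
# "Authentication failed" NOTICE after logreq has gained a CT=$ct field.
# Line 1 has a public Contact host, line 2 a private one (a NAT client or
# the proxy itself), line 3 a hostname instead of an IP literal.
SAMPLE_LOG = """\
Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' CT=<sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>" Auth=<null>
Feb  2 00:01:24 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:1000@172.31.1.100:5060 ID=constructed1.. UA='test-ua' CT=<sip:100@10.0.0.5:5060> Auth=<null>
Feb  2 00:01:25 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:1000@172.31.1.100:5060 ID=constructed2.. UA='test-ua' CT=<sip:bob@phone.example.net> Auth=<null>
"""

# Only auth failures count, and only CT= is read for the address: R=, F= and
# T= carry whatever the scanner chose to put in its request line and headers.
AUTH_FAILED_RE = re.compile(r"Authentication failed.*?\sCT=<?(?P<uri>sips?:[^>\s]+)")
# Host of a SIP URI: scheme, optional user@, then [IPv6] or a token that ends
# at the port, a parameter, a header list or the closing angle bracket.
HOST_RE = re.compile(r"^sips?:(?:[^@]*@)?(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:;?>]+))")

def contact_host(uri):
    """Return the host of a SIP URI, or None if it does not parse."""
    m = HOST_RE.match(uri)
    return (m.group("v6") or m.group("host")) if m else None

def ban_candidate(line):
    """Return the address a ban action should act on for this line, or None."""
    m = AUTH_FAILED_RE.search(line)
    host = contact_host(m.group("uri")) if m else None
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname: do not resolve it, the sender controls it
    if not addr.is_global:
        return None  # private/loopback/link-local: never ban your own network
    return str(addr)

def scan(log):
    """Ban candidates for every line of a log, in order, duplicates kept."""
    return [a for a in (ban_candidate(l) for l in log.splitlines()) if a]
```

Note that the IP= field on the "New request" line is the transport source address and already shows the sender; the CT= field only helps on the auth-failure line, which carries no IP= at all.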
