[Spce-user] Block sip attacks

Henk henk at voipdigit.nl
Mon Feb 4 08:17:35 EST 2019 

Hi Daniel,

I have read the warning, so I changed kamailio.cfg.customtt.tt2 and did 
*not* make a tags_header.customtt.tt2. This time with the $ct variable.
As [%logreq -%] is expanded to R=$ru ID=$ci UA='$ua' I added the _new_ 
CT=$ct with escaped quotes and ; as terminator as specified:

[% argv.service='proxy'; PROCESS 
'/etc/ngcp-config/templates/etc/kamailio/tags_header.tt2' -%]
[% # Add here your customizations to parameters evaluated in file 
kamailio/tags_header.tt2 -%]
logreq="R=$ru ID=$ci *CT=$ct* UA=\'$ua\'";

#!KAMAILIO

So I think exactly as specified, but no result, as the first log in the 
generated auth.cfg still is
xlog("L_NOTICE", "Extracted caller info from PAI, 
subscriber=$var(realm_user)@$var(realm_domain) - *R=$ru ID=$ci 
UA='$ua'*\n");

I can also change constants.yml, or will this be overwritten by an upgrade?

Regards,

Henk

On 4-2-2019 13:07, Daniel Grotti wrote:
> Hi,
> have you read the ATTENTION warning at the beginning of tags_header.tt2 ?
> You can find there how to change it.
>
> Also, please DO NOT change the IP= , but rather ADD a new parameter 
> like CT=$ct
>
> --
> Daniel Grotti
>
> Head of Customer Support                               Sipwise GmbH
> e:dgrotti at sipwise.com                                Europaring F15
> t: +43(0)130120332                          A-2345 Brunn Am Gebirge
> w:www.sipwise.com           FN: 305595f      FG: LG Wiener Neustadt
> On 2/4/19 1:01 PM, Henk wrote:
>>
>> Hi Daniel,
>>
>> It looks I have to overwrite logreq from tag_header.tt2, but if I add 
>> the following line in kamailio.cfg.tt2 and build the configuration it 
>> does not have any effect:
>>
>> logreq="R=$ru ID=$ci IP=$ct UA=\'$ua\'";
>>
>> Any advise on what to change exactly?
>>
>> Regards,
>>
>> Henk
>>
>> On 4-2-2019 11:43, Daniel Grotti wrote:
>>> Hi Henk,
>>> you can either block the call by User Agent or you can print out the 
>>> Contact header in the log, if you want.
>>> You can use the "$ct" variable in the kamailio.cfg
>>>
>>> Cheers,
>>>
>>>
>>> --
>>> Daniel Grotti
>>>
>>> Head of Customer Support                               Sipwise GmbH
>>> e:dgrotti at sipwise.com                                Europaring F15
>>> t: +43(0)130120332                          A-2345 Brunn Am Gebirge
>>> w:www.sipwise.com           FN: 305595f      FG: LG Wiener Neustadt
>>> On 2/2/19 3:50 PM, Henk wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I'm using fail2ban and ipset-blocklist to protect my Sipwise 
>>>> system. But lately scanners are not detected by fail2ban anymore, 
>>>> as they are using local or random addresses like this:
>>>>
>>>> INVITE sip:0001130046423112923 at 172.31.1.100:5060 SIP/2.0
>>>> Via: SIP/2.0/TCP 
>>>> 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
>>>> Max-Forwards: 70
>>>> Contact: 
>>>> <sip:1234 at 102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
>>>> To: <sip:0001130046423112923 at 172.31.1.100:5060>
>>>> From: "1234"<sip:1234 at 172.31.1.100:5060>;tag=a9398072
>>>>
>>>> So only the contact header contains the real IP address. The proxy 
>>>> logs this (other request):
>>>>
>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on 
>>>> proxy - M=INVITE R=sip:988891046423112923 at 172.31.1.100:5060 
>>>> F=sip:1234 at 172.31.1.100:5060 
>>>> T=sip:988891046423112923 at 172.31.1.100:5060 IP=102.165.36.71:60384 
>>>> (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 
>>>> 11.2' DESTIP=127.0.0.1:5062
>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply 
>>>> S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - 
>>>> R=sip:988891046423112923 at 172.31.1.100:5060 
>>>> ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication 
>>>> failed, no credentials - 
>>>> R=sip:988891046423112923@*172.31.1.100*:5060 
>>>> ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
>>>>
>>>> So this cannot be used for fail2ban. Is there a way to log the real 
>>>> address of the attacker?
>>>>
>>>> Regards,
>>>>
>>>> Henk
>>>>
>>>>
>>>> _______________________________________________
>>>> Spce-user mailing list
>>>> Spce-user at lists.sipwise.com
>>>> https://lists.sipwise.com/listinfo/spce-user
>>>
>>>
>>>
>>> _______________________________________________
>>> Spce-user mailing list
>>> Spce-user at lists.sipwise.com
>>> https://lists.sipwise.com/listinfo/spce-user
>>
>>
>> _______________________________________________
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> https://lists.sipwise.com/listinfo/spce-user
>
>
>
> _______________________________________________
> Spce-user mailing list
> Spce-user at lists.sipwise.com
> https://lists.sipwise.com/listinfo/spce-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20190204/d9cd4faa/attachment-0001.html>

More information about the Spce-user mailing list