[Spce-user] Block sip attacks

Daniel Grotti dgrotti at sipwise.com
Mon Feb 4 09:02:36 EST 2019


Hi Henk,
I checked that, and that's not the proper way to add it.
You should go into constants.yml, under kamailio.lb.log or 
kamailio.proxy.log (depending on where you want to add the field), and add the 
new info there under "request" and/or "request_init" and/or "response", 
for example:

request:
  - R=$ru
  - ID=$ci
  - CT=$ct
  - UA='$ua'
request_init:
  - M=$rm
  - R=$ru
  - F=$fu
  - T=$tu
  - IP=$pr:$si:$sp
  - CT=$ct
  - ID=$ci
  - UA='$ua'
  - DESTIP=$Ri:$Rp
response:



--
Daniel Grotti

Head of Customer Support                               Sipwise GmbH
e: dgrotti at sipwise.com                               Europaring F15
t: +43(0)130120332                          A-2345 Brunn Am Gebirge
w: www.sipwise.com          FN: 305595f      FG: LG Wiener Neustadt
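Once the CT=$ct field is in the proxy log, a fail2ban-style filter can key on the Contact host for the "Authentication failed" lines that carry no IP= field. The following is an added example (not Sipwise/NGCP code) that parses constructed log lines modelled on the ones in this thread, prefers the socket source (IP=) over the sender-supplied Contact, ignores the private addresses in R=/F=/T=, and counts failures per real source IP:

```python
import ipaddress
import re
from collections import Counter

# Socket-level source as printed in request_init lines (IP=$pr:$si:$sp, so
# "IP=tcp:1.2.3.4:5060" or "IP=1.2.3.4:5060"); \b keeps DESTIP= from matching.
SOURCE_RE = re.compile(r"\bIP=(?:[A-Za-z]+:)?(\d{1,3}(?:\.\d{1,3}){3}):\d+")
# Host part of the SIP URI in the logged Contact header (the added CT=$ct field).
CONTACT_RE = re.compile(r"\bCT=<?sip:(?:[^@>\s;]+@)?(\d{1,3}(?:\.\d{1,3}){3})")
FAILURE_MARKER = "Authentication failed"

def sender_ip(line):
    """Return the routable IP a request really came from, or None.

    R=/F=/T= are sender-controlled (the thread shows 172.31.1.100 in them), so
    they are never consulted.  IP= (the socket source) wins; CT= is only a
    fallback for lines without IP=.  Contact is sender-supplied too, so a ban
    keyed on CT= alone could be steered at a third party; private/loopback
    addresses are dropped for the same reason."""
    for pattern in (SOURCE_RE, CONTACT_RE):
        m = pattern.search(line)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:  # e.g. "999.1.1.1" slipped through the regex
                continue
            if ip.is_global:
                return str(ip)
    return None

def failures_by_ip(lines, threshold=3):
    """Count failed authentications per real source IP and return those that
    reached the threshold, i.e. what a fail2ban ban action would act on."""
    counts = Counter()
    for line in lines:
        if FAILURE_MARKER in line:
            ip = sender_ip(line)
            if ip:
                counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines modelled on the thread's log output, with CT= added.
FAILED_SCAN = ("Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, "
               "no credentials - R=sip:988891046423112923@172.31.1.100:5060 "
               "CT=<sip:1234@102.165.36.71:10959;ob;transport=tcp> "
               "ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>")
FAILED_LAN = ("Feb  2 00:02:01 spce proxy[15788]: NOTICE: <script>: Authentication failed, "
              "no credentials - R=sip:100@172.31.1.100:5060 CT=<sip:100@10.0.0.7:5060> "
              "ID=abc123.. UA='lan-phone' Auth=<null>")
SAMPLE_LOG = [FAILED_SCAN] * 3 + [FAILED_LAN]

if __name__ == "__main__":
    print(failures_by_ip(SAMPLE_LOG))  # {'102.165.36.71': 3}
```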

On 2/4/19 2:17 PM, Henk wrote:
>
> Hi Daniel,
>
> I have read the warning, so I changed kamailio.cfg.customtt.tt2 and 
> did *not* make a tags_header.customtt.tt2. This time with the $ct 
> variable.
> As [%logreq -%] is expanded to R=$ru ID=$ci UA='$ua' I added the _new_ 
> CT=$ct with escaped quotes and ; as terminator as specified:
>
> [% argv.service='proxy'; PROCESS 
> '/etc/ngcp-config/templates/etc/kamailio/tags_header.tt2' -%]
> [% # Add here your customizations to parameters evaluated in file 
> kamailio/tags_header.tt2 -%]
> logreq="R=$ru ID=$ci *CT=$ct* UA=\'$ua\'";
>
> #!KAMAILIO
>
> So I think exactly as specified, but no result, as the first log in 
> the generated auth.cfg still is
> xlog("L_NOTICE", "Extracted caller info from PAI, 
> subscriber=$var(realm_user)@$var(realm_domain) - *R=$ru ID=$ci 
> UA='$ua'*\n");
>
> I can also change constants.yml, or will this be overwritten by an 
> upgrade?
>
> Regards,
>
> Henk
>
> On 4-2-2019 13:07, Daniel Grotti wrote:
>> Hi,
>> have you read the ATTENTION warning at the beginning of tags_header.tt2?
>> You can find there how to change it.
>>
>> Also, please DO NOT change the IP= , but rather ADD a new parameter 
>> like CT=$ct
>>
>> On 2/4/19 1:01 PM, Henk wrote:
>>>
>>> Hi Daniel,
>>>
>>> It looks like I have to overwrite logreq from tag_header.tt2, but if I 
>>> add the following line in kamailio.cfg.tt2 and build the 
>>> configuration it does not have any effect:
>>>
>>> logreq="R=$ru ID=$ci IP=$ct UA=\'$ua\'";
>>>
>>> Any advice on what to change exactly?
>>>
>>> Regards,
>>>
>>> Henk
>>>
>>> On 4-2-2019 11:43, Daniel Grotti wrote:
>>>> Hi Henk,
>>>> you can either block the call by User Agent or you can print out 
>>>> the Contact header in the log, if you want.
>>>> You can use the "$ct" variable in the kamailio.cfg
>>>>
>>>> Cheers,
>>>>
>>>>
>>>> On 2/2/19 3:50 PM, Henk wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm using fail2ban and ipset-blocklist to protect my Sipwise 
>>>>> system. But lately scanners are not detected by fail2ban anymore, 
>>>>> as they are using local or random addresses like this:
>>>>>
>>>>> INVITE sip:0001130046423112923 at 172.31.1.100:5060 SIP/2.0
>>>>> Via: SIP/2.0/TCP 
>>>>> 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
>>>>> Max-Forwards: 70
>>>>> Contact: 
>>>>> <sip:1234 at 102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
>>>>> To: <sip:0001130046423112923 at 172.31.1.100:5060>
>>>>> From: "1234"<sip:1234 at 172.31.1.100:5060>;tag=a9398072
>>>>>
>>>>> So only the contact header contains the real IP address. The proxy 
>>>>> logs this (other request):
>>>>>
>>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request 
>>>>> on proxy - M=INVITE R=sip:988891046423112923 at 172.31.1.100:5060 
>>>>> F=sip:1234 at 172.31.1.100:5060 
>>>>> T=sip:988891046423112923 at 172.31.1.100:5060 IP=102.165.36.71:60384 
>>>>> (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 
>>>>> 11.2' DESTIP=127.0.0.1:5062
>>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply 
>>>>> S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - 
>>>>> R=sip:988891046423112923 at 172.31.1.100:5060 
>>>>> ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
>>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: 
>>>>> Authentication failed, no credentials - 
>>>>> R=sip:988891046423112923@*172.31.1.100*:5060 
>>>>> ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
>>>>>
>>>>> So this cannot be used for fail2ban. Is there a way to log the 
>>>>> real address of the attacker?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Henk
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Spce-user mailing list
>>>>> Spce-user at lists.sipwise.com
>>>>> https://lists.sipwise.com/listinfo/spce-user
