[Spce-user] Block sip attacks

Henk henk at voipdigit.nl
Mon Feb 4 09:11:13 EST 2019


Thanks, it's working now.

Regards,

Henk


On 4-2-2019 15:02, Daniel Grotti wrote:
> Hi Henk,
> I checked that, and that's not the proper way to add that.
> You should go in constant.yml, under kamailio.lb.log or 
> kamailio.proxy.log (depends where you want to add the field) and add 
> the new info there under "request" and/or "request_init" and/or 
> "response", for example:
>
> request:
>   - R=$ru
>   - ID=$ci
>   - CT=$ct
>   - UA='$ua'
> request_init:
>   - M=$rm
>   - R=$ru
>   - F=$fu
>   - T=$tu
>   - IP=$pr:$si:$sp
>   - CT=$ct
>   - ID=$ci
>   - UA='$ua'
>   - DESTIP=$Ri:$Rp
> response:
>
>
>
> --
> Daniel Grotti
>
> Head of Customer Support                               Sipwise GmbH
> e:dgrotti at sipwise.com                                Europaring F15
> t: +43(0)130120332                          A-2345 Brunn Am Gebirge
> w:www.sipwise.com           FN: 305595f      FG: LG Wiener Neustadt
> On 2/4/19 2:17 PM, Henk wrote:
>>
>> Hi Daniel,
>>
>> I have read the warning, so I changed kamailio.cfg.customtt.tt2 and 
>> did *not* make a tags_header.customtt.tt2. This time with the $ct 
>> variable.
>> As [%logreq -%] is expanded to R=$ru ID=$ci UA='$ua' I added the 
>> _new_ CT=$ct with escaped quotes and ; as terminator as specified:
>>
>> [% argv.service='proxy'; PROCESS 
>> '/etc/ngcp-config/templates/etc/kamailio/tags_header.tt2' -%]
>> [% # Add here your customizations to parameters evaluated in file 
>> kamailio/tags_header.tt2 -%]
>> logreq="R=$ru ID=$ci *CT=$ct* UA=\'$ua\'";
>>
>> #!KAMAILIO
>>
>> So I think exactly as specified, but no result, as the first log in 
>> the generated auth.cfg still is
>> xlog("L_NOTICE", "Extracted caller info from PAI, 
>> subscriber=$var(realm_user)@$var(realm_domain) - *R=$ru ID=$ci 
>> UA='$ua'*\n");
>>
>> I can also change constants.yml, or will this be overwritten by an 
>> upgrade?
>>
>> Regards,
>>
>> Henk
>>
>> On 4-2-2019 13:07, Daniel Grotti wrote:
>>> Hi,
>>> have you read the ATTENTION warning at the beginning of 
>>> tags_header.tt2 ?
>>> You can find there how to change it.
>>>
>>> Also, please DO NOT change the IP= , but rather ADD a new parameter 
>>> like CT=$ct
>>>
>>> --
>>> Daniel Grotti
>>>
>>> Head of Customer Support                               Sipwise GmbH
>>> e:dgrotti at sipwise.com                                Europaring F15
>>> t: +43(0)130120332                          A-2345 Brunn Am Gebirge
>>> w:www.sipwise.com           FN: 305595f      FG: LG Wiener Neustadt
>>> On 2/4/19 1:01 PM, Henk wrote:
>>>>
>>>> Hi Daniel,
>>>>
>>>> It looks like I have to overwrite logreq from tags_header.tt2, but if I 
>>>> add the following line in kamailio.cfg.tt2 and build the 
>>>> configuration it does not have any effect:
>>>>
>>>> logreq="R=$ru ID=$ci IP=$ct UA=\'$ua\'";
>>>>
>>>> Any advice on what to change exactly?
>>>>
>>>> Regards,
>>>>
>>>> Henk
>>>>
>>>> On 4-2-2019 11:43, Daniel Grotti wrote:
>>>>> Hi Henk,
>>>>> you can either block the call by User Agent or you can print out 
>>>>> the Contact header in the log, if you want.
>>>>> You can use the "$ct" variable in the kamailio.cfg
>>>>>
>>>>> Cheers,
>>>>>
>>>>>
>>>>> --
>>>>> Daniel Grotti
>>>>>
>>>>> Head of Customer Support                               Sipwise GmbH
>>>>> e:dgrotti at sipwise.com                                Europaring F15
>>>>> t: +43(0)130120332                          A-2345 Brunn Am Gebirge
>>>>> w:www.sipwise.com           FN: 305595f      FG: LG Wiener Neustadt
>>>>> On 2/2/19 3:50 PM, Henk wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm using fail2ban and ipset-blocklist to protect my Sipwise 
>>>>>> system. But lately scanners are not detected by fail2ban anymore, 
>>>>>> as they are using local or random addresses like this:
>>>>>>
>>>>>> INVITE sip:0001130046423112923@172.31.1.100:5060 SIP/2.0
>>>>>> Via: SIP/2.0/TCP 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
>>>>>> Max-Forwards: 70
>>>>>> Contact: <sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
>>>>>> To: <sip:0001130046423112923@172.31.1.100:5060>
>>>>>> From: "1234"<sip:1234@172.31.1.100:5060>;tag=a9398072
>>>>>>
>>>>>> So only the contact header contains the real IP address. The 
>>>>>> proxy logs this (other request):
>>>>>>
>>>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
>>>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
>>>>>> Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@*172.31.1.100*:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>
>>>>>>
>>>>>> So this cannot be used for fail2ban. Is there a way to log the 
>>>>>> real address of the attacker?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Henk
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Spce-user mailing list
>>>>>> Spce-user at lists.sipwise.com
>>>>>> https://lists.sipwise.com/listinfo/spce-user
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>

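The detection step Henk is after, as an added example that is not part of the thread and is not Sipwise or fail2ban code: Python (the language fail2ban filters are matched with) that pulls the host out of the CT=$ct field once it appears in the proxy's "Authentication failed" line, and only counts it when it is a globally routable IP literal. The log lines are constructed to mirror the format quoted in the thread; where exactly CT= lands in the line depends on where it is added in constants.yml, so its position here, the IPv6 and hostname cases, and the filter file name are assumptions.

```python
"""Extract the attacker address from the Contact header (CT= field) in a
Sipwise proxy "Authentication failed" log line, the way a fail2ban filter
would. Added example for this thread, not Sipwise or fail2ban code."""
import re
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed sample lines: the first two mirror the thread's log format,
# with CT=$ct assumed to sit between ID= and UA= in the auth-failure line.
SAMPLE_LOG: List[str] = [
    "Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy"
    " - M=INVITE R=sip:988891046423112923@172.31.1.100:5060"
    " F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060"
    " IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.."
    " UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062",
    "Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed,"
    " no credentials - R=sip:988891046423112923@172.31.1.100:5060"
    " ID=qeClERktVcCMa3Srchan0g.."
    " CT=<sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance="
    "\"<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>\""
    " UA='PortSIP VoIP SDK 11.2' Auth=<null>",
    # Same scanner again, so it is counted twice.
    "Feb  2 00:01:24 spce proxy[15788]: NOTICE: <script>: Authentication failed,"
    " no credentials - R=sip:988891046423112924@172.31.1.100:5060"
    " ID=qeClERktVcCMa3Srchan0h.."
    " CT=<sip:1234@102.165.36.71:10959;ob;transport=tcp>"
    " UA='PortSIP VoIP SDK 11.2' Auth=<null>",
    # Private address in Contact: nothing useful to ban (constructed).
    "Feb  2 00:02:10 spce proxy[15788]: NOTICE: <script>: Authentication failed,"
    " no credentials - R=sip:100@172.31.1.100:5060 ID=abc123.."
    " CT=<sip:100@10.0.0.5:5060> UA='friendly-scanner' Auth=<null>",
    # Bracketed IPv6 literal from the documentation range (constructed).
    "Feb  2 00:03:00 spce proxy[15788]: NOTICE: <script>: Authentication failed,"
    " no credentials - R=sip:100@172.31.1.100:5060 ID=def456.."
    " CT=<sip:100@[2001:db8::1]:5060> UA='x' Auth=<null>",
    # Hostname in Contact: never resolve and ban an attacker-chosen name.
    "Feb  2 00:04:00 spce proxy[15788]: NOTICE: <script>: Authentication failed,"
    " no credentials - R=sip:100@172.31.1.100:5060 ID=ghi789.."
    " CT=<sip:bob@pbx.example.net;transport=udp> UA='x' Auth=<null>",
]

# Host part of the Contact URI: optional user@ prefix, then either a
# bracketed IPv6 literal or anything up to the port, parameters or '>'.
CONTACT_HOST_RE = re.compile(
    r"Authentication failed.*?\bCT=<?sips?:(?:[^@>\s]*@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:;>]+)"
)


def contact_host(line: str) -> Optional[str]:
    """Return the host from the CT= field of an auth-failure line, else None."""
    m = CONTACT_HOST_RE.search(line)
    if not m:
        return None
    return m.group("host").strip("[]")


def bannable(host: str) -> bool:
    """Contact is client-supplied and unauthenticated, so accept only a
    literal, globally routable IP: a scanner can put any address there, and
    banning private ranges or resolving names would let it choose the victim."""
    try:
        return ip_address(host).is_global
    except ValueError:  # hostname or garbage, not an IP literal
        return False


def scan(lines: List[str]) -> Dict[str, int]:
    """Count auth failures per bannable Contact host, like a jail's maxretry."""
    counts: Dict[str, int] = {}
    for line in lines:
        host = contact_host(line)
        if host is not None and bannable(host):
            counts[host] = counts.get(host, 0) + 1
    return counts


# The same match as a fail2ban filter (file name assumed); <HOST> is
# fail2ban's address placeholder. Check it with
#   fail2ban-regex <proxy log file> /etc/fail2ban/filter.d/sip-contact.conf
# before enabling a jail on it.
FAIL2BAN_FILTER = r"""[Definition]
failregex = Authentication failed.*\bCT=<?sips?:(?:[^@>\s]*@)?<HOST>
ignoreregex =
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(contact_host(entry))
    print(scan(SAMPLE_LOG))
```

Because the Contact header is whatever the client chose to send, a ban keyed on it can be steered at a third party or at one of your own trunks; keep those addresses in the jail's ignoreip, leave usedns off so hostnames in Contact are never resolved, and prefer short ban times.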