On 3/26/14, 2:40 PM, Rainer Piper wrote:
Hi Andres,
Today I had a very funny one ... an Amazon server tried to relay over my server.
I see that. It's cheap and easy to use an Amazon server for this purpose. Plus you can change its public IP by shutting down and starting the instance again.
LOG Data:
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
-------- Original Message --------
Hi,
The IP 184.72.211.251 has just been banned by Fail2Ban after 1 attempts against KAMAILIO.
Here are more information about 184.72.211.251:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

#
# Query terms are ambiguous. The query is assumed to be:
# "n 184.72.211.251"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showAR...
#

NetRange: 184.72.0.0 - 184.73.255.255
CIDR: 184.72.0.0/15
OriginAS:
NetName: AMAZON-EC2-7
NetHandle: NET-184-72-0-0-1
Parent: NET-184-0-0-0-0
NetType: Direct Assignment
Comment: The activity you have detected originates from a
Comment: dynamic hosting environment.
Comment: For fastest response, please submit abuse reports at
Comment: http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment: For more information regarding EC2 see:
Comment: http://ec2.amazonaws.com/
Comment: All reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify
Comment: the correct owner of the IP address at that
Comment: point in time.
RegDate: 2010-01-26
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-184-72-0-0-1

OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US
RegDate: 2005-09-29
Updated: 2009-06-02
Comment: For details of this service please see
Comment: http://ec2.amazonaws.com/
Ref: http://whois.arin.net/rest/org/AMAZO-4

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: ec2-abuse@amazon.com
OrgAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN

OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: aes-noc@amazon.com
OrgTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RNOCHandle: ANO24-ARIN
RNOCName: Amazon EC2 Network Operations
RNOCPhone: +1-206-266-4064
RNOCEmail: aes-noc@amazon.com
RNOCRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RTechHandle: ANO24-ARIN
RTechName: Amazon EC2 Network Operations
RTechPhone: +1-206-266-4064
RTechEmail: aes-noc@amazon.com
RTechRef: http://whois.arin.net/rest/poc/ANO24-ARIN

RAbuseHandle: AEA8-ARIN
RAbuseName: Amazon EC2 Abuse
RAbusePhone: +1-206-266-4064
RAbuseEmail: ec2-abuse@amazon.com
RAbuseRef: http://whois.arin.net/rest/poc/AEA8-ARIN
Lines containing IP:184.72.211.251 in /var/log/kamailio.log
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
Regards,
Fail2Ban
--
*Rainer Piper*
NOC - +49 (0)228 97167161 - sip.soho-piper.de
NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
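Added example, not part of the original thread and not code from Kamailio or Fail2Ban: the WHOIS comment above lists what an EC2 abuse report must include, and this Python code collects those fields from the pike log lines quoted in the post. The year, UTC offset, destination IP and port, and contact address are assumptions passed in by the caller, because the syslog lines carry none of them; the function name and the placeholder values are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Log lines copied from the post above.
SAMPLE_LOG = """\
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
"""

STAMP = r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ "
PIKE_RE = re.compile(STAMP + r".*PIKE - BLOCKing ip (?P<ip>[\d.]+)")
SCRIPT_RE = re.compile(
    STAMP + r".*pike blocking (?P<method>\w+) from \S+ \(IP:(?P<ip>[\d.]+):(?P<port>\d+)\)")


def build_abuse_reports(log_text, year, utc_offset_hours, dest_ip, dest_port, contact):
    """Group pike block events by source IP into the fields the WHOIS
    comment lists as required. Syslog lines carry no year or timezone, so
    the caller supplies both; dest_ip, dest_port and contact are not in the
    log either and are passed in (assumed values)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    reports = {}
    for line in log_text.splitlines():
        m = PIKE_RE.match(line) or SCRIPT_RE.match(line)
        if not m:
            continue  # e.g. the IPTABLES line: a reaction, not a detection
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        r = reports.setdefault(m["ip"], {
            "src_ip": m["ip"], "dest_ip": dest_ip, "dest_port": dest_port,
            "first_seen": when, "last_seen": when, "blocks": 0,
            "methods": set(), "src_ports": set(), "log_extract": [],
            "contact": contact})
        r["first_seen"] = min(r["first_seen"], when)
        r["last_seen"] = max(r["last_seen"], when)
        r["log_extract"].append(line)
        if m.re is PIKE_RE:
            r["blocks"] += 1  # one pike module warning per block decision
        else:
            r["methods"].add(m["method"])
            r["src_ports"].add(int(m["port"]))
    return reports


if __name__ == "__main__":
    # Assumed values: UTC offset, destination and contact are placeholders.
    for rep in build_abuse_reports(SAMPLE_LOG, 2014, 1, "192.0.2.10", 5060,
                                   "noc@example.org").values():
        for key, value in rep.items():
            print(f"{key}: {value}")
```

Because the source address changes when the instance is restarted, the timestamp with an explicit offset is the field that lets the provider tie the report to whoever held the IP at that moment.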