I second fail2ban. I block IP addresses with failed registration attempts for 1 hour. Here is my setup:
kamailio.cfg:
    if (is_method("REGISTER")) {
        if (www_authorize("", "subscriber") < 0) {
            if ($rc == -1) {
                # unknown user: log the source and answer 200 OK instead of 4xx
                xlog("L_INFO", "Invalid username from $proto:$si:$sp\n");
                sl_send_reply("200", "OK");
            } else {
                www_challenge("", "0");
            }
            exit;
        }
        ....
/etc/fail2ban/filter.d/openser.conf:
    [Definition]
    #_daemon = kamailio
    failregex = Invalid username from ...:<HOST>:
/etc/fail2ban/jail.conf:
    findtime = 600

    [openser-iptables]
    enabled  = true
    filter   = openser
    action   = iptables-allports[name=OPENSER, protocol=all]
    logpath  = /var/log/openser/openser   # Replace with your sr log location
    maxretry = 10
    bantime  = 3600
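As an added illustration (not part of the post above, nor fail2ban's or Kamailio's own code), the script below replays the jail logic the configuration above expresses: it applies the filter's failregex to constructed syslog-style lines of the form kamailio's xlog() produces, keeps a per-host window of findtime seconds, bans a host once maxretry failures fall inside that window, and lets the ban lapse after bantime. The log lines, host addresses and the `<HOST>` expansion to an IPv4 pattern are assumptions made for the example; fail2ban substitutes its own broader host pattern and fires iptables instead of recording the ban in a list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the filter above, with fail2ban's <HOST> tag expanded by hand
# to an IPv4 capture group (fail2ban's real expansion also accepts hostnames).
FAILREGEX = re.compile(
    r"Invalid username from ...:(?P<host>\d{1,3}(?:\.\d{1,3}){3}):")

# Syslog-style timestamp prefix, as a syslog daemon writes kamailio's xlog() output.
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_line(line, year=2010):
    """Return (epoch_seconds, source_ip) for a line matching the filter, else None."""
    m_ts = SYSLOG_TS.match(line)
    m_fail = FAILREGEX.search(line)
    if not (m_ts and m_fail):
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m_fail.group("host")


class Jail:
    """Minimal re-implementation of fail2ban's findtime/maxretry/bantime rule."""

    def __init__(self, findtime=600, maxretry=10, bantime=3600):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.failures = defaultdict(deque)  # host -> failure timestamps inside findtime
        self.banned_until = {}              # host -> epoch second when the ban expires
        self.bans = []                      # (host, epoch second) ban events, in order

    def is_banned(self, host, now):
        return self.banned_until.get(host, 0) > now

    def observe(self, now, host):
        if self.is_banned(host, now):
            return  # iptables is already dropping this source
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()            # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[host] = now + self.bantime
            self.bans.append((host, now))
            window.clear()


def run_jail(lines, **jail_opts):
    """Feed log lines through the filter and jail; return the Jail for inspection."""
    jail = Jail(**jail_opts)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            jail.observe(*parsed)
    return jail


# Constructed sample log (documentation-range addresses, not real attackers).
def _line(hh_mm_ss, host, port=5060):
    return (f"Oct 24 {hh_mm_ss} proxy kamailio[4242]: INFO: <script>: "
            f"Invalid username from udp:{host}:{port}")

SAMPLE_LOG = (
    [_line(f"10:00:{s:02d}", "203.0.113.5") for s in range(0, 50, 5)]   # 10 failures in 45 s
    + [_line(f"10:01:{s:02d}", "198.51.100.7") for s in (0, 20, 40)]    # only 3 failures
    + [_line(f"10:{m:02d}:00", "192.0.2.9") for m in range(10, 30, 2)]   # 10 failures over 18 min
    + ["Oct 24 10:30:00 proxy kamailio[4242]: INFO: <script>: "
       "REGISTER ok from udp:203.0.113.5:5060"]                          # does not match failregex
)

if __name__ == "__main__":
    jail = run_jail(SAMPLE_LOG)  # defaults mirror the jail.conf above
    for host, when in jail.bans:
        print(f"ban {host} at {datetime.fromtimestamp(when):%H:%M:%S} "
              f"for {jail.bantime} s")
```

With the defaults only 203.0.113.5 is banned: 198.51.100.7 never reaches maxretry, and 192.0.2.9's ten failures are spread over more than findtime, so at most six of them ever sit in the window at once. Lowering maxretry to 3 bans all three, which is the trade-off the thread discusses: a short findtime with a low maxretry catches slow scanners, but also risks locking out a legitimate user who mistypes a password a few times.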
On Sunday 24 October 2010, Uriel Rozenbaum wrote:
Juha,
I think we should be especially careful about black-lists. We receive many of these attacks on a per-day basis and a lot of them are from residential addresses or universities, so I'm guessing some kind of worm or trojan is performing the attack from various IPs.
If you have the time, try the fail2ban daemon. It can relate some brute-force events and act accordingly, blocking an IP on iptables or executing a script. You send those addresses to "jail" for a period of time, then you can get them out again; and of course you can manually revert.
Last, as a description of the attacks I saw: first it runs an NMAP-like scan checking which IPs answer on 5060, then it starts sending REGISTERs (usually asterisk answers 404 if the user does not exist); then when the proxy challenges, it interprets that the user was found and starts making dictionary attacks on the password (1234, admin, and so on). Keep safe, complicated passwords, make kamailio challenge everything and you'll be safe. And again, fail2ban is a pretty good solution for brute force.
This might help you find a solution for your attacks.
Cheers, Uriel
On Sun, Oct 24, 2010 at 8:54 AM, Juha Heinanen jh@tutpro.com wrote:
while doing some tests, i noticed that one of my proxies started to receive lots of register requests with different user names starting from a letter. there were also invite attempts in the logs. they came from ip 202.82.16.99 which according to traceroute is somewhere in china.
should we start publishing a black list of these attack ip addresses?
-- juha
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users