26 Nov
2013
26 Nov
'13
11:17 p.m.
I am running Kamailio in CentOS. I ran tcpdump and noticed that we are getting attacked
from IP 188.138.32.72. I have already blocked it on IPtables, but he keeps on attacking
the server. If I look at "/var/log/secure" there are no SIP messages. My
question is where is the log file for Kamailio and how can I prevent this type of attacks
in the future.
Thanks,
26 Nov
26 Nov
11:28 p.m.
Most likely it's a bogus script.
Sometimes just sending a dummy reply, will stop the script sending SIP requests.
Check the User-Agent header and from username to see if you can
identify the script and google around for it.
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
I am running Kamailio in CentOS. I ran tcpdump and
noticed that we are getting attacked from IP 188.138.32.72. I have already blocked it on
IPtables, but he keeps on attacking the server. If I look at "/var/log/secure"
there are no SIP messages. My question is where is the log file for Kamailio and how can
I prevent this type of attacks in the future.
Thanks,
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
11:32 p.m.
it is comming from "friendly-scanner" The other issue I have is that
"/var/log/secure" is not getting the sip requests so the only way I realize it
is happeing is from tcpdump. If the secure file is not picking it up then iptables wont
know about it. How can I tell iptables to listen for sip requests? I have already added
the IP to the blocked IP's but he still keeps on comming.
Thanks,
On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
Most likely it's a bogus script.
Sometimes just sending a dummy reply, will stop the script sending SIP requests.
Check the User-Agent header and from username to see if you can
identify the script and google around for it.
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
I am running Kamailio in CentOS. I ran tcpdump
and noticed that we are getting attacked from IP 188.138.32.72. I have already blocked it
on IPtables, but he keeps on attacking the server. If I look at
"/var/log/secure" there are no SIP messages. My question is where is the log
file for Kamailio and how can I prevent this type of attacks in the future.
Thanks,
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
11:41 p.m.
Google around for "friendly-scanner" to learn more about it.
In the mean time, allow the packets to be handled by kamailio and send
a 200ok back - maybe this will stop the attack.
After the attack is stopped, simply drop all "friendly-scanner" SIP requests :)
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
it is comming from "friendly-scanner" The
other issue I have is that "/var/log/secure" is not getting the sip requests so
the only way I realize it is happeing is from tcpdump. If the secure file is not picking
it up then iptables wont know about it. How can I tell iptables to listen for sip
requests? I have already added the IP to the blocked IP's but he still keeps on
comming.
Thanks,
On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
--
VoIP Embedded, Inc.
http://www.voipembedded.com
Most likely it's a bogus script.
Sometimes just sending a dummy reply, will stop the script sending SIP requests.
Check the User-Agent header and from username to see if you can
identify the script and google around for it.
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users I am running Kamailio in CentOS. I ran tcpdump
and noticed that we are getting attacked from IP 188.138.32.72. I have already blocked it
on IPtables, but he keeps on attacking the server. If I look at
"/var/log/secure" there are no SIP messages. My question is where is the log
file for Kamailio and how can I prevent this type of attacks in the future.
Thanks,
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
11:53 p.m.
How can I do this? Is there an article I can reference or something? I am new to
kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
Google around for "friendly-scanner" to
learn more about it.
In the mean time, allow the packets to be handled by kamailio and send
a 200ok back - maybe this will stop the attack.
After the attack is stopped, simply drop all "friendly-scanner" SIP requests
:)
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
it is comming from "friendly-scanner"
The other issue I have is that "/var/log/secure" is not getting the sip requests
so the only way I realize it is happeing is from tcpdump. If the secure file is not
picking it up then iptables wont know about it. How can I tell iptables to listen for sip
requests? I have already added the IP to the blocked IP's but he still keeps on
comming.
Thanks,
On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users Most likely it's a bogus script.
Sometimes just sending a dummy reply, will stop the script sending SIP requests.
Check the User-Agent header and from username to see if you can
identify the script and google around for it.
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users I am running Kamailio in CentOS. I ran tcpdump
and noticed that we are getting attacked from IP 188.138.32.72. I have already blocked it
on IPtables, but he keeps on attacking the server. If I look at
"/var/log/secure" there are no SIP messages. My question is where is the log
file for Kamailio and how can I prevent this type of attacks in the future.
Thanks,
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users 
11:59 p.m.
Hello
please follow this link
http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack this is a good
tuturial about preventing sip attack's
Regards
2013/11/26 Joli Martinez <mrjoli021(a)gmail.com>
How can I do this? Is there an article I can
reference or something? I
am new to kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Cumprimentos
José Seabra
Google around for "friendly-scanner" to
learn more about it.
In the mean time, allow the packets to be handled by kamailio and send
a 200ok back - maybe this will stop the attack.
After the attack is stopped, simply drop all "friendly-scanner" SIP
requests :)
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com>
wrote:
> it is comming from
"friendly-scanner" The other issue I have is that
"/var/log/secure" is not getting the sip requests so the only way I realize
it is happeing is from tcpdump. If the secure file is not picking it up
then iptables wont know about it. How can I tell iptables to listen for
sip requests? I have already added the IP to the blocked IP's but he still
keeps on comming.
>
> Thanks,
>
> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
>
>> Most likely it's a bogus script.
>> Sometimes just sending a dummy reply, will stop the script sending SIP
requests.
>> Check the User-Agent header and from
username to see if you can
>> identify the script and google around for it.
>>
>> Regards,
>> Ovidiu Sas
>>
>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021(a)gmail.com>
wrote:
>>> I am running Kamailio in CentOS. I
ran tcpdump and noticed that we
are getting attacked from IP 188.138.32.72. I have
already blocked it on
IPtables, but he keeps on attacking the server. If I look at
"/var/log/secure" there are no SIP messages. My question is where is the
log file for Kamailio and how can I prevent this type of attacks in the
future.
>>>
>>> Thanks,
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users 
27 Nov
27 Nov
12:29 a.m.
Hi,
you can check the User-Agent reference $ua, if it is equal to
"friendly-scanner", just send back a reply with sl_send_reply("200",
"OK")
Daniel
On 11/26/2013 10:53 PM, Joli Martinez wrote:
How can I do this? Is there an article I can
reference or something? I am new to kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
Google around for "friendly-scanner" to
learn more about it.
In the mean time, allow the packets to be handled by kamailio and send
a 200ok back - maybe this will stop the attack.
After the attack is stopped, simply drop all "friendly-scanner" SIP requests
:)
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
it is comming from "friendly-scanner"
The other issue I have is that "/var/log/secure" is not getting the sip requests
so the only way I realize it is happeing is from tcpdump. If the secure file is not
picking it up then iptables wont know about it. How can I tell iptables to listen for sip
requests? I have already added the IP to the blocked IP's but he still keeps on
comming.
Thanks,
On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users Most likely it's a bogus script.
Sometimes just sending a dummy reply, will stop the script sending SIP requests.
Check the User-Agent header and from username to see if you can
identify the script and google around for it.
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
> I am running Kamailio in CentOS. I ran tcpdump and noticed that we are getting
attacked from IP 188.138.32.72. I have already blocked it on IPtables, but he keeps on
attacking the server. If I look at "/var/log/secure" there are no SIP messages.
My question is where is the log file for Kamailio and how can I prevent this type of
attacks in the future.
>
> Thanks,
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
1 a.m.
I have placed the code below right underneath the route portion in the kamailio.cfg file
restarted kamailio and I am still being attacked.
####### Routing Logic ########
# main request routing logic
route{
if ($ua=="friendly-scanner") {
sl_send_reply("200","OK");
exit;
}
On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti(a)sipwise.com> wrote:
Hi,
you can check the User-Agent reference $ua, if it is equal to
"friendly-scanner", just send back a reply with sl_send_reply("200",
"OK")
Daniel
On 11/26/2013 10:53 PM, Joli Martinez wrote:
How can I do this? Is there an article I can
reference or something? I am new to kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users Google around for "friendly-scanner" to
learn more about it.
In the mean time, allow the packets to be handled by kamailio and send
a 200ok back - maybe this will stop the attack.
After the attack is stopped, simply drop all "friendly-scanner" SIP requests
:)
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
it is comming from "friendly-scanner"
The other issue I have is that "/var/log/secure" is not getting the sip requests
so the only way I realize it is happeing is from tcpdump. If the secure file is not
picking it up then iptables wont know about it. How can I tell iptables to listen for sip
requests? I have already added the IP to the blocked IP's but he still keeps on
comming.
Thanks,
On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com> wrote:
> Most likely it's a bogus script.
> Sometimes just sending a dummy reply, will stop the script sending SIP requests.
> Check the User-Agent header and from username to see if you can
> identify the script and google around for it.
>
> Regards,
> Ovidiu Sas
>
> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez <mrjoli021(a)gmail.com> wrote:
>> I am running Kamailio in CentOS. I ran tcpdump and noticed that we are getting
attacked from IP 188.138.32.72. I have already blocked it on IPtables, but he keeps on
attacking the server. If I look at "/var/log/secure" there are no SIP messages.
My question is where is the log file for Kamailio and how can I prevent this type of
attacks in the future.
>>
>> Thanks,
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users(a)lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
10:31 a.m.
Do you have some example about malicious messages ?
D.
On 11/27/2013 12:00 AM, Joli Martinez wrote:
I have placed the code below right underneath the
route portion in the
kamailio.cfg file restarted kamailio and I am still being attacked.
####### Routing Logic ########
# main request routing logic
route{
if ($ua=="friendly-scanner") {
sl_send_reply("200","OK");
exit;
}
On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti(a)sipwise.com
<mailto:dgrotti@sipwise.com>> wrote:
Hi,
you can check the User-Agent reference $ua, if it is equal to
"friendly-scanner", just send back a reply with sl_send_reply("200",
"OK")
Daniel
On 11/26/2013 10:53 PM, Joli Martinez wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
How can I do this? Is there an article I can
reference or something?
I am new to kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com
<mailto:osas@voipembedded.com>> wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users Google around for "friendly-scanner" to
learn more about it.
In the mean time, allow the packets to be handled by kamailio and send
a 200ok back - maybe this will stop the attack.
After the attack is stopped, simply drop all "friendly-scanner" SIP
requests :)
Regards,
Ovidiu Sas
On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com
<mailto:mrjoli021@gmail.com>> wrote:
> it is comming from "friendly-scanner" The other issue I have is
> that "/var/log/secure" is not getting the sip requests so the only
> way I realize it is happeing is from tcpdump. If the secure file
> is not picking it up then iptables wont know about it. How can I
> tell iptables to listen for sip requests? I have already added the
> IP to the blocked IP's but he still keeps on comming.
>
> Thanks,
>
> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com
> <mailto:osas@voipembedded.com>> wrote:
>
>> Most likely it's a bogus script.
>> Sometimes just sending a dummy reply, will stop the script sending
>> SIP requests.
>> Check the User-Agent header and from username to see if you can
>> identify the script and google around for it.
>>
>> Regards,
>> Ovidiu Sas
>>
>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez
>> <mrjoli021(a)gmail.com <mailto:mrjoli021@gmail.com>> wrote:
>>> I am running Kamailio in CentOS. I ran tcpdump and noticed that
>>> we are getting attacked from IP 188.138.32.72. I have already
>>> blocked it on IPtables, but he keeps on attacking the server. If
>>> I look at "/var/log/secure" there are no SIP messages. My
>>> question is where is the log file for Kamailio and how can I
>>> prevent this type of attacks in the future.
>>>
>>> Thanks,
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>> mailing list
>>> sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>>
>> --
>> VoIP Embedded, Inc.
>> http://www.voipembedded.com
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>> list
>> sr-users(a)lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
VoIP Embedded, Inc.
http://www.voipembedded.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
10:47 a.m.
Never give any SIP response to any malicious SIP request, ignore it
completely. Usually such malicious attacks are done through bots (with
identifiable user--agent header), which send a basic / harmless SIP request
such as SIP OPTIONS and see if they get response, if they do then they
proceed with sending SIP REGISTER or INVITE and start actual brute-force
attack to crack the server. If on the other hand, you completely ignore
them and do not respond to them then they ignore you too and move on to
next target server.
if ($ua=="friendly-scanner") {
exit;
}
Thank you.
On Wed, Nov 27, 2013 at 9:31 AM, Daniel Grotti <dgrotti(a)sipwise.com> wrote:
Do you have some example about malicious messages ?
D.
On 11/27/2013 12:00 AM, Joli Martinez wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Mit freundlichen Grüßen
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_786pk(a)hotmail.com
Email: shaheryarkh(a)googlemail.com
I have placed the code below right underneath the
route portion in the
kamailio.cfg file restarted kamailio and I am still being attacked.
####### Routing Logic ########
# main request routing logic
route{
if ($ua=="friendly-scanner") {
sl_send_reply("200","OK");
exit;
}
On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti(a)sipwise.com
<mailto:dgrotti@sipwise.com>> wrote:
> Hi,
> you can check the User-Agent reference $ua, if it is equal to
> "friendly-scanner", just send back a reply with
sl_send_reply("200",
"OK")
>
> Daniel
>
>
>
> On 11/26/2013 10:53 PM, Joli Martinez wrote:
>> How can I do this? Is there an article I can reference or something?
>> I am new to kamailio and not sure how to do this.
>>
>> Thanks,
>>
>> On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com
>> <mailto:osas@voipembedded.com>> wrote:
>>
>>> Google around for "friendly-scanner" to learn more about it.
>>> In the mean time, allow the packets to be handled by kamailio and send
>>> a 200ok back - maybe this will stop the attack.
>>> After the attack is stopped, simply drop all "friendly-scanner"
SIP
>>> requests :)
>>>
>>> Regards,
>>> Ovidiu Sas
>>>
>>> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com
>>> <mailto:mrjoli021@gmail.com>> wrote:
>>>> it is comming from "friendly-scanner" The other issue I have
is
>>>> that "/var/log/secure" is not getting the sip requests so the
only
>>>> way I realize it is happeing is from tcpdump. If the secure file
>>>> is not picking it up then iptables wont know about it. How can I
>>>> tell iptables to listen for sip requests? I have already added the
>>>> IP to the blocked IP's but he still keeps on comming.
>>>>
>>>> Thanks,
>>>>
>>>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com
>>>> <mailto:osas@voipembedded.com>> wrote:
>>>>
>>>>> Most likely it's a bogus script.
>>>>> Sometimes just sending a dummy reply, will stop the script sending
>>>>> SIP requests.
>>>>> Check the User-Agent header and from username to see if you can
>>>>> identify the script and google around for it.
>>>>>
>>>>> Regards,
>>>>> Ovidiu Sas
>>>>>
>>>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez
>>>>> <mrjoli021(a)gmail.com <mailto:mrjoli021@gmail.com>>
wrote:
>>>>>> I am running Kamailio in CentOS. I ran tcpdump and noticed that
>>>>>> we are getting attacked from IP 188.138.32.72. I have already
>>>>>> blocked it on IPtables, but he keeps on attacking the server.
If
>>>>>> I look at "/var/log/secure" there are no SIP messages.
My
>>>>>> question is where is the log file for Kamailio and how can I
>>>>>> prevent this type of attacks in the future.
>>>>>>
>>>>>> Thanks,
>>>>>> _______________________________________________
>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>>>> mailing list
>>>>>> sr-users(a)lists.sip-router.org <mailto:
sr-users(a)lists.sip-router.org>
>>>>>>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> VoIP Embedded, Inc.
>>>>> http://www.voipembedded.com
>>>>>
>>>>> _______________________________________________
>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>>>> list
>>>>> sr-users(a)lists.sip-router.org
>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>>
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
list
>>>> sr-users(a)lists.sip-router.org
<mailto:sr-users@lists.sip-router.org>
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>>
>>> --
>>> VoIP Embedded, Inc.
>>> http://www.voipembedded.com
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
6:25 p.m.
Thanks,
that worked.
On Nov 27, 2013, at 3:47 AM, Muhammad Shahzad <shaheryarkh(a)gmail.com> wrote:
Never give any SIP response to any malicious SIP
request, ignore it completely. Usually such malicious attacks are done through bots (with
identifiable user--agent header), which send a basic / harmless SIP request such as SIP
OPTIONS and see if they get response, if they do then they proceed with sending SIP
REGISTER or INVITE and start actual brute-force attack to crack the server. If on the
other hand, you completely ignore them and do not respond to them then they ignore you too
and move on to next target server.
if ($ua=="friendly-scanner") {
exit;
}
Thank you.
On Wed, Nov 27, 2013 at 9:31 AM, Daniel Grotti <dgrotti(a)sipwise.com> wrote:
Do you have some example about malicious messages ?
D.
On 11/27/2013 12:00 AM, Joli Martinez wrote:
I have placed the code below right underneath the
route portion in the
kamailio.cfg file restarted kamailio and I am still being attacked.
####### Routing Logic ########
# main request routing logic
route{
if ($ua=="friendly-scanner") {
sl_send_reply("200","OK");
exit;
}
On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgrotti(a)sipwise.com
<mailto:dgrotti@sipwise.com>> wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Mit freundlichen Grüßen
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_786pk(a)hotmail.com
Email: shaheryarkh(a)googlemail.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users Hi,
you can check the User-Agent reference $ua, if it is equal to
"friendly-scanner", just send back a reply with sl_send_reply("200",
"OK")
Daniel
On 11/26/2013 10:53 PM, Joli Martinez wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
How can I do this? Is there an article I can
reference or something?
I am new to kamailio and not sure how to do this.
Thanks,
On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <osas(a)voipembedded.com
<mailto:osas@voipembedded.com>> wrote:
> Google around for "friendly-scanner" to learn more about it.
> In the mean time, allow the packets to be handled by kamailio and send
> a 200ok back - maybe this will stop the attack.
> After the attack is stopped, simply drop all "friendly-scanner" SIP
> requests :)
>
> Regards,
> Ovidiu Sas
>
> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli021(a)gmail.com
> <mailto:mrjoli021@gmail.com>> wrote:
>> it is comming from "friendly-scanner" The other issue I have is
>> that "/var/log/secure" is not getting the sip requests so the only
>> way I realize it is happeing is from tcpdump. If the secure file
>> is not picking it up then iptables wont know about it. How can I
>> tell iptables to listen for sip requests? I have already added the
>> IP to the blocked IP's but he still keeps on comming.
>>
>> Thanks,
>>
>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <osas(a)voipembedded.com
>> <mailto:osas@voipembedded.com>> wrote:
>>
>>> Most likely it's a bogus script.
>>> Sometimes just sending a dummy reply, will stop the script sending
>>> SIP requests.
>>> Check the User-Agent header and from username to see if you can
>>> identify the script and google around for it.
>>>
>>> Regards,
>>> Ovidiu Sas
>>>
>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez
>>> <mrjoli021(a)gmail.com <mailto:mrjoli021@gmail.com>> wrote:
>>>> I am running Kamailio in CentOS. I ran tcpdump and noticed that
>>>> we are getting attacked from IP 188.138.32.72. I have already
>>>> blocked it on IPtables, but he keeps on attacking the server. If
>>>> I look at "/var/log/secure" there are no SIP messages. My
>>>> question is where is the log file for Kamailio and how can I
>>>> prevent this type of attacks in the future.
>>>>
>>>> Thanks,
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
>>>> mailing list
>>>> sr-users(a)lists.sip-router.org
<mailto:sr-users@lists.sip-router.org>
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>>
>>> --
>>> VoIP Embedded, Inc.
>>> http://www.voipembedded.com
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
>>> list
>>> sr-users(a)lists.sip-router.org
>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org <mailto:sr-users@lists.sip-router.org>
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
4016
days inactive
4017
days old
10 comments
5 participants
participants (5)
-
Daniel Grotti -
Joli Martinez -
José Seabra -
Muhammad Shahzad -
Ovidiu Sas