I'm concerned about others reverse engineering their way into my project's SIP network. Is there any way to prevent others from finding out that the SIP protocol is being used, and to prevent others from reverse engineering their way into my SIP network?
Hi Aryn,
Changing the standard listen port 5060 to something like 5871 will keep approximately 50% of the bad boys away.
Log the user agent client name, like:
    if ($ua =~ "friendly-scanner" || $ua =~ "sipcli" || $ua =~ "sundayddr" ||
        $ua =~ "sipsak" || $ua =~ "sipvicious" || $ua =~ "iWar" || $ua =~ "sip-scan") {
        sl_send_reply("403", "Forbidden");
        xlog("L_ALERT", "IPTABLES: blocking $si $ua\n");
        drop();
    }
Let fail2ban put the source IP of the bad boy in your firewall with a 1h or longer drop time, like this
fail2ban filter:
    [INCLUDES]
    #before = common.conf

    [Definition]
    # filter for kamailio messages
    failregex = IPTABLES: blocking <HOST>
Hide your server name, like server_header="Server: sipserver-007"
Use strong passwords and don't configure an open relay ;-)
This is just one way ...
Regards Rainer
On 26.03.2014 03:13, Arya Farzan wrote:
I'm concerned about others reverse engineering their way into my project's SIP network. Is there any way to prevent others from finding out that the SIP protocol is being used, and to prevent others from reverse engineering their way into my SIP network?
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
PS:
You can use xlog("L_ALERT","IPTABLES: blocking $si \n"); anywhere you like ... for example on a wrong login password/username,
and fail2ban will drop the source IP for 1h or a longer drop time.
Regards Rainer
On 26.03.2014 07:27, Rainer Piper wrote:
xlog("L_ALERT","IPTABLES: blocking $si $ua\n");
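As an added example (not code from this thread, nor from Kamailio or fail2ban), the chain described in the two mails above replayed in Python over constructed log lines in the format this page shows: the scanner User-Agent test from the config snippet, the ALERT line that test emits for fail2ban, and a simplified fail2ban-style counter applying failregex, maxretry, findtime and bantime. The host name lb2, the PID, the timestamps and the TEST-NET addresses in the sample log are made up; the failregex here is an IPv4-only stand-in for fail2ban's <HOST> token.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Scanner User-Agent names from the Kamailio config snippet in the thread.
# Kamailio's =~ is a case-sensitive regex match, so this is too.
SCANNER_UA = re.compile(
    r"friendly-scanner|sipcli|sundayddr|sipsak|sipvicious|iWar|sip-scan"
)

# Stand-in for the fail2ban filter "failregex = IPTABLES: blocking <HOST>".
# fail2ban expands <HOST> to an IPv4/IPv6/hostname pattern; IPv4 only here.
FAILREGEX = re.compile(r"IPTABLES: blocking (?P<host>\d{1,3}(?:\.\d{1,3}){3})")

# Leading syslog timestamp, e.g. "Mar 26 06:20:44 " (syslog lines carry no year).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample lines in the shape Kamailio's pike module and xlog() produce
# on this page. Host name, PID, timestamps and the TEST-NET addresses are made up.
SAMPLE_LOG = """\
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 198.51.100.20, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 198.51.100.20 antiflood
Mar 26 06:21:01 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 203.0.113.7 friendly-scanner
Mar 26 06:21:02 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 203.0.113.7 friendly-scanner
Mar 26 06:21:03 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 203.0.113.7 friendly-scanner
Mar 26 06:40:00 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 192.0.2.9 sipcli
Mar 26 06:41:00 lb2 /usr/sbin/kamailio[16409]: INFO: <script>: REGISTER from 192.0.2.10, ua=Zoiper
"""


def is_scanner(ua):
    """The User-Agent test from the config: True if any scanner name occurs."""
    return SCANNER_UA.search(ua) is not None


def kamailio_decision(src_ip, ua, when, host="lb2", pid=16409):
    """Mirror the config branch: scanner UA -> (403 reply, ALERT line for fail2ban).

    Returns None when the request would simply continue through the script.
    """
    if not is_scanner(ua):
        return None
    line = (f"{when:%b %d %H:%M:%S} {host} /usr/sbin/kamailio[{pid}]: "
            f"ALERT: <script>: IPTABLES: blocking {src_ip} {ua}")
    return ("403 Forbidden", line)


def parse_ts(line, year=2014):
    """Turn the syslog prefix into a datetime (the year is assumed, not logged)."""
    m = SYSLOG_TS.match(line)
    if m is None:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def scan_log(lines, maxretry=1, findtime=timedelta(minutes=10),
             bantime=timedelta(hours=1)):
    """Replay fail2ban's counting: ban a host once it has maxretry matches
    inside findtime; ignore further matches until its bantime expires.

    Returns the bans as a list of (timestamp, host) in log order.
    """
    hits = defaultdict(list)   # host -> timestamps of recent matches
    banned_until = {}          # host -> when its current ban expires
    bans = []
    for line in lines:
        m = FAILREGEX.search(line)
        if m is None:
            continue
        host, ts = m.group("host"), parse_ts(line)
        if host in banned_until and ts < banned_until[host]:
            continue  # already in the firewall, nothing more to do
        recent = [t for t in hits[host] if ts - t <= findtime] + [ts]
        hits[host] = recent
        if len(recent) >= maxretry:
            banned_until[host] = ts + bantime
            bans.append((ts, host))
            hits[host] = []
    return bans


if __name__ == "__main__":
    # maxretry=1 matches the "banned after 1 attempts" notification in the thread
    for when, host in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{when:%H:%M:%S} ban {host} for 1h")
```

Two caveats a practitioner should keep in mind: the User-Agent is attacker-controlled, so the name list only catches tools that keep their default banner, which is why the pike/antiflood ALERT line is treated as a second, UA-independent trigger for the same failregex; and a real fail2ban filter also prepends its datepattern and accepts IPv6 and hostnames through <HOST>, so test the real filter with fail2ban-regex against your own kamailio.log rather than trusting this stand-in.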
On 3/26/14, 2:27 AM, Rainer Piper wrote:
Log the user agent client name, like:
    if ($ua =~ "friendly-scanner" || $ua =~ "sipcli" || $ua =~ "sundayddr" ||
        $ua =~ "sipsak" || $ua =~ "sipvicious" || $ua =~ "iWar" || $ua =~ "sip-scan") {
        sl_send_reply("403", "Forbidden");
        xlog("L_ALERT", "IPTABLES: blocking $si $ua\n");
        drop();
    }
I like this! Does anybody else have more User Agents to share?
-- *Rainer Piper* NOC - +49 (0)228 97167161 - sip.soho-piper.de NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293
Thanks Andres,
I have ... 90% friendly-scanner from all over the world, 7% sipcli and 3% sundayddr, mainly used in China.
On 26.03.2014 16:33, Andres wrote:
I like this! Does anybody else have more User Agents to share?
-- Technical Support http://www.cellroute.net
Hi Andres,
Today I had a very funny one ... an Amazon server tried to relay over my server.
LOG Data:
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
-------- Original Message --------
Hi,
The IP 184.72.211.251 has just been banned by Fail2Ban after 1 attempts against KAMAILIO.
Here are more information about 184.72.211.251:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# Query terms are ambiguous. The query is assumed to be:
#     "n 184.72.211.251"
#
# Use "?" to get help.
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showAR...
#

NetRange:       184.72.0.0 - 184.73.255.255
CIDR:           184.72.0.0/15
OriginAS:
NetName:        AMAZON-EC2-7
NetHandle:      NET-184-72-0-0-1
Parent:         NET-184-0-0-0-0
NetType:        Direct Assignment
Comment:        The activity you have detected originates from a
Comment:        dynamic hosting environment.
Comment:        For fastest response, please submit abuse reports at
Comment:        http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment:        For more information regarding EC2 see:
Comment:        http://ec2.amazonaws.com/
Comment:        All reports MUST include:
Comment:        * src IP
Comment:        * dest IP (your IP)
Comment:        * dest port
Comment:        * Accurate date/timestamp and timezone of activity
Comment:        * Intensity/frequency (short log extracts)
Comment:        * Your contact details (phone and email)
Comment:        Without these we will be unable to identify
Comment:        the correct owner of the IP address at that
Comment:        point in time.
RegDate:        2010-01-26
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-184-72-0-0-1

OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2005-09-29
Updated:        2009-06-02
Comment:        For details of this service please see
Comment:        http://ec2.amazonaws.com/
Ref:            http://whois.arin.net/rest/org/AMAZO-4

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-4064
OrgAbuseEmail:  ec2-abuse@amazon.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/AEA8-ARIN

OrgTechHandle:  ANO24-ARIN
OrgTechName:    Amazon EC2 Network Operations
OrgTechPhone:   +1-206-266-4064
OrgTechEmail:   aes-noc@amazon.com
OrgTechRef:     http://whois.arin.net/rest/poc/ANO24-ARIN

RNOCHandle:     ANO24-ARIN
RNOCName:       Amazon EC2 Network Operations
RNOCPhone:      +1-206-266-4064
RNOCEmail:      aes-noc@amazon.com
RNOCRef:        http://whois.arin.net/rest/poc/ANO24-ARIN

RTechHandle:    ANO24-ARIN
RTechName:      Amazon EC2 Network Operations
RTechPhone:     +1-206-266-4064
RTechEmail:     aes-noc@amazon.com
RTechRef:       http://whois.arin.net/rest/poc/ANO24-ARIN

RAbuseHandle:   AEA8-ARIN
RAbuseName:     Amazon EC2 Abuse
RAbusePhone:    +1-206-266-4064
RAbuseEmail:    ec2-abuse@amazon.com
RAbuseRef:      http://whois.arin.net/rest/poc/AEA8-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
Lines containing IP:184.72.211.251 in /var/log/kamailio.log
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: ALERT: pike blocking INVITE from sip:448099999999@184.72.211.251 (IP:184.72.211.251:5060)
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT: <script>: IPTABLES: blocking 184.72.211.251 antiflood
Regards,
Fail2Ban
On 3/26/14, 2:40 PM, Rainer Piper wrote:
Hi Andres,
Today I had a very funny one ... an Amazon server tried to relay over my server.
I see that. It's cheap and easy to use an Amazon server for this purpose. Plus you can change its public IP by shutting down and starting the instance again.