Indeed, core:receive-parse-error combined with sanity_check is what I
needed.
Thank you.
On Sat, Oct 26, 2024 at 12:56 PM Fred Posner via sr-users <
sr-users(a)lists.kamailio.org> wrote:
Thanks for mentioning APIBAN. You may also want to consider the core
receive parse error route. I wrote about it here:
Handling Non-SIP Attacks With Kamailio
<https://www.fredposner.com/handling-non-sip-kamailio/>
—fred
Fred Posner
Contact info via
https://fredoso.com
On Oct 24, 2024, at 6:21 AM, Who AmI via sr-users <
sr-users(a)lists.kamailio.org> wrote:
+1 for APIBAN - it's so good for this exact use case.
In the short term you can use something like the pike module with some logic
to look for any special characters and block them in an htable and just drop
the traffic whilst you figure APIBAN out though.
Thanks,
John.
On Thu, 24 Oct 2024 at 10:44, Sergio Charrua via sr-users <
sr-users(a)lists.kamailio.org> wrote:
Hi!
You might want to check this: APIBAN - Block Bad SIP Traffic
<https://apiban.org/>
Fred Posner is the one to blame for this fantastic tool :)
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
On Thu, Oct 24, 2024 at 3:49 AM mayamatakeshi via sr-users <
sr-users(a)lists.kamailio.org> wrote:
Hi,
I was going through some old company tickets that I am assigned to and
found a case where possibly an attacker flooded our Kamailio server with
invalid SIP messages like this:
2019-04-27T20:14:05.533554+09:00 IPX051
/usr/local/src/git/sip-router/kamailio[1732]: ERROR: <core>
[parser/msg_parser.c:714]: ERROR: parse_msg:
message=<[F#016sD#026Z<8D>97<F8><B5>;<A9><E7>-<D2>(<E2><F6>
v;/#021k\<CC>8<B1>λ<F4>#004M<B6><BE><EC>#035#003<94><E1>=<A0><FF><E3><AF>Kwzr<8B>A#036B<D7>#027#023cu<82>Y<D4>#037<FB><AC>S_<C4>Qg<AB><DE>F<88>I#006<8C><FA><F4>~#y3G<C7>H<80>b<BC><AD>#035<89>#002<DB><C8>#001U<9E>#007<CB><F9>nT<E5><EE><8E><F1>#0144>
At that time we manually banned the IP.
But it would be helpful to have this done automatically by fail2ban.
So I was thinking this log should include the src IP address.
I looked at the latest Kamailio commit and core/parser/msg_parser.c does
this log the same way, so I was thinking of opening an issue for this.
But maybe this should be dealt with differently.
Any ideas?
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to
the sender!
Edit mailing list options or unsubscribe:
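
The combination the thread settles on (core:receive-parse-error plus sanity_check, with an htable for short-term blocking), written out as an added example that is not from any poster or from the linked article. The table name `badsip`, the `BADSIP` log tag, the 600-second expiry and the fail2ban pattern in the last comment are assumptions chosen for illustration.

```kamailio
# Added example (not from the thread or the linked article).
# Assumed names: htable "badsip", log tag "BADSIP", 600 s expiry.
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "htable.so"
loadmodule "sanity.so"

modparam("htable", "htable", "badsip=>size=8;autoexpire=600;")

request_route {
    # Source already flagged by either check below: stop processing.
    if ($sht(badsip=>$si) != $null) {
        exit;
    }

    # Parsable but malformed SIP: sanity_check() with the values used in
    # the stock kamailio.cfg.
    if (!sanity_check("17895", "7")) {
        xlog("L_WARN", "BADSIP malformed request from $si:$sp\n");
        $sht(badsip=>$si) = 1;
        exit;
    }

    # ... normal routing continues here ...
}

# Runs when the core cannot parse the datagram as SIP at all (the
# parse_msg error in the original report). The source address is
# available here even though the message is not.
event_route[core:receive-parse-error] {
    xlog("L_WARN", "BADSIP parse error from $si:$sp\n");
    $sht(badsip=>$si) = 1;
}

# A fail2ban filter can then key on the tag, for example:
#   failregex = BADSIP .* from <HOST>:\d+
```

The htable check only short-circuits messages that parse; unparsable traffic is discarded by the core regardless, so stopping the flood itself still needs a firewall-level ban such as the fail2ban action.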