I second fail2ban. I block IP addresses with failed registration attempts for 1 hour. Here is my setup:
kamailio.cfg:

    if (is_method("REGISTER")) {
        if (www_authorize("", "subscriber") < 0) {
            if ($rc == -1) {
                # unknown user: log the source for fail2ban and answer
                # 200 OK instead of a challenge
                xlog("L_INFO", "Invalid username from $proto:$si:$sp\n");
                sl_send_reply("200", "OK");
            } else {
                www_challenge("", "0");
            }
            exit;
        }
        ....

/etc/fail2ban/filter.d/openser.conf:

    [Definition]
    #_daemon = kamailio
    failregex = Invalid username from ...:<HOST>:

/etc/fail2ban/jail.conf:

    findtime = 600

    [openser-iptables]
    enabled  = true
    filter   = openser
    action   = iptables-allports[name=OPENSER, protocol=all]
    logpath  = /var/log/openser/openser   # Replace with your sr log location
    maxretry = 10
    bantime  = 3600

On Sunday 24 October 2010, Uriel Rozenbaum wrote:
> Juha,
>
> I think we should be especially careful about black-lists. We receive
> many of these attacks on a per-day basis and a lot of them are from
> residential addresses or universities, so I'm guessing some kind of worm
> or trojan performing the attack from various IPs.
>
> If you have the time, try the fail2ban daemon. It can relate some
> brute-force events and act accordingly, blocking an IP on iptables,
> executing a script. You send to "jail" those addresses for a period of
> time, then you can get them out again; and of course you can manually
> revert.
>
> Last, as a description of the attacks I saw, first it runs an NMAP-like
> scan checking which IPs answer on 5060, then it starts sending
> REGISTERs (usually Asterisk answers 404 if the user does not exist),
> then when the proxy challenges, it interprets that the user is found and
> starts making dictionary attacks on the password (1234, admin, and so
> on). Keep safe, complicated passwords, make kamailio challenge
> everything and you'll be safe. And again, fail2ban is a pretty good
> solution for brute force.
>
> This might help you find a solution for your attacks.
>
> Cheers,
> Uriel
>
> On Sun, Oct 24, 2010 at 8:54 AM, Juha Heinanen <j...@tutpro.com> wrote:
> > while doing some tests, i noticed that one of my proxies started to
> > receive lots of register requests with different user names starting
> > from a letter. there were also invite attempts in the logs. they came
> > from ip 202.82.16.99 which according to traceroute is somewhere in
> > china.
> >
> > should we start publishing a black list of these attack ip addresses?
> >
> > -- juha
> >
> > _______________________________________________
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> > sr-users@lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
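As an added illustration of what the jail above actually does (this is example code written for this thread, not part of any poster's setup or of fail2ban itself), here is a small stand-alone Python script that applies the same matching idea as the openser filter to constructed Kamailio log lines and counts failures per source with the findtime/maxretry/bantime values from the jail. Assumptions: the syslog prefix on each line is invented for the example, the host pattern is IPv4-only (fail2ban's <HOST> placeholder matches more than that), and the transport is matched with \w+ rather than three dots so a 4-letter transport such as sctp is also caught.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same matching idea as the posted filter line
#   failregex = Invalid username from ...:<HOST>:
# fail2ban substitutes a host-matching group for <HOST>; this standalone
# version uses an IPv4-only group (an assumption for the example) and
# \w+ instead of "..." so that a 4-letter transport like "sctp" matches too.
FAILREGEX = re.compile(
    r"Invalid username from \w+:(?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Syslog timestamp prefix, e.g. "Oct 24 10:15:01" (prefix format is assumed)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2010):
    """Return (timestamp, source_ip) for a line matching the filter, else None."""
    m_ts = SYSLOG_TS.match(line)
    m_fail = FAILREGEX.search(line)
    if not (m_ts and m_fail):
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m_fail.group("host")


class Jail:
    """Sliding-window failure counter with the findtime / maxretry / bantime
    semantics of the posted jail (defaults: 600 s, 10, 3600 s)."""

    def __init__(self, findtime=600, maxretry=10, bantime=3600):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> time the ban expires

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def observe(self, ts, ip):
        """Record one failure; return True if this failure triggers a ban."""
        if self.is_banned(ip, ts):
            return False                     # iptables already drops this source
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return True
        return False

    def run(self, lines):
        """Feed log lines in order; return [(ip, time_of_ban), ...]."""
        events = []
        for line in lines:
            parsed = parse_line(line)
            if parsed and self.observe(*parsed):
                events.append((parsed[1], parsed[0]))
        return events


def make_line(ts, proto, ip, port=5060):
    """Build a constructed syslog line carrying the xlog() text from the
    posted kamailio.cfg; everything before 'Invalid username' is assumed."""
    return (f"{ts:%b %d %H:%M:%S} proxy kamailio[1234]: INFO: <script>: "
            f"Invalid username from {proto}:{ip}:{port}")


def sample_log():
    """Constructed sample: one scanner burst, one slow trickle, one typo."""
    t0 = datetime(2010, 10, 24, 10, 0, 0)
    entries = []
    # 12 bad usernames in 5 minutes from one address: banned on the 10th
    for i in range(12):
        ts = t0 + timedelta(seconds=25 * i)
        entries.append((ts, make_line(ts, "udp", "203.0.113.5")))
    # 10 failures 90 s apart: never 10 inside one 600 s window, so no ban
    for i in range(10):
        ts = t0 + timedelta(seconds=90 * i)
        entries.append((ts, make_line(ts, "tcp", "198.51.100.7")))
    # a legitimate user who mistyped the account name twice
    for secs in (30, 45):
        ts = t0 + timedelta(seconds=secs)
        entries.append((ts, make_line(ts, "tls", "192.0.2.10")))
    return [line for _, line in sorted(entries)]   # syslog order


if __name__ == "__main__":
    jail = Jail()
    for ip, when in jail.run(sample_log()):
        print(f"ban {ip} at {when:%H:%M:%S} until {jail.bans[ip]:%H:%M:%S}")
```

Running it bans 203.0.113.5 on its tenth failure (10:03:45) for one hour, while 198.51.100.7 never has ten failures inside any 600-second window and stays unbanned; that difference is exactly what the findtime setting in the jail controls, so it is worth tuning it against the rate at which the scanners in this thread actually send REGISTERs.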