I'm second for fail2ban. I block IP addresses with failed registration
attempts for 1 hour. Here is my setup:
kamailio.cfg:
if (is_method("REGISTER")) {
if(www_authorize("", "subscriber") < 0) {
if($rc == -1) {
xlog("L_INFO","Invalid username from $proto:$si:$sp\n");
sl_send_reply("200","OK");
} else
www_challenge("", "0");
exit;
}
....
/etc/fail2ban/filter.d/openser.conf:
[Definition]
#_daemon = kamailio
failregex = Invalid username from ...:<HOST>:
/etc/fail2ban/jail.conf:
findtime = 600
[openser-iptables]
enabled = true
filter = openser
action = iptables-allports[name=OPENSER, protocol=all]
logpath = /var/log/openser/openser # Replace with your sr log location
maxretry = 10
bantime = 3600
On Sunday 24 October 2010, Uriel Rozenbaum wrote:
> Juha,
>
> I think we should be specially careful about black-lists. We receive
> many of these attacks in a per-day basis and a lot of them are from
> residential addresses or university, so I'm guessing some kind of worm
> or trojan performing the attack from various IPs.
>
> If you have the time, try fail2ban deamon. It can relate some
> brute-force events and act accordingly blocking an IP on iptables,
> executing a script. You send to "jail" those addresses for a period of
> time, then you can get them out again; and of course you can manually
> revert.
>
> Last, as a description of the attacks I saw, first it runs an NMAP
> like scan checking which IPs answer from 5060, then it starts sending
> registers (usually asterisk answers 404 if the user does not exist),
> then when the proxy challenges, it interprets the user is found and
> starts making dictionary attacks on the password (1234, admin, and so
> on). Keep safe complicated passwords, make kamailio challenge
> everything and you'll be safe. and again, fail2ban is a pretty good
> solution for brute force.
>
> This might help you finding a solution for your attacks.
>
> Cheers,
> Uriel
>
> On Sun, Oct 24, 2010 at 8:54 AM, Juha Heinanen <j...@tutpro.com> wrote:
> > while doing some tests, i noticed that one of my proxies started to
> > receive lots of register requests with different user names starting
> > from a letter. there was also invite attempts in the logs. they came
> > from ip 202.82.16.99 which according to traceroute is somewhere in
> > china.
> >
> > should we start publishing a black list of these attack ip addresses?
> >
> > -- juha
> >
> > _______________________________________________
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> > sr-users@lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
