Thanks, that worked.
On Nov 27, 2013, at 3:47 AM, Muhammad Shahzad <shaherya...@gmail.com> wrote:

> Never give any SIP response to any malicious SIP request, ignore it
> completely. Usually such malicious attacks are done through bots (with
> identifiable user-agent header), which send a basic / harmless SIP request
> such as SIP OPTIONS and see if they get response, if they do then they
> proceed with sending SIP REGISTER or INVITE and start actual brute-force
> attack to crack the server. If on the other hand, you completely ignore them
> and do not respond to them then they ignore you too and move on to next
> target server.
>
> if ($ua=="friendly-scanner") {
>     exit;
> }
>
> Thank you.
>
> On Wed, Nov 27, 2013 at 9:31 AM, Daniel Grotti <dgro...@sipwise.com> wrote:
> Do you have some example about malicious messages?
>
> D.
>
> On 11/27/2013 12:00 AM, Joli Martinez wrote:
> > I have placed the code below right underneath the route portion in the
> > kamailio.cfg file, restarted kamailio and I am still being attacked.
> >
> > ####### Routing Logic ########
> >
> > # main request routing logic
> >
> > route{
> >
> >     if ($ua=="friendly-scanner") {
> >         sl_send_reply("200","OK");
> >         exit;
> >     }
> >
> > On Nov 26, 2013, at 5:29 PM, Daniel Grotti <dgro...@sipwise.com> wrote:
> >
> >> Hi,
> >> you can check the User-Agent reference $ua, if it is equal to
> >> "friendly-scanner", just send back a reply with sl_send_reply("200", "OK")
> >>
> >> Daniel
> >>
> >> On 11/26/2013 10:53 PM, Joli Martinez wrote:
> >>> How can I do this? Is there an article I can reference or something?
> >>> I am new to kamailio and not sure how to do this.
> >>>
> >>> Thanks,
> >>>
> >>> On Nov 26, 2013, at 4:41 PM, Ovidiu Sas <o...@voipembedded.com> wrote:
> >>>
> >>>> Google around for "friendly-scanner" to learn more about it.
> >>>> In the meantime, allow the packets to be handled by kamailio and send
> >>>> a 200ok back - maybe this will stop the attack.
> >>>> After the attack is stopped, simply drop all "friendly-scanner" SIP
> >>>> requests :)
> >>>>
> >>>> Regards,
> >>>> Ovidiu Sas
> >>>>
> >>>> On Tue, Nov 26, 2013 at 4:32 PM, Joli Martinez <mrjoli...@gmail.com> wrote:
> >>>>> It is coming from "friendly-scanner". The other issue I have is
> >>>>> that "/var/log/secure" is not getting the sip requests so the only
> >>>>> way I realize it is happening is from tcpdump. If the secure file
> >>>>> is not picking it up then iptables won't know about it. How can I
> >>>>> tell iptables to listen for sip requests? I have already added the
> >>>>> IP to the blocked IP's but he still keeps on coming.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> On Nov 26, 2013, at 4:28 PM, Ovidiu Sas <o...@voipembedded.com> wrote:
> >>>>>
> >>>>>> Most likely it's a bogus script.
> >>>>>> Sometimes just sending a dummy reply will stop the script sending
> >>>>>> SIP requests.
> >>>>>> Check the User-Agent header and from username to see if you can
> >>>>>> identify the script and google around for it.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Ovidiu Sas
> >>>>>>
> >>>>>> On Tue, Nov 26, 2013 at 4:17 PM, Joli Martinez
> >>>>>> <mrjoli...@gmail.com> wrote:
> >>>>>>> I am running Kamailio in CentOS. I ran tcpdump and noticed that
> >>>>>>> we are getting attacked from IP 188.138.32.72. I have already
> >>>>>>> blocked it on IPtables, but he keeps on attacking the server. If
> >>>>>>> I look at "/var/log/secure" there are no SIP messages. My
> >>>>>>> question is where is the log file for Kamailio and how can I
> >>>>>>> prevent this type of attack in the future.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> _______________________________________________
> >>>>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users
> >>>>>>> mailing list
> >>>>>>> sr-users@lists.sip-router.org
> >>>>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> >>>>>>
> >>>>>> --
> >>>>>> VoIP Embedded, Inc.
> >>>>>> http://www.voipembedded.com
> >>>>
> >>>> --
> >>>> VoIP Embedded, Inc.
> >>>> http://www.voipembedded.com
>
> --
> Kind regards
> Muhammad Shahzad
> -----------------------------------
> CISCO Rich Media Communication Specialist (CRMCS)
> CISCO Certified Network Associate (CCNA)
> Cell: +49 176 99 83 10 85
> MSN: shari_78...@hotmail.com
> Email: shaherya...@googlemail.com
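The silent drop recommended in the thread, extended so that a source seen once with the scanner's User-Agent stays dropped even if it later changes that header, and so that each detection is written to Kamailio's log. This is an added example, not configuration posted by any participant; it goes beyond the thread by using Kamailio's htable and xlog modules, and the table name `ipban`, the 300-second expiry and the log text are assumptions.

```kamailio
#!KAMAILIO
# Added example, not from the thread. Assumed values: the "ipban" table
# name, its 300-second expiry and the wording of the log line.

loadmodule "pv.so"       # pseudo-variables: $ua, $si, $sp, $rm
loadmodule "xlog.so"     # xlog()
loadmodule "htable.so"   # $sht() in-memory hash table

# One entry per flagged source IP; entries expire after 300 seconds.
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

request_route {
    # Source already flagged: end processing without any SIP response,
    # whatever User-Agent the request now carries.
    if ($sht(ipban=>$si) != $null) {
        exit;
    }

    # First request carrying the scanner's User-Agent: remember the
    # source IP, log it once, and stay silent as advised in the thread.
    if ($ua == "friendly-scanner") {
        $sht(ipban=>$si) = 1;
        xlog("L_WARN", "scanner UA from $si:$sp ($rm), dropping for 300s\n");
        exit;
    }

    # Normal request routing follows from here.
}
```

Because a SIP request over UDP can carry a forged source address, keep the expiry short and skip the check for trusted peers such as PSTN gateways.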