Anurag,

Here is a small script that will check your logs and block the IPs.
http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack

This is good if you don't expect any registrations. If you do have some valid registrations, you might want to add a counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP.

Jai Rangi
www.didforslae.com

On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <[email protected]> wrote:
>
> Hi All.
>
> Someone is attacking my SIP server.
> There are a lot of requests coming in and I am not able to stop it because I
> am unable to detect the IP address.
> I used Wireshark to capture the packets.
>
> Although I am using very strong passwords for my SIP users, is there
> still any way to drop these packets and stop this attack?
>
> I tried dropping packets after matching some string (most of the packets
> from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed.
> Packets are still flowing in.
>
> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>
> It's something like this:
>
> Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
>
> and there are approx. 10 requests per minute of this type.
>
> Please suggest some way to stop this.
>
> --
> Anurag Rana
> http://newbie42.blogspot.in/
> On the trampoline of life's experiences, Striving towards a saintly life
> in the midst of these materialistic turbulences.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
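The counter suggested in the reply above, as an added example that is not part of the original message or of the linked script: it counts failed registrations and distinct usernames per source IP and emits iptables rules only for addresses that reach a limit. The thresholds, function names, allowlist parameter and sample log lines are assumptions constructed for illustration, modeled on the log line quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Peer address as Asterisk writes it at the END of the line. The From header
# earlier in the line is chosen by the sender, so "[^']+$" pins the match to
# the last quoted field and a forged "failed for" in a display name is ignored.
PEER_RE = re.compile(r"failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - [^']+$")
USER_RE = re.compile(r"Registration from '.*?<\w+:([^@>]+)@")

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
NOTICE[2211] chan_sip.c: Registration from '"30" <sip:30@192.0.2.10:5060>' failed for '203.0.113.7:6373' - Wrong Password
NOTICE[2211] chan_sip.c: Registration from '"31" <sip:31@192.0.2.10:5060>' failed for '203.0.113.7:6373' - Wrong Password
NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10:5060>' failed for '198.51.100.20:5060' - Wrong Password
NOTICE[2211] chan_sip.c: Registration from '"x' failed for '198.51.100.20' - Wrong Password" <sip:33@192.0.2.10:5060>' failed for '203.0.113.7:6375' - Wrong Password
NOTICE[2211] chan_sip.c: Peer '101' is now Reachable. (12ms / 2000ms)
""".splitlines()

def parse_failure(line):
    """Return (ip, user) for a failed-registration line, else None."""
    peer, user = PEER_RE.search(line), USER_RE.search(line)
    if not (peer and user):
        return None
    try:
        return str(ipaddress.ip_address(peer.group(1))), user.group(1)
    except ValueError:  # octet out of range, e.g. 999.1.1.1
        return None

def find_offenders(lines, max_failures=5, max_users=3, allow=()):
    """Map ip -> (failures, distinct users) for IPs reaching either limit."""
    fails, users = defaultdict(int), defaultdict(set)
    for hit in filter(None, map(parse_failure, lines)):
        if hit[0] not in allow:  # never block known-good peers
            fails[hit[0]] += 1
            users[hit[0]].add(hit[1])
    return {ip: (n, len(users[ip])) for ip, n in fails.items()
            if n >= max_failures or len(users[ip]) >= max_users}

def drop_rules(offenders):
    """iptables commands to review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in drop_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

In the sample, 203.0.113.7 is flagged for trying three different usernames, while the single failure from 198.51.100.20 stays below both limits even though a forged display name tries to attribute an extra failure to it.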
