Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself.
Please suggest something else.

On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana <anuragrana31...@gmail.com> wrote:

> Right Mitul. System is behind some gateway.
>
> On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mi...@enterux.in> wrote:
>
>> I think your asterisk server is behind firewall or some sort of NAT where
>> the out to in packets are getting masqueraded with local or DMZ IP of your
>> firewall / gateway box.
>>
>> Fix this first to get fail2ban to detect the correct public IP.
>>
>> Otherwise fail2ban will ban your local GW IP due to which you won't be
>> able to access the box even from your local network for ssh.
>>
>> Hope you know how to fix the firewall snat.
>>
>> Mitul
>>
>> On 27-Jun-2014 9:51 PM, "Jai Rangi" <jpra...@didforsale.com> wrote:
>>
>>> Anurag,
>>>
>>> Here is a small script that will check your logs and will block the IPs.
>>> http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack
>>>
>>> This is good if you don't expect any registration. If you do have some
>>> valid registrations, you might want to add some counter to see how many
>>> times an IP needs to fail or how many different users an IP is trying to
>>> register on before blocking the IP.
>>>
>>> Jai Rangi
>>> www.didforslae.com
>>>
>>> On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31...@gmail.com>
>>> wrote:
>>>
>>>> Hi All.
>>>>
>>>> Someone is attacking my SIP server.
>>>> There are a lot of requests coming in and I am not able to stop it
>>>> because I am unable to detect the IP address.
>>>> I used wireshark to capture the packets.
>>>>
>>>> Although I am using very strong passwords for my SIP users, is there
>>>> still any way to drop these packets and stop this attack?
>>>>
>>>> I tried dropping packets after matching some string (most of the packets
>>>> from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed.
>>>> Packets are still flowing in.
>>>>
>>>> iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP
>>>>
>>>> It's something like this
>>>>
>>>> Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password
>>>>
>>>> and there are approx. 10 requests per minute of this type.
>>>>
>>>> Please suggest some way to stop this.
>>>>
>>>> --
>>>> Anurag Rana
>>>> http://newbie42.blogspot.in/
>>>> On the trampoline of life's experiences, Striving towards a saintly
>>>> life in the midst of these materialistic turbulences.
>>>>
>>>> --
>>>> _____________________________________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>> http://www.asterisk.org/hello
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>
> --
> Anurag Rana
> http://newbie42.blogspot.in/
> On the trampoline of life's experiences, Striving towards a saintly life
> in the midst of these materialistic turbulences.

--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
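Added example, not part of the thread and not the script linked in it: a Python sketch of the counter Jai describes (failures per source and distinct users per source), combined with Mitul's warning so that an over-threshold source on an allowlist is reported as NAT-masked instead of banned. The function names, thresholds, allowlist and sample log lines are assumptions constructed for illustration; the regex follows the shape of the failure line quoted above.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Shape of the failure line quoted in the thread; the closing quote after the
# From header is optional because the quoted line lacks it.
FAIL_RE = re.compile(r"Registration from '(?P<hdr>.*?)'? failed for "
                     r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'")
USER_RE = re.compile(r"<\w+:([^@>]+)@")

def triage(lines, never_ban, max_failures=5, max_users=3):
    """Return (ban, masked): sources over either threshold, split by allowlist."""
    nets = [ip_network(n) for n in never_ban]
    failures, users = defaultdict(int), defaultdict(set)
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        failures[m["ip"]] += 1
        u = USER_RE.search(m["hdr"])
        if u:
            users[m["ip"]].add(u.group(1))
    ban, masked = [], []
    for ip, count in failures.items():
        if count < max_failures and len(users[ip]) < max_users:
            continue  # e.g. one phone with a mistyped password
        # Over threshold: an allowlisted source is the NAT gateway, so report
        # it for an SNAT fix instead of banning it and locking out the LAN.
        if any(ip_address(ip) in net for net in nets):
            masked.append(ip)
        else:
            ban.append(ip)
    return sorted(ban), sorted(masked)

def fail_line(user, src):
    # Constructed log line (assumed chan_sip layout, documentation-range IPs).
    return (f"[Jun 27 19:40:01] NOTICE[2101] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10:5060>' failed for '{src}' - Wrong password")

SAMPLE_LOG = (
    [fail_line(u, "203.0.113.7:6373") for u in ("30", "31", "32", "33", "34", "35")]
    + [fail_line("101", "198.51.100.20:5060")] * 2
    + [fail_line(u, "192.168.1.1:6373") for u in ("30", "40", "50", "60", "70")]
    + ["[Jun 27 19:41:00] VERBOSE[2101] pbx.c: unrelated line"]
)

if __name__ == "__main__":
    ban, masked = triage(SAMPLE_LOG, never_ban=["192.168.1.1/32"])
    print("ban:", ban)
    print("behind NAT, fix SNAT instead of banning:", masked)
```

Any address that lands in the second list means the log is recording the gateway rather than the real sender, so a per-IP ban cannot work until the NAT rule is corrected.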