Hi!

I had some issues with fail2ban running on OpenSuSE (different versions) when monitoring more than one log file. While tracking down the problem I found other reports on the internet about similar problems. Eventually I found OSSEC from TrendMicro (http://www.ossec.net/main/downloads/), which is much more powerful and robust than fail2ban.
Just FYI :-)

--
Regards,
Alexandr


03.11.2010 08:56, James Mbuthia wrote:
I had the same problem with register attacks; it almost crashed my server coz the log files became too huge. A temporary solution is to change the port number from 5060 to something else, as it seems the register scanners attack SIP servers listening on port 5060. Adding fail2ban on top of this and blocking all registers which don't come from your servers adds another layer of security.

On Wed, Nov 3, 2010 at 5:33 AM, Brett Nemeroff <[email protected]> wrote:
Kennard,
I personally write a log entry each time I get a REGISTER failure. Then use fail2ban on top of that log. Pike could probably also be used.

-Brett


On Nov 2, 2010, at 10:30 PM, Kennard White <[email protected]> wrote:

Hi Flavio,

How did you originally detect these register attacks? Are you using the pike module or notice them some other way?

Thanks,
Kennard

On Tue, Nov 2, 2010 at 10:40 AM, Flavio Goncalves <[email protected]> wrote:
Hi,

Register attacks are now an epidemic. In most cases they are using the
friendly-scanner (svcrack.py) from sipvicious.org. One easy way to
block is to check the user agent for the words "friendly-scanner" and
drop the packets (an attacker could easily change the user agent, but
most of them are just script kiddies). There is a good tutorial in the
opensips website on how to use fail2ban to block the IP address of the
offenders (I think this is the best long term solution).

http://www.opensips.org/Resources/DocsTutFail2ban (posted in sept/2010
by the user named aseques)

In some cases, when the attacker uses an old version of svcrack.py it
floods your server. I have received four gigs of traffic in a single
day from just one source. There is a small utility from sipvicious.org
called svcrash.py capable of crashing the attacker by sending a malformed
packet.

I hope it helps, it has been a pain to handle these attacks every day.
On a normal day we are receiving from 4 to 8 attacks from different
sources.

Best regards,

--------------------------------------------------
Flavio E. Goncalves
CEO - V.Office
Fone: +554830258590/+554884085000
OpenSIPS Bootcamp (Frankfurt Sep 20-24)




2010/11/2 Hung Nguyen <[email protected]>:
> Hi everybody!
>
> I have a problem with an attacker, as follows:
>
>
> attack                   registrar
>
> register  ------------->
> register  ------------->
> ...
> register  ------------->
>
>
> The attacker sends 200 registers/second, so the registrar server is in error. This
> is the configuration for the register method:
>
> route[2] {
>
>  # ----------------------------------------------------------
>  # REGISTER Message Handler
>  # ----------------------------------------------------------
>
>  if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {
>    setflag(6);
>    fix_nated_register();
>    fix_nated_contact();
>    force_rport();
>  };
>
>  if (!radius_www_authorize("abc.com")) {
>    www_challenge("abc.com", "0");
>    exit;
>  };
>  consume_credentials();
>
>  if (!save("location")) {
>    sl_reply_error();
>  };
> }
>
> Please help me,
>
> Thanks.
>
> Hung
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
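
The log-then-ban approach described in this thread (write a log entry per failed REGISTER, ban sources that repeat, and flag the "friendly-scanner" User-Agent), sketched as an added example that is not from any of the posters, OpenSIPS or fail2ban. The log line format, the `MAX_RETRY` and `FIND_TIME` values and the sample lines are constructed assumptions; the IP addresses are from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical): one line per failed REGISTER, written by
# the proxy's routing script. Not the format used in the OpenSIPS tutorial.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) REGISTER auth failure '
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ua="(?P<ua>[^"]*)"$'
)
MAX_RETRY = 3                       # failures tolerated inside the window
FIND_TIME = timedelta(seconds=60)   # sliding window length
SCANNER_UA = "friendly-scanner"     # User-Agent string named in the thread

def offenders(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return {ip: reason} for sources that should be blocked."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # not a REGISTER failure line
        ip = m["ip"]
        if ip in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if SCANNER_UA in m["ua"].lower():
            banned[ip] = "scanner user-agent"  # spoofable, so not the only check
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:      # drop failures older than the window
            window.popleft()
        if len(window) > max_retry:
            banned[ip] = "rate"
    return banned

# Constructed sample log lines.
SAMPLE = [
    '2010-11-02 10:00:00 REGISTER auth failure from 192.0.2.10 ua="friendly-scanner"',
    '2010-11-02 10:00:01 REGISTER auth failure from 198.51.100.7 ua="custom"',
    '2010-11-02 10:00:02 REGISTER auth failure from 198.51.100.7 ua="custom"',
    '2010-11-02 10:00:03 REGISTER auth failure from 198.51.100.7 ua="custom"',
    '2010-11-02 10:00:04 REGISTER auth failure from 198.51.100.7 ua="custom"',
    '2010-11-02 10:00:05 REGISTER auth failure from 203.0.113.5 ua="softphone"',
    '2010-11-02 10:05:00 REGISTER auth failure from 203.0.113.5 ua="softphone"',
]

if __name__ == "__main__":
    for ip, reason in offenders(SAMPLE).items():
        print(ip, reason)
```

The rate check catches the second source even though its User-Agent was changed, while the client with two failures five minutes apart is left alone.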
