[OpenSIPS-Users] attack from friendly-scanner
SamyGo
govoiper at gmail.com
Wed Oct 10 10:17:20 CEST 2012
Hi,
Funny thing, I just used sipvicious and in less than 10 minutes I changed
the user-agent field from "friendly-scanner" to "Google-Chrome" .. Where is
our "friendly-scanner" condition now?
So a 10,000-extension scan all went directly to my DB and put everyone in
trouble; had there been a pike module to capture the first 10-15/30 attempts, it
could've saved us from getting the DB choked.
Moreover, if I had an action trigger if(pike == true){avp_exec(my-blocker.sh
ip.of.hack.er);} to put the newly captured IP into the IPtables list as
well as push the IP address into a custom web-service to alert all the
neighbours of this new hacker IP, everything could've been perfect.
You are welcome Mr. VoIP Engineer, I really hope this thread helped you a
little bit.
BR
Sammy
On Wed, Oct 10, 2012 at 12:29 PM, Engineer voip <forvoip4 at gmail.com> wrote:
> Hi,
> Thank you all for the reply.
>
> 2012/10/9 Adam Raszynski <netcentrica at gmail.com>
>
>> I use the following code on all my production OpenSIPS servers.
>> It's CPU friendly and avoids being spotted by bots searching for
>> open-relay VoIP servers.
>>
>> route{
>> # put it at the very beginning of route section
>> if($ua=~"friendly-scanner") {
>> xlog("L_ERROR", "Auth error for $fU@$fd from $si method $rm user-agent (friendly-scanner)\n");
>> drop();
>> exit;
>> }
>> (...)
>>
>> Since I added that code problem with friendly scanner is over.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>
>
> --
>
> Best Regards.
>
>
>
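Added example (not part of the original post or of OpenSIPS): a simplified per-source-IP rate limiter of the kind the post asks for, run over constructed REGISTER records, showing that a scan with a spoofed User-Agent passes the "friendly-scanner" match but trips the rate limit after 30 requests. The IPs, timestamps, thresholds and function names are assumptions for illustration, and this is a model of the idea, not the pike module's actual algorithm.

```python
from collections import defaultdict, deque

# Constructed sample: (time_ms, source_ip, user_agent), one tuple per REGISTER.
# 203.0.113.7 scans with a spoofed User-Agent; 198.51.100.20 is a normal phone.
def sample_requests(scanner_ua="Google-Chrome"):
    scan = [(1_000_000 + i * 50, "203.0.113.7", scanner_ua) for i in range(200)]
    phone = [(1_000_000 + i * 30_000, "198.51.100.20", "ExamplePhone/1.0")
             for i in range(4)]
    return sorted(scan + phone)

def ua_filter_blocks(requests, pattern="friendly-scanner"):
    """Source IPs that a User-Agent match alone would drop."""
    return {ip for _, ip, ua in requests if pattern in ua}

def rate_limit(requests, max_reqs=30, window_ms=2_000, block_ms=120_000):
    """Per-source sliding window. More than max_reqs requests inside window_ms
    blocks the IP for block_ms. Returns (blocked, passed): blocked maps each IP
    to the time it was first blocked, passed counts the requests let through,
    i.e. the ones that would still reach the database."""
    recent = defaultdict(deque)
    blocked_until, blocked, passed = {}, {}, defaultdict(int)
    for ts, ip, _ua in requests:           # User-Agent is deliberately ignored
        if blocked_until.get(ip, 0) > ts:
            continue                       # still blocked: drop without lookup
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window_ms:
            q.popleft()                    # forget requests outside the window
        if len(q) > max_reqs:
            blocked_until[ip] = ts + block_ms
            blocked.setdefault(ip, ts)     # hook point for a firewall/alert action
            q.clear()
            continue
        passed[ip] += 1
    return blocked, dict(passed)

if __name__ == "__main__":
    reqs = sample_requests()
    print("UA filter blocks:", ua_filter_blocks(reqs))
    blocked, passed = rate_limit(reqs)
    print("rate limiter blocks:", blocked)
    print("requests passed per IP:", passed)
```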