[OpenSIPS-Users] How to protect OpenSIPS from undesidered requests (DoS attack?)
leo
uzcudunl at yahoo.it
Wed Mar 6 19:58:29 CET 2013
Hello Bakko:
I have it configured like yours, but I'm still not getting events in the opensips.log file like "Auth error for $fU@$fd from $si cause" for packets:
19:52:41.100695 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)
    199.217.115.214.5981 > [my SIP Server].5060: [udp sum ok] SIP, length: 342
        REGISTER sip:[my SIP Server] SIP/2.0
        Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport
        Content-Length: 0
        From: "5988" <sip:5988@[my SIP Server]>
        Accept: application/sdp
        User-Agent: friendly-scanner
        To: "5988" <sip:5988@[my SIP Server]>
        Contact: sip:123@1.1.1.1
        CSeq: 1 REGISTER
        Call-ID: 1787915151
        Max-Forwards: 70
I've also added Nick's suggestion:
if ($ua =~ "friendly-scanner") {
    xlog("L_ERR", "Attack attempt - Request dropped");
    drop();
}
But I don't have those events in the opensips.log file either.
Any clue?
Thanks,
Leo
________________________________
From: bakko [via OpenSIPS (Open SIP Server)] <ml-node+s1449251n7585097h85 at n2.nabble.com>
To: leo <uzcudunl at yahoo.it>
Sent: Wednesday, 6 March 2013 11:49
Subject: Re: How to protect OpenSIPS from undesidered requests (DoS attack?)
Hello,
I'm using this configuration:
if (is_method("REGISTER")) {
    $var(auth_code) = www_authorize("", "subscriber");
    # log the failure together with the source IP ($si) for fail2ban
    if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
        xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
    }
    if ( $var(auth_code) < 0 ) {
        www_challenge("", "0");
        exit;
    }
    save("location");
    exit;
}
on /etc/fail2ban/filter.d/opensips.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = opensips
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = Auth error for .* from <HOST> cause -[0-9]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
and on /etc/fail2ban/jail.conf
[opensips]
enabled = true
filter = opensips
action = iptables-allports[name=opensips, protocol=all]
         sendmail-whois[name=opensips, dest=[hidden email], sender=[hidden email]]
logpath = /var/log/opensips.log
maxretry = 3
bantime = 7200
Regards
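
An added example, not part of the original messages or of fail2ban itself: it checks the failregex from the quoted filter against log lines and counts matches per host against the jail's maxretry, expanding <HOST> as the filter's own comment describes. The log lines, user names and addresses are constructed, and the ban rule is a simplification that ignores fail2ban's findtime window.

```python
import re
from collections import Counter

# failregex copied from the filter quoted above
FAILREGEX = r"Auth error for .* from <HOST> cause -[0-9]"
# <HOST> expansion as stated in that filter's own comment block
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
MAXRETRY = 3  # from the [opensips] jail

# Constructed log lines: syslog prefix, users and addresses are made up
SAMPLE_LOG = """\
Mar  6 19:52:41 sip1 opensips[2101]: Auth error for 5988@example.test from 203.0.113.7 cause -1
Mar  6 19:52:42 sip1 opensips[2101]: Auth error for 5989@example.test from 203.0.113.7 cause -1
Mar  6 19:52:43 sip1 opensips[2101]: Auth error for 5990@example.test from 203.0.113.7 cause -2
Mar  6 19:52:44 sip1 opensips[2101]: Auth error for alice@example.test from 198.51.100.20 cause -2
Mar  6 19:52:45 sip1 opensips[2101]: Attack attempt - Request dropped
Mar  6 19:52:46 sip1 opensips[2101]: Auth error for bob@example.test from 198.51.100.30 cause 1
"""

def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban failregex into a plain Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))

def failures_per_host(log_text):
    """Count matching lines per captured host."""
    pattern = compile_failregex()
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Simplified ban rule (assumption): ignores fail2ban's findtime window."""
    counts = failures_per_host(log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)

def unmatched_lines(log_text):
    """Lines the filter cannot act on, e.g. ones without a source address."""
    pattern = compile_failregex()
    return [line for line in log_text.splitlines() if not pattern.search(line)]

if __name__ == "__main__":
    print("failures:", dict(failures_per_host(SAMPLE_LOG)))
    print("ban:", hosts_to_ban(SAMPLE_LOG))
    for line in unmatched_lines(SAMPLE_LOG):
        print("no match:", line)
```

The "Attack attempt - Request dropped" line written by the user-agent check contains no $si, so this failregex cannot match it; only the "Auth error" lines with a negative cause feed the jail.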