<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Hi!<br>
<br>
I had some issues with fail2ban running on OpenSuSE (different
versions) when monitoring more than 1 log files. While tracking down
the problem I found other reports on the internet about the similar
problems. Eventually I found OSSEC from TrendMicro
(<a class="moz-txt-link-freetext" href="http://www.ossec.net/main/downloads/">http://www.ossec.net/main/downloads/</a>) which is much more powerfull and
robust than fail2ban.<br>
Just FYI :-)<br>
<br>
--<br>
Regards,<br>
Alexandr<br>
<br>
<br>
03.11.2010 08:56, James Mbuthia пишет:
<blockquote class="cite"
id="mid_AANLkTinpbW2EauKTuiKFw3LWrcBBTqiO0kCw2JRrcUp5_mail_gmail_com"
cite="mid:AANLkTinpbW2EauKTuiKFw3LWrcBBTqiO0kCw2JRrcUp5@mail.gmail.com"
type="cite">I had the same problem with register attacks, almost
crashed my server coz log files became too huge, a temporary solution
is to change the port number from 5060 to something else as it seems
the register scanners attack sip servers listening on the 5060 port.
Adding fail2ban on top of this and blocking all registers which don't
come from your servers adds another layer of security<br>
<br>
<div class="gmail_quote">On Wed, Nov 3, 2010 at 5:33 AM, Brett
Nemeroff <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:brett@nemeroff.com">brett@nemeroff.com</a>></span>
wrote:<br>
<blockquote id="StationeryCiteGenerated_1" class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#FFFFFF">
<div>Kennard,</div>
<div>I personally write a log entry each time i get a REGISTER
failure. Then use fail2ban on top of that log. Pike could probably also
be used.</div>
<div><br>
</div>
<font color="#888888">
<div>-Brett</div>
</font>
<div>
<div class="h5">
<div><br>
<br>
On Nov 2, 2010, at 10:30 PM, Kennard White <<a moz-do-not-send="true"
href="mailto:kennard_white@logitech.com" target="_blank">kennard_white@logitech.com</a>>
wrote:<br>
<br>
</div>
<blockquote class="cite" id="StationeryCiteGenerated_2" type="cite">
<div>Hi Flavio,<br>
<br>
How did you originally detect these register attacks? Are you using the
pike module or notice them some other way?<br>
<br>
Thanks,<br>
Kennard<br>
<br>
<div class="gmail_quote">On Tue, Nov 2, 2010 at 10:40 AM, Flavio
Goncalves <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:flavio@asteriskguide.com" target="_blank">flavio@asteriskguide.com</a>></span>
wrote:<br>
<blockquote id="StationeryCiteGenerated_3" class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,<br>
<br>
Register attacks are now an epidemy. In most cases they are using the<br>
friendly-scanner (svcrack.py) from <a moz-do-not-send="true"
href="http://sipvicious.org" target="_blank">sipvicious.org</a>. One
easy way to<br>
block is to check the user agent for the words "friendly-scanner"and<br>
drop the packets (an attacker could easily change the user agent, but<br>
most of them are just script kiddies). There is a good tutorial in the<br>
opensips website on how to use fail2ban to block the IP address of the<br>
offenders (I think this is the best long term solution).<br>
<br>
<a moz-do-not-send="true"
href="http://www.opensips.org/Resources/DocsTutFail2ban"
target="_blank">http://www.opensips.org/Resources/DocsTutFail2ban</a>
(posted in sept/2010<br>
by the user named aseques)<br>
<br>
In some cases, when the attacker uses an old version of svcrack.py it<br>
floods your server. I have received four gigs of traffic in a single<br>
day from just one source. There is a small utility from <a
moz-do-not-send="true" href="http://sipvicious.org" target="_blank">sipvicious.org</a><br>
called svcrash.py capable to crash the attacker sending a malformed<br>
packet.<br>
<br>
I hope it helps, it has been a pain to handle these attacks everyday.<br>
In a normal day we are receiving from 4 to 8 attacks from different<br>
sources.<br>
<br>
Best regards,<br>
<br>
--------------------------------------------------<br>
Flavio E. Goncalves<br>
CEO - V.Office<br>
Fone: +554830258590/+554884085000<br>
OpenSIPS Bootcamp (Frankfurt Sep 20-24)<br>
<br>
<br>
<br>
<br>
2010/11/2 Hung Nguyen <<a moz-do-not-send="true"
href="mailto:hungbk546@gmail.com" target="_blank">hungbk546@gmail.com</a>>:<br>
<div>
<div>> Hi every body!<br>
><br>
> I have a problem with attacker as following:<br>
><br>
><br>
> attack registrar<br>
><br>
> register -------------><br>
> register -------------><br>
> ...<br>
> register -------------><br>
><br>
><br>
> Attacker send 200 registers/second so registrar server is error.
This<br>
> is configuration for register method:<br>
><br>
> route[2] {<br>
><br>
> # ----------------------------------------------------------<br>
> # REGISTER Message Handler<br>
> # ----------------------------------------------------------<br>
><br>
> if (!search("^Contact:[ ]*\*") && nat_uac_test("7")) {<br>
> setflag(6);<br>
> fix_nated_register();<br>
> fix_nated_contact();<br>
> force_rport();<br>
> };<br>
><br>
> if (!radius_www_authorize("<a moz-do-not-send="true"
href="http://abc.com" target="_blank">abc.com</a>")) {<br>
> www_challenge("<a moz-do-not-send="true" href="http://abc.com"
target="_blank">abc.com</a>", "0");<br>
> exit;<br>
> };<br>
> consume_credentials();<br>
><br>
> if (!save("location")) {<br>
> sl_reply_error();<br>
> };<br>
> }<br>
><br>
> Please help me,<br>
><br>
> Thanks.<br>
><br>
> Hung<br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a moz-do-not-send="true" href="mailto:Users@lists.opensips.org"
target="_blank">Users@lists.opensips.org</a><br>
> <a moz-do-not-send="true"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
><br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a moz-do-not-send="true" href="mailto:Users@lists.opensips.org"
target="_blank">Users@lists.opensips.org</a><br>
<a moz-do-not-send="true"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<blockquote class="cite" id="StationeryCiteGenerated_4" type="cite">
<div><span>_______________________________________________</span><br>
<span>Users mailing list</span><br>
<span><a moz-do-not-send="true"
href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a></span><br>
<span><a moz-do-not-send="true"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></span><br>
</div>
</blockquote>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Users mailing list<br>
<a moz-do-not-send="true" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a moz-do-not-send="true"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br>
</blockquote>
</div>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>