<div class="gmail_quote"><br><div class="gmail_quote"><div class="im">2011/6/28 Brett Nemeroff <span dir="ltr"><<a href="mailto:brett@nemeroff.com" target="_blank">brett@nemeroff.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><br></div><div><div class="gmail_quote"><div>On Tue, Jun 28, 2011 at 4:55 PM, Mike Tesliuk <span dir="ltr"><<a href="mailto:mike@ultra.net.br" target="_blank">mike@ultra.net.br</a>></span> wrote:<br>
</div><div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hello, <br><div class="gmail_quote"><br><br>I'm new to OpenSIPS and I'm getting an attack where I can read the IP just on the first register; the attacker is sending my own IP in the SIP packet<br><br></div></blockquote><div>
<br></div></div><div>Welcome to the community!! :) Sorry for the doom and gloom reply....</div><div><br></div>This is a sipvicious attack. It's a very aggressive type of brute force attack. Fail2ban is a great intrusion detection system. Google it...<div>
<br></div></div></div></blockquote></div><div><br>Yeah, I have fail2ban implemented, but as I'm in a loop my rules are not working; now I will correct everything<br><br> </div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div class="gmail_quote"><div></div><div>Quick word of advice. These attacks are brutal and very effective. If you put a SIP server on the internet, it's just a matter of time before you see this attack. Once they break into your box, they'll stick you on a call center calling cellphones in Neru which will probably cost you a few dollars USD per minute. It only takes an hour or so to rack up several thousand dollars of phone bills. So take it seriously.. I'm *not* exaggerating.</div>
<div><br></div></div></div></blockquote></div><div><br>Yes, I know, I'm coming from the Asterisk world, I have some experience with some kinds of problems, thanks for the advice<br><br> </div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div class="gmail_quote"><div></div><div>Alternatively, if you are comfortable with checking UA, I'd just drop the packet rather than put in CPU cycles and reply:</div><div> if($ua=~"friendly-scanner"){<br>
drop();<br>
}<br><br></div></div></div></blockquote><div> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div class="gmail_quote"><div>
</div><div>These guys will hit your server with a few hundred CPS (I've seen 300CPS before from this). So don't let your server get wrapped up in replying to it. Especially don't log each attempt. FWIW, normal syslog writes are fairly expensive. Be sure to enable async logging in syslog (stick a "-" before the log file name and restart syslog on many systems..)</div>
</div></div></blockquote></div><div><br>OK, I will do this, thanks<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div class="gmail_quote">
<div><br></div><div>-Brett</div><div><br></div><div> </div></div></div><div class="im">
<br></div></blockquote></div><br>
</div><br>
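<div>An added example (not code from this thread or from the OpenSIPS project): the two signals discussed above, the "friendly-scanner" User-Agent and the REGISTER rate, evaluated per transport source address, because addresses inside the SIP message are sender-supplied and here carry the server's own IP. The function names, thresholds and sample addresses are assumptions constructed for illustration; the result is one summary per source instead of a log line per attempt.</div>

```python
import re
from collections import defaultdict, deque

UA_RE = re.compile(r"^User-Agent:\s*(.*)$", re.I | re.M)
SCANNER_RE = re.compile(r"friendly-scanner", re.I)  # UA string quoted in the thread

def classify(packets, max_per_window=20, window=1.0):
    """packets: iterable of (timestamp, transport_src_ip, raw_sip_text).
    Returns {src_ip: {"count": n, "reasons": set}} for sources worth blocking.
    Only the transport source address is used as the key; Via/Contact/From
    values are ignored because the sender chooses them."""
    recent = defaultdict(deque)          # src_ip -> timestamps of recent REGISTERs
    flagged = {}
    for ts, src, raw in packets:
        reasons = set()
        m = UA_RE.search(raw)
        if m and SCANNER_RE.search(m.group(1)):
            reasons.add("ua")
        if raw.startswith("REGISTER "):
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) > max_per_window:
                reasons.add("rate")
        if reasons:
            entry = flagged.setdefault(src, {"count": 0, "reasons": set()})
            entry["count"] += 1
            entry["reasons"] |= reasons
    return flagged

def sip_register(ua, claimed_ip):
    """Build a minimal constructed REGISTER; claimed_ip is what the headers say."""
    return (f"REGISTER sip:{claimed_ip} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {claimed_ip}:5060\r\n"
            f"User-Agent: {ua}\r\n\r\n")

def sample():
    """Constructed traffic; all addresses are documentation ranges."""
    server = "192.0.2.10"   # our own IP, as it appears inside the attack packets
    pk = [(i * 0.2, "198.51.100.7", sip_register("friendly-scanner", server))
          for i in range(5)]                                  # matches on UA
    pk += [(10 + i / 300, "203.0.113.9", sip_register("Generic Phone", server))
           for i in range(300)]                               # 300 per second, other UA
    pk += [(i * 60.0, "198.51.100.50", sip_register("Generic Phone", "198.51.100.50"))
           for i in range(3)]                                 # normal phone
    return sorted(pk)

if __name__ == "__main__":
    for src, info in classify(sample()).items():
        print(src, info["count"], sorted(info["reasons"]))   # one line per source
```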