For now I'm just logging the connection and doing a block with fail2ban.<br><br><div class="gmail_quote">2011/6/29 Brett Nemeroff <span dir="ltr"><<a href="mailto:brett@nemeroff.com">brett@nemeroff.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Jun 29, 2011, at 2:01 AM, Saúl Ibarra Corretgé <<a href="mailto:saul@ag-projects.com">saul@ag-projects.com</a>> wrote:<br>
<br>
><br>
> On Jun 29, 2011, at 12:05 AM, <a href="mailto:duane.larson@gmail.com">duane.larson@gmail.com</a> wrote:<br>
><br>
>> I wouldn't even reply back with a "403 - Access Denied". If you do that then you just told whoever that you exist and you are SIP<br>
>><br>
><br>
> So? I would reply 200, so that it believes it has guessed right and will stop the flood. :-)<br>
<br>
</div>Actually, I've seen this do bad things. Makes the hackers think they<br>
got something. It's better if you can just pretend to not be a SIP<br>
server. If you 200 they might think that they have an easy box to<br>
crack and just need to keep trying extensions until they get one that<br>
works properly. Unless of course you are making a honeypot. That is,<br>
an extension that is easy to crack (or returns an immediate 200 when a<br>
friendly-scanner regs) and then inserts the source ip into your border<br>
router ACL automatically. But you can even honeypot it without<br>
returning 200 and you remain stealthy to them which I tend to still<br>
believe is a better idea.<br>
<font color="#888888">-Brett<br>
</font><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br>