<font face="comic sans ms,sans-serif">Hi All,<br>thank you for your reply, Know i want to simulate an attacker to test if my fail2ban and pike module works good.<br>someone has an idea to do that?<br></font><br><div class="gmail_quote">
2012/10/9 SamyGo <span dir="ltr"><<a href="mailto:govoiper@gmail.com" target="_blank">govoiper@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<div><br><div>Very nice suggestions by Brett. I remember there are regular thread like these on the mailing lists and people share a lot of experiences. AFAIR there was some service which contains the IP addresses of known attackers available for users. OP needs to do some searching in this regard to collect more ideas.</div>
<div><br></div><div>* Nothing is _NOT_ CPU cycles free *</div><div><br></div><div>I'm not sure about sip vicious but if I were to detect and hack a SIP server I'd first start by sending OPTIONS on its ports. Mostly that's where things kick off. Changing the user-agent field is nothing big, so question is how do you know a hacker is about to get angry !! </div>
<div><br></div><div>I'd say it needs a time populated repository and a well crafted shell script to maintain the list of Hacker IPs captured in the past and use it across all the servers or devices. Let me explain the idea.</div>
<div><br></div><div><b> ii)</b> - For any incoming packets one needs to look-up the hacker's listing and detect if a known hacker or not.<br> <b>i)</b> - Take fail2ban for example, or pike module , or iptables rate limit mechanism to initially detect a new born hacker trying to access your sip server (yes will take few minutes to finally conclude that a particular source IP is hacker) - Store that IP in your hacker's listing.</div>
<div><b>iii)</b> - Use an intelligent script to share the detected hacker's IP across all the other SIP servers and router devices/firewall to block the traffic at network layer.</div><div><br></div><div><u>Critical Exceptions:</u> </div>
<div>Always ensure that the IP which is going to get blocked across the whole network perimeter is not your own server or within the same subnet as your's. It shouldn't be localhost as well.(Hint: IP spoofing) </div>
<div><br></div><div><u>Focus on Security rather Friendly-scanner:</u></div><div><u><br></u></div><div>One need to secure each and everything when it comes to security, just one layer security i.e fail2ban or iptables or pike module is never enough. Like Brett said you can drop packets once detected a "very friendly scanner", how about a customer who wants to toy with your service ! how about a massive DoS attack !! drop() won't help alone. iptables needs to be there to stop the packets from even reaching the SIP server app, then again why should the server's NIC be chocked up by that massive DoS ! your firewall or networking device should stop the packets from entering the network !</div>
<div><br></div><div>This is just not enough: How about a different unique new tool which sends malicious or malformed SIP packets to crash the server !! its just one packet but malformed -- all the above measures WILL fail !! Obviously needs to go one step ahead and use SNORT or anything like IDS+IPS to verify that the packet going through the network is not malformed.</div>
<div><br></div><div>Thats pretty much it for now. There are things which I've forgotten to write at the moment OR might not even know which I expect some one else may like to add.</div><div><br></div><div>Networks and Data Security is a huge field, and VoIP security alone has hundreds of book on the topic. </div>
<div><br></div><div><u>Interesting threads to read: </u></div><div><u><br></u></div><div><a href="http://lists.opensips.org/pipermail/users/2010-November/015243.html" target="_blank">http://lists.opensips.org/pipermail/users/2010-November/015243.html</a></div>
<div><a href="http://lists.opensips.org/pipermail/users/2011-June/018271.html" target="_blank">http://lists.opensips.org/pipermail/users/2011-June/018271.html</a></div><div>Read: <a href="http://blog.sipvicious.org/" target="_blank">http://blog.sipvicious.org/</a> to know more about the tool we all face every once a while.</div>
<div>Fail2ban for openSIPS :: <a href="http://www.opensips.org/Resources/DocsTutFail2ban" target="_blank">http://www.opensips.org/Resources/DocsTutFail2ban</a></div><div><br></div><div><br></div><div>--</div><div>Best Regards</div>
<div>Sammy</div><div><div class="h5">
<div><br></div><div><br></div><div> </div><div><br></div><div><br></div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Mon, Oct 8, 2012 at 6:31 PM, Brett Nemeroff <span dir="ltr"><<a href="mailto:brett@nemeroff.com" target="_blank">brett@nemeroff.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">First of all,<div>This is an attack from sipvicious. It is an *attack*. It will be very high rate (cps) and you do *not* want to use anything that consumes resources to attempt to block it.</div>
<div><br></div><div>First recommendation is to use iptables. In addition, you *should* put a check in your config for friendly-scanner and drop() the packet. Do not reply with a sip code. You want to be invisible to the attacker. If you reply with a sip code, they'll just scan you attempting to find a request combination that will return a usable result. </div>
<div><br></div><div>1. Do whatever you can to not use CPU resources to block this</div><div>2. Don't look like a SIP server to source IPs you do not recognize</div><div><br></div><div>I guarantee, if you look like a SIP server, you will get brutally attacked from unsolicited sources. </div>
<div><br></div><div>Read up on the fail2ban docs for asterisk. They have some good ideas in there on how to perform intrusion detection and how to automatically add offending traffic to fail2ban. You can do something similar in OpenSIPs. </div>
<div><br></div><div>I would be very curious to hear about other people's experiences using the Pike module to block this type of traffic. For what it's worth, I've seen attack traffic high enough in bandwidth to saturate a pretty beefy internet connection and I've even seen it crash routers. If you can avoid them finding you in the first place, that would be a much better option. </div>
<span><font color="#888888">
<div>-Brett</div></font></span><div><div><div><br><br><div class="gmail_quote">On Mon, Oct 8, 2012 at 7:53 AM, Engineer voip <span dir="ltr"><<a href="mailto:forvoip4@gmail.com" target="_blank">forvoip4@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<font color="#000066"><font face="comic sans ms,sans-serif">Hi,<br>I'm trying to use pike module and i'm using the script above, but when i execute this command " opensipsctl fifo pike_list"<br>i don't get any address blocked<br>
My opensips config is:<br><br>loadmodule "pike.so"<br>modparam("pike", "sampling_time_unit", 10)<br>modparam("pike", "reqs_density_per_unit", 30)<br>modparam("pike", "remove_latency", 120)<br>
modparam("pike", "check_route","pike") # enable automatic checking<br>modparam("pike", "pike_log_level",1)<br><br>route[pike]<br>{<br> if (src_ip==x.x.x.x ||src_ip==gw_ip) # Trusted IP<br>
xlog("L_INFO", "in pike route ");<br> drop();<br>}<br><br>have you an idea please toresolve that?<br></font></font><div><div><br><div class="gmail_quote">2012/10/8 SamyGo <span dir="ltr"><<a href="mailto:govoiper@gmail.com" target="_blank">govoiper@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p>Hi,<br>
Relax it says its Friendly !! </p>
<p>But still if you want to block it you've many options i.e in opensips.cfg start put a condition $ua =~ "friendly-scanner". If matched return stateless some error.<br>
Other option is to use pike module.<br>
Another option is use fail2ban for opensips logs. <br>
More sophisticated options involve firewalls with IPS and IDS modules.</p>
<p>I hope it was helpful.</p>
<p>BR<br>
Sammy<br>
</p>
<div class="gmail_quote"><div><div>On Oct 8, 2012 2:33 PM, "Engineer voip" <<a href="mailto:forvoip4@gmail.com" target="_blank">forvoip4@gmail.com</a>> wrote:<br type="attribution"></div></div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
<font face="comic sans ms,sans-serif">Hi All,<br>I receveid several packets </font><font face="comic sans ms,sans-serif"><font face="comic sans ms,sans-serif"> of registration </font>from a </font><font face="comic sans ms,sans-serif"> "friendly-scanner" on my opensips server<br>
how can i do to block that please??<br clear="all"></font><br>-- <br><font color="#663300"><font face="comic sans ms,sans-serif"><br><span>Best Regards.</span><br></font></font><br><br>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br><br clear="all"><br></div></div><span><font color="#888888">-- <br><font color="#663300"><font face="comic sans ms,sans-serif"><br><span>Best Regards.</span><br></font></font><br>
<br>
</font></span><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div></div></div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><font color="#663300"><font face="comic sans ms,sans-serif"><br><span style="color:rgb(0,0,0)">Best Regards.</span><br></font></font><br><br>