<div>A few suggestions (mostly already suggested by many people in this thread; I am only arranging them in the order of a secure setup). The OpenSIPS log level should be at least 2.</div><div><br></div><div>1. I usually filter out all known nasty users / attackers right in the sanity check section of the default request route. My sanity check section is structured something like this:</div>
<div><br></div><div> a). Check Max-Forwards.</div><div> b). Check message size.</div><div> c). Check the User-Agent string against a filter list; you can use the permissions module for this, as well as hard-coding User-Agents as Nick suggested.</div>
<div><br></div><div>############################################</div><pre>
route {
        # 1a. Hop count: stop looping or endlessly relayed requests before doing any work
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                exit;
        };

        # 1b. Message size: reject oversized requests (the stock config compares msg:len against a literal such as 2048)
        if (msg:len > max_len) {
                sl_send_reply("513","Message Too Big");
                exit;
        };

        # 1c. User-Agent filter: log the known scanner and drop it silently (no reply is sent on purpose)
        if ($ua =~ "friendly-scanner") {
                xlog("L_WARN", "[$pr:$fU@$si:$sp]: Rejecting '$rm' request from bogus device '$ua' \n");
                exit;
        };
...
</pre><div>#####################################</div>
<div><br></div><div><br></div><div>2. Then in the authentication section, I make sure to authenticate both INVITE and REGISTER requests. Check the return code of both www_authorize and proxy_authorize, and if it is -1 or -2, xlog a line about the intruder; that line is picked up by fail2ban to block the user (make sure the text pattern in your xlog matches the failregex in fail2ban!).</div>
<div><br></div><div>#####################################</div><pre>
...
                # Same pattern for REGISTER (www_authorize) and INVITE (proxy_authorize)
                if (!www_authorize("","subscriber")) {
                        # $retcode holds the module's negative result: -1 user not found, -2 wrong password
                        switch ($retcode) {
                                case -1:
                                        xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', peer not found - User-Agent: '$ua' \n");
                                        break;
                                case -2:
                                        xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', wrong password - User-Agent: '$ua' \n");
                                        break;
                                ...
                        };

                        # Challenge the client (the second argument "1" adds a qop parameter) and stop here
                        www_challenge("", "1");
                        exit;
                };
...
</pre><div>#######################################</div><div><br></div>Thank you.<br><div><br><br><div class="gmail_quote">On Wed, Mar 6, 2013 at 7:58 PM, leo <span dir="ltr">&lt;<a href="mailto:uzcudunl@yahoo.it" target="_blank">uzcudunl@yahoo.it</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:10pt;font-family:verdana,helvetica,sans-serif">Hello Bakko:<br><br>I have it configured as you do, but I'm still not getting events in the opensips.log file like "Auth error for $fU@$fd from $si cause" for packets such as:<br>
<pre>
19:52:41.100695 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)
    199.217.115.214.5981 > [my SIP Server].5060: [udp sum ok] SIP, length: 342
REGISTER sip:[my SIP Server] SIP/2.0
Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport
Content-Length: 0
From: "5988" &lt;sip:5988@[my SIP Server]&gt;
Accept: application/sdp
User-Agent: friendly-scanner
To: "5988" &lt;sip:5988@[my SIP Server]&gt;
Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1787915151
Max-Forwards: 70
</pre>
<br>I've also added Nick's suggestion:<br>
<pre>
if ($ua =~ "friendly-scanner") {
        xlog("L_ERR", "Attack attempt - Request dropped");
        drop();
}
</pre>
<br>But I don't have those events in the opensips.log file either.<br><br>Any clue?<br>Thanks,<br>Leo<br><br><div style="font-family:verdana,helvetica,sans-serif;font-size:10pt">
<div style="font-family:times new roman,new york,times,serif;font-size:12pt">
<div dir="ltr"> <font face="Arial"> <hr size="1"> <b><span style="font-weight:bold">From:</span></b> bakko [via OpenSIPS (Open SIP Server)] &lt;[hidden email]&gt;<br> <b><span style="font-weight:bold">To:</span></b> leo &lt;[hidden email]&gt; <br>
<b><span style="font-weight:bold">Sent:</span></b> Wednesday, 6 March 2013 11:49<br> <b><span style="font-weight:bold">Subject:</span></b> Re: How to protect OpenSIPS from undesidered requests (DoS attack?)<br> </font> </div>
<br><div><div><div class="h5">
Hello,
<br><br>I'm using this configuration:
<br><br>
<pre>
if (is_method("REGISTER")) {
        $var(auth_code) = www_authorize("", "subscriber");
        # -1 = user not found, -2 = wrong password: log one line for fail2ban
        if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
                xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
        }
        # any other negative code (e.g. no credentials yet) is answered with a challenge
        if ( $var(auth_code) < 0 ) {
                www_challenge("", "0");
                exit;
        }
        save("location");
        exit;
}
</pre>
<br>in
<br><br>/etc/fail2ban/filter.d/opensips.conf
<br><br>
<pre>
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = opensips

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "&lt;HOST&gt;" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P&lt;host&gt;\S+)
# Values:  TEXT
#
failregex = Auth error for .* from &lt;HOST&gt; cause -[0-9]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
</pre>
<br>and in /etc/fail2ban/jail.conf
<br><br>
<pre>
[opensips]
enabled  = true
filter   = opensips
action   = iptables-allports[name=opensips, protocol=all]
           sendmail-whois[name=opensips, dest=[hidden email], sender=[hidden email]]
logpath  = /var/log/opensips.log
maxretry = 3
bantime  = 7200
</pre>
</div></div><div class="im">
<br><br><br>Regards
<br><br><br>_______________________________________________
<br>Users mailing list
<br></div><a rel="nofollow" link="external">[hidden email]</a>
<br><a rel="nofollow" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" link="external" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</div><br><br> </div> </div> </div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Muhammad Shahzad</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">------------------------------</span><span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">-----</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">CISCO Rich Media Communication Specialist (CRMCS)</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">CISCO Certified Network Associate (CCNA)</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Cell: +49 176 99 83 10 85</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">MSN: </span><a href="mailto:shari_786pk@hotmail.com" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">shari_786pk@hotmail.com</a><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Email: </span><a href="mailto:shaheryarkh@googlemail.com" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">shaheryarkh@googlemail.com</a>
</div>
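The point running through all three messages is that the text written by xlog() and the failregex in the fail2ban filter have to agree character for character, and that fail2ban only bans after maxretry matches from the same host inside findtime. The block below is an added example, not code from the thread, from OpenSIPS or from fail2ban: it re-implements in plain Python the part of fail2ban's filter that matters here (expansion of the &lt;HOST&gt; tag, failregex and ignoreregex, maxretry within findtime) and runs both log formats posted above through both failregex lines, so a mismatch like Leo's shows up as zero matches before anything is deployed. The log lines are constructed samples; the syslog prefix in front of the xlog text is an assumption, and the lines only need to carry a syslog timestamp in the first 15 characters. It also demonstrates a caveat that neither format guards against: with a greedy `.*` in front of &lt;HOST&gt;, a peer that controls a later field in the line (the User-Agent in Shahzad's format) can forge a second "from '...'" clause and make fail2ban ban an address of its choosing.

```python
"""Offline check that an OpenSIPS xlog() line and a fail2ban failregex agree.

Added example for this thread; not code from OpenSIPS, fail2ban or any poster.
It re-implements the part of fail2ban's filter that matters here (<HOST>
expansion, failregex/ignoreregex, maxretry within findtime).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to exactly this group (see the filter file above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two log formats posted in the thread, written as failregex lines.
FAILREGEX_BAKKO = r"Auth error for .* from <HOST> cause -[0-9]"
FAILREGEX_SHAHZAD = r"Auth error for '.*' from '<HOST>', (?:peer not found|wrong password)"
# Same as Shahzad's, but the user field cannot swallow a later, forged "from '...'"
# (assumes $tU carries no quote character; logging $si first would remove the issue).
FAILREGEX_SHAHZAD_SAFER = r"Auth error for '[^']*' from '<HOST>', (?:peer not found|wrong password)"

# Constructed sample lines; the syslog prefix is an assumption, only the xlog text is matched.
LOG_BAKKO_FORMAT = """\
Mar  6 19:52:41 sip opensips[2214]: Auth error for 5988@sip.example.net from 199.217.115.214 cause -1
Mar  6 19:52:42 sip opensips[2214]: Auth error for 5989@sip.example.net from 199.217.115.214 cause -1
Mar  6 19:52:43 sip opensips[2214]: Auth error for 5990@sip.example.net from 199.217.115.214 cause -1
"""
LOG_SHAHZAD_FORMAT = """\
Mar  6 19:53:01 sip opensips[2214]: [UDP:1001@203.0.113.7:5060]: Auth error for '1001' from '203.0.113.7', wrong password - User-Agent: 'Grandstream'
Mar  6 19:53:05 sip opensips[2214]: [UDP:100@198.51.100.9:5062]: Auth error for '100' from '198.51.100.9', peer not found - User-Agent: 'friendly-scanner'
Mar  6 19:53:06 sip opensips[2214]: [UDP:101@198.51.100.9:5062]: Auth error for '101' from '198.51.100.9', peer not found - User-Agent: 'friendly-scanner'
Mar  6 19:53:07 sip opensips[2214]: [UDP:102@198.51.100.9:5062]: Auth error for '102' from '198.51.100.9', peer not found - User-Agent: 'friendly-scanner'
Mar  6 19:53:08 sip opensips[2214]: [UDP:103@198.51.100.9:5062]: Auth error for '103' from '198.51.100.9', peer not found - User-Agent: 'friendly-scanner'
"""
# A scanner chooses its own User-Agent; this constructed one embeds a fake "from" clause.
INJECTED_LINE = ("Mar  6 19:54:00 sip opensips[2214]: [UDP:100@198.51.100.9:5062]: "
                 "Auth error for '100' from '198.51.100.9', peer not found - "
                 "User-Agent: '' from '10.0.0.1', wrong password'")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def extract_host(failregex, line):
    """Host fail2ban would ban for this line, or None if the line does not match."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def scan(log_text, failregex, maxretry=3, findtime=timedelta(seconds=600), ignoreregex=None):
    """Replay log lines through a jail; return (matched_lines, banned_hosts_in_ban_order)."""
    rx = compile_failregex(failregex)
    ign = re.compile(ignoreregex) if ignoreregex else None
    recent = defaultdict(deque)   # host -> timestamps of matches still inside findtime
    banned = []
    matched = 0
    for line in log_text.splitlines():
        if not line.strip() or (ign and ign.search(line)):
            continue
        m = rx.search(line)
        if m is None:
            continue
        matched += 1
        host = m.group("host")
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog timestamp prefix
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return matched, banned


if __name__ == "__main__":
    for log_name, log in (("bakko format", LOG_BAKKO_FORMAT), ("shahzad format", LOG_SHAHZAD_FORMAT)):
        for rx_name, rx in (("bakko regex", FAILREGEX_BAKKO), ("shahzad regex", FAILREGEX_SHAHZAD)):
            print(f"{log_name} + {rx_name}: {scan(log, rx)}")
    print("greedy regex would ban:", extract_host(FAILREGEX_SHAHZAD, INJECTED_LINE))
    print("safer regex would ban: ", extract_host(FAILREGEX_SHAHZAD_SAFER, INJECTED_LINE))
```

Two things the matcher cannot show and that matter for Leo's capture. First, the REGISTER from friendly-scanner carries no Authorization header at all; in OpenSIPS 1.x auth_db, www_authorize returns -4 (no credentials) for such a request, so a script that only logs on -1 and -2 writes nothing for it. Logging -4 as well is a policy choice, because every legitimate phone's first REGISTER also arrives without credentials and is challenged the same way. Second, every field a peer controls ($fU, $tU, $ua) that sits between the start of the failregex and &lt;HOST&gt; is a log-injection surface; the safest layout is to put $si right after a fixed literal and the peer-controlled fields after it, so the regex needs no wildcard before the host.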