<div>A few suggestions (mostly already suggested by many guys in this thread; I am only arranging them in the order of a secure setup). The OpenSIPS log level should be at least 2.</div><div><br></div><div>1. I usually filter out all known nasty users / attackers right in the sanity check section of the default request route. My sanity check section is structured something like this:</div>

<div><br></div><div>    a). check max forwards.</div><div>    b). check message size.</div><div>    c). check the User-Agent string against a filter list; you can use the permissions module for this, or hard-code user agents as Nick suggested.</div>

<div><br></div><div>############################################</div><div>route {</div><div><div><span class="Apple-tab-span" style="white-space:pre">        </span>if (!mf_process_maxfwd_header(&quot;10&quot;)) {</div><div><span class="Apple-tab-span" style="white-space:pre">                </span>sl_send_reply(&quot;483&quot;,&quot;Too Many Hops&quot;);</div>

<div><span class="Apple-tab-span" style="white-space:pre">                </span>exit;</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>};</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>if (msg:len &gt; max_len) {</div>

<div><span class="Apple-tab-span" style="white-space:pre">                </span>sl_send_reply(&quot;513&quot;,&quot;Message Too Big&quot;);</div><div><span class="Apple-tab-span" style="white-space:pre">                </span>exit;</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>};</div>

<div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>if ($ua =~ &quot;friendly-scanner&quot;) {</div><div><span class="Apple-tab-span" style="white-space:pre">                </span>xlog(&quot;L_WARN&quot;, &quot;[$pr:$fU@$si:$sp]: Rejecting &#39;$rm&#39; request from bogus device &#39;$ua&#39; \n&quot;);</div>

<div><span class="Apple-tab-span" style="white-space:pre">                </span>exit;</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>};</div></div><div>...</div><div>#####################################</div>
<div>
<br></div><div><br></div><div>2. Then in the authentication section, I make sure to authenticate both INVITE and REGISTER requests. Check the return code of both www_authorize and proxy_authorize, and if it is -1 or -2 then use xlog to log the intruder; that log line is picked up by fail2ban to block the user (make sure the text pattern in your xlog matches the failregex in fail2ban!).</div>

<div><br></div><div>#####################################</div><div>...</div><div><div><span class="Apple-tab-span" style="white-space:pre">                </span>if (!www_authorize(&quot;&quot;,&quot;subscriber&quot;)) {</div><div><span class="Apple-tab-span" style="white-space:pre">                        </span>switch ($retcode) {</div>

<div><span class="Apple-tab-span" style="white-space:pre">                                </span>case -1:</div><div><span class="Apple-tab-span" style="white-space:pre">                                        </span>xlog(&quot;L_NOTICE&quot;, &quot;[$pr:$fU@$si:$sp]: Auth error for &#39;$tU&#39; from &#39;$si&#39;, peer not found - User-Agent: &#39;$ua&#39; \n&quot;);</div>

<div><span class="Apple-tab-span" style="white-space:pre">                                        </span>break;</div><div><span class="Apple-tab-span" style="white-space:pre">                                </span>case -2:</div><div><span class="Apple-tab-span" style="white-space:pre">                                        </span>xlog(&quot;L_NOTICE&quot;, &quot;[$pr:$fU@$si:$sp]: Auth error for &#39;$tU&#39; from &#39;$si&#39;, wrong password - User-Agent: &#39;$ua&#39; \n&quot;);</div>

<div><span class="Apple-tab-span" style="white-space:pre">                                        </span>break;</div><div>                                ...</div><div><span class="Apple-tab-span" style="white-space:pre">                        </span>};</div><div><br></div><div>

<span class="Apple-tab-span" style="white-space:pre">                        </span>www_challenge(&quot;&quot;, &quot;1&quot;);</div><div><span class="Apple-tab-span" style="white-space:pre">                        </span>exit;</div><div><span class="Apple-tab-span" style="white-space:pre">                </span>};</div>

</div><div>...</div><div>#######################################</div><div><br></div>Thank you.<br><div><br><br><div class="gmail_quote">On Wed, Mar 6, 2013 at 7:58 PM, leo <span dir="ltr">&lt;<a href="mailto:uzcudunl@yahoo.it" target="_blank">uzcudunl@yahoo.it</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:10pt;font-family:verdana,helvetica,sans-serif">Hello Bakko:<br><br>I&#39;ve configured it as you have, but I&#39;m still not getting events in the opensips.log file like &quot;Auth error for $fU@$fd from $si cause&quot; for packets:<br>

<br>19:52:41.100695 00:08:e3:20:fb:b6 &gt; 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)<br>    199.217.115.214.5981 &gt; [my SIP Server].5060: [udp sum ok] SIP, length: 342<br>

    REGISTER sip:[my SIP Server] SIP/2.0<br>    Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport<br>    Content-Length: 0<br>    From: &quot;5988&quot; &lt;sip:5988@[my SIP Server]&gt;<br>    Accept: application/sdp<br>

    User-Agent: friendly-scanner<br>    To: &quot;5988&quot; &lt;sip:5988@[my SIP Server]&gt;<div class="im"><br>    Contact: <a href="mailto:sip%3A123@1.1.1.1" target="_blank">sip:123@1.1.1.1</a><br>    CSeq: 1 REGISTER<br></div>    Call-ID: 1787915151<br>    Max-Forwards: 70<br><br><br>I&#39;ve also added Nick&#39;s suggestion:<div class="im">

<br><span>if ($ua =~ &quot;friendly-scanner&quot;) {</span><div><span>                xlog(&quot;L_ERR&quot;, &quot;Attack attempt - Request dropped&quot;);</span></div><div><span>                drop();</span></div></div>

<div><span>        }<br><br>But I don&#39;t have those events in the opensips.log file either.<br><br>Any clue?<br>Thanks,</span><br></div>Leo<br><br><div style="font-family:verdana,helvetica,sans-serif;font-size:10pt">
 <div style="font-family:times new roman,new york,times,serif;font-size:12pt">
 <div dir="ltr"> <font face="Arial"> <hr size="1">  <b><span style="font-weight:bold">From:</span></b> bakko [via OpenSIPS (Open SIP Server)]
 &lt;<a href="http://user/SendEmail.jtp?type=node&amp;node=7585123&amp;i=0" rel="nofollow" link="external" target="_blank">[hidden email]</a>&gt;<br> <b><span style="font-weight:bold">To:</span></b> leo &lt;<a href="http://user/SendEmail.jtp?type=node&amp;node=7585123&amp;i=1" rel="nofollow" link="external" target="_blank">[hidden email]</a>&gt; <br>

 <b><span style="font-weight:bold">Sent:</span></b> Wednesday 6 March 2013 11:49<br> <b><span style="font-weight:bold">Subject:</span></b> Re: How to protect OpenSIPS from undesidered requests (DoS attack?)<br> </font> </div>

 <br><div><div><div class="h5">

        Hello,
<br><br>I&#39;m using this configuration:
<br><br>if (is_method(&quot;REGISTER&quot;)) {
<br>         $var(auth_code) = www_authorize(&quot;&quot;, &quot;subscriber&quot;);
<br>         if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
<br>                 xlog(&quot;L_NOTICE&quot;,&quot;Auth error for $fU@$fd from $si cause $var(auth_code)&quot;);
<br>         }
<br>         if ( $var(auth_code) &lt; 0 ) {
<br>                 www_challenge(&quot;&quot;, &quot;0&quot;);
<br>                 exit;
<br>         }
<br>         save(&quot;location&quot;);
<br>         exit;
<br>}
<br><br>on
<br><br>/etc/fail2ban/filter.d/opensips.conf
<br><br># Fail2Ban configuration file
<br>#
<br>#
<br># $Revision: 250 $
<br>#
<br><br>[INCLUDES]
<br><br># Read common prefixes. If any customizations available -- read them from
<br># common.local
<br>#before = common.conf
<br><br><br>[Definition]
<br><br>#_daemon = opensips
<br><br># Option:  failregex
<br># Notes.:  regex to match the password failures messages in the logfile. The
<br>#          host must be matched by a group named &quot;host&quot;. The tag &quot;&lt;HOST&gt;&quot; can
<br>#          be used for standard IP/hostname matching and is only an alias for
<br>#          (?:::f{4,6}:)?(?P&lt;host&gt;\S+)
<br># Values:  TEXT
<br>#
<br><br>failregex = Auth error for .* from &lt;HOST&gt; cause -[0-9]
<br><br># Option:  ignoreregex
<br># Notes.:  regex to ignore. If this regex matches, the line is ignored.
<br># Values:  TEXT
<br>#
<br>ignoreregex =
<br><br>and on /etc/fail2ban/jail.conf
<br><br>[opensips]
<br>enabled  = true
<br>filter   = opensips
<br>action   = iptables-allports[name=opensips, protocol=all]
<br></div></div>            sendmail-whois[name=opensips, dest=<a rel="nofollow" link="external">[hidden email]</a>, 
<br>sender=<a rel="nofollow" link="external">[hidden email]</a>]
<br><div class="im">logpath  = /var/log/opensips.log
<br>maxretry = 3
<br>bantime = 7200
<br><br><br>Regards
<br><br><br>_______________________________________________
<br>Users mailing list
<br></div><a rel="nofollow" link="external">[hidden email]</a>
<br><a rel="nofollow" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" link="external" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>

        
        
        
</div><br><br> </div> </div>  </div>

        
        
        
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Muhammad Shahzad</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">

<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">------------------------------</span><span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">-----</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">

<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">CISCO Rich Media Communication Specialist (CRMCS)</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">

<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">CISCO Certified Network Associate (CCNA)</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">

<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Cell: +49 176 99 83 10 85</span><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">

<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">MSN: </span><a href="mailto:shari_786pk@hotmail.com" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">shari_786pk@hotmail.com</a><br style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">

<span style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Email: </span><a href="mailto:shaheryarkh@googlemail.com" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)" target="_blank">shaheryarkh@googlemail.com</a>
</div>
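As an added example (not code from this thread or from the OpenSIPS or fail2ban projects), the Python script below shows in practice what the warning about the xlog text having to match the fail2ban failregex means: it expands fail2ban's &lt;HOST&gt; tag the way the quoted filter comment describes, runs bakko's failregex plus two hypothetical ones for the quoted-IP xlog format of the top post over constructed opensips.log lines, and lists the hosts that reach maxretry. The function names, the two extra failregex lines and the sample log lines are assumptions.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag into this group (as the filter comment quoted in the
# thread states), so a bare <HOST> swallows any run of non-whitespace, quotes included.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

def compile_failregex(failregex):
    """Turn a fail2ban-style failregex containing <HOST> into a compiled regex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

# failregex from the quoted /etc/fail2ban/filter.d/opensips.conf
BAKKO_FAILREGEX = r"Auth error for .* from <HOST> cause -[0-9]"
# Two hypothetical failregex lines for the quoted-IP xlog format of the top post:
# the naive one leaves the quotes inside <HOST>, the fixed one keeps them outside.
NAIVE_FAILREGEX = r"Auth error for .* from <HOST>, (?:peer not found|wrong password)"
FIXED_FAILREGEX = r"Auth error for .* from '<HOST>', (?:peer not found|wrong password)"

def count_failures(lines, failregex):
    """Return {host: number of log lines the failregex matched for that host}."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

def hosts_to_ban(lines, failregex, maxretry=3):
    """Hosts with at least maxretry failures (the quoted jail.conf uses maxretry = 3)."""
    return sorted(h for h, n in count_failures(lines, failregex).items() if n >= maxretry)

# Constructed opensips.log sample; the addresses are documentation-range IPs, not real hosts.
SAMPLE_LOG = [
    # bakko's xlog format: "Auth error for $fU@$fd from $si cause $var(auth_code)"
    "Mar  6 19:52:41 sip opensips[1234]: Auth error for 5988@sip.example from 203.0.113.10 cause -2",
    "Mar  6 19:52:42 sip opensips[1234]: Auth error for 5989@sip.example from 203.0.113.10 cause -1",
    "Mar  6 19:52:43 sip opensips[1234]: Auth error for 5990@sip.example from 203.0.113.10 cause -1",
    "Mar  6 19:52:44 sip opensips[1234]: Auth error for 1001@sip.example from 198.51.100.7 cause -2",
    # the top post's xlog format: the IP is quoted, so bakko's failregex never matches it
    "Mar  6 19:53:01 sip opensips[1234]: [udp:5988@198.51.100.7:5981]: Auth error for '5988' from '198.51.100.7', peer not found - User-Agent: 'friendly-scanner'",
    "Mar  6 19:53:02 sip opensips[1234]: [udp:5988@198.51.100.7:5981]: Auth error for '5988' from '198.51.100.7', wrong password - User-Agent: 'friendly-scanner'",
    # sanity-check rejection from the top post; none of the failregex lines should count it
    "Mar  6 19:53:03 sip opensips[1234]: [udp:5988@198.51.100.7:5981]: Rejecting 'REGISTER' request from bogus device 'friendly-scanner'",
]

if __name__ == "__main__":
    for name, rx in (("bakko", BAKKO_FAILREGEX), ("naive", NAIVE_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(name, count_failures(SAMPLE_LOG, rx), "ban:", hosts_to_ban(SAMPLE_LOG, rx))
```

With the naive pattern the banned "host" would be the string with its quotes, which iptables cannot use, so the quotes belong outside the &lt;HOST&gt; tag.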