<div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:10pt">Hello Bakko:<br><br>I have it configured as you do, but I'm still not getting events in the opensips.log file like "Auth error for $fU@$fd from $si cause" for packets:<br><br>19:52:41.100695 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)<br> 199.217.115.214.5981 > [my SIP Server].5060: [udp sum ok] SIP, length: 342<br> REGISTER sip:[my SIP Server] SIP/2.0<br> Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport<br> Content-Length: 0<br> From: "5988" <sip:5988@[my SIP Server]><br> Accept: application/sdp<br> User-Agent: friendly-scanner<br> To: "5988" <sip:5988@[my SIP Server]><br> Contact: sip:123@1.1.1.1<br> CSeq: 1 REGISTER<br> Call-ID: 1787915151<br> Max-Forwards: 70<br><br><br>I've also added Nick's suggestion:<br><span>if ($ua =~ "friendly-scanner") {</span><div><span> xlog("L_ERR", "Attack attempt - Request dropped");</span></div><div><span> drop();</span></div><div><span> }<br><br>But I don't have those events in the opensips.log file either.<br><br>Any clue?<br>Thanks,</span><br></div>Leo<br><br><div style="font-family: verdana, helvetica, sans-serif; font-size: 10pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> bakko [via OpenSIPS (Open SIP Server)] <<a href="/user/SendEmail.jtp?type=node&node=7585123&i=0" target="_top" rel="nofollow" link="external">[hidden email]</a>><br> <b><span style="font-weight: bold;">To:</span></b> leo <<a href="/user/SendEmail.jtp?type=node&node=7585123&i=1" target="_top" rel="nofollow" link="external">[hidden email]</a>> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, 6 March 2013 11:49<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: How to protect OpenSIPS from undesidered requests (DoS attack?)<br> </font> </div> <br><meta http-equiv="x-dns-prefetch-control" content="off"><div id="yiv1922962463">
        Hello,
<br><br>I'm using this configuration:
<br><br>if (is_method("REGISTER")) {
<br> $var(auth_code) = www_authorize("", "subscriber");
<br> if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
<br> # keep the message on one line so the fail2ban failregex below can match it
<br> xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
<br> }
<br> if ( $var(auth_code) < 0 ) {
<br> www_challenge("", "0");
<br> exit;
<br> }
<br> save("location");
<br> exit;
<br>}
<br><br>on
<br><br>/etc/fail2ban/filter.d/opensips.conf
<br><br># Fail2Ban configuration file
<br>#
<br>#
<br># $Revision: 250 $
<br>#
<br><br>[INCLUDES]
<br><br># Read common prefixes. If any customizations available -- read them from
<br># common.local
<br>#before = common.conf
<br><br><br>[Definition]
<br><br>#_daemon = opensips
<br><br># Option: failregex
<br># Notes.: regex to match the password failures messages in the logfile. The
<br># host must be matched by a group named "host". The tag "<HOST>" can
<br># be used for standard IP/hostname matching and is only an alias for
<br># (?:::f{4,6}:)?(?P<host>\S+)
<br># Values: TEXT
<br>#
<br><br>failregex = Auth error for .* from <HOST> cause -[0-9]
<br><br># Option: ignoreregex
<br># Notes.: regex to ignore. If this regex matches, the line is ignored.
<br># Values: TEXT
<br>#
<br>ignoreregex =
<br><br>and on /etc/fail2ban/jail.conf
<br><br>[opensips]
<br>enabled = true
<br>filter = opensips
<br>action = iptables-allports[name=opensips, protocol=all]
<br> sendmail-whois[name=opensips, dest=<a href="" rel="nofollow" target="_top" link="external">[hidden email]</a>, sender=<a href="" rel="nofollow" target="_top" link="external">[hidden email]</a>]
<br>logpath = /var/log/opensips.log
<br>maxretry = 3
<br>bantime = 7200
<br><br><br>Regards
</div><meta http-equiv="x-dns-prefetch-control" content="on"><br><br> </div> </div> </div>
        
        
        
<br/><hr align="left" width="300" />
View this message in context: <a href="http://opensips-open-sip-server.1449251.n2.nabble.com/How-to-protect-OpenSIPS-from-undesidered-requests-DoS-attack-tp7585091p7585123.html">Re: How to protect OpenSIPS from undesidered requests (DoS attack?)</a><br/>
Sent from the <a href="http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html">OpenSIPS - Users mailing list archive</a> at Nabble.com.<br/>
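An added example, not part of the original thread: a simplified Python model of how the posted failregex and maxretry act on log lines, using the `<HOST>` alias quoted in the filter comments. The syslog prefix, user name and addresses are constructed, and real fail2ban also parses the timestamp, which this model ignores.

```python
import re

# <HOST> alias as given in the filter's own comments on this page.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = "Auth error for .* from <HOST> cause -[0-9]"   # from the posted filter
MAXRETRY = 3                                                # from the posted jail

# Constructed log samples (syslog prefix, user and addresses are made up).
PREFIX = "Mar  6 19:52:41 sip1 /usr/sbin/opensips[2041]: "
ONE_LINE = "\n".join(
    PREFIX + "Auth error for 5988@sip.example.test from 203.0.113.10 cause -1"
    for _ in range(3))
# Same message if the e-mail's line wrap were kept inside the xlog string.
WRAPPED = "\n".join(
    PREFIX + "Auth error for 5988@sip.example.test from 203.0.113.10 cause\n-1"
    for _ in range(3))
# The friendly-scanner xlog text carries no source address at all.
SCANNER = "\n".join(PREFIX + "Attack attempt - Request dropped" for _ in range(3))


def hosts_to_ban(log_text, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Simplified model of the filter: match line by line, count hits per host."""
    rx = re.compile(failregex.replace("<HOST>", HOST_ALIAS))
    hits = {}
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            host = m.group("host")
            hits[host] = hits.get(host, 0) + 1
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, log in (("one-line", ONE_LINE), ("wrapped", WRAPPED), ("scanner", SCANNER)):
        print(name, hosts_to_ban(log))
```

Only the one-line form yields a host to ban. For the friendly-scanner branch to feed the same jail, its xlog text would need to include $si and be covered by a matching failregex.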