<div dir="auto">Sending a 200 OK will notify the hacker that a SIP server exists on the IP/port; simply ignoring the request is best.</div><div class="gmail_extra"><br><div class="gmail_quote">On Apr 21, 2017 12:20 PM, "johan de clercq" <<a href="mailto:johan@democon.be">johan@democon.be</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div class="m_-9073904347695897913WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Another approach is sending 200 OK and then exit(). <u></u><u></u></span></p><p class="MsoNormal"><a name="m_-9073904347695897913__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></a></p><span></span><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Users [mailto:<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.<wbr>opensips.org</a>] <b>On Behalf Of </b>Schneur Rosenberg<br><b>Sent:</b> Friday, April 21, 2017 11:00 AM<br><b>To:</b> OpenSIPS users mailling list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br><b>Subject:</b> Re: [OpenSIPS-Users] Ghost calls 1001<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">The user agent variable is stored in $ua; do an if and drop().<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Regarding iptables, do something like this: <u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal"><a href="https://community.freepbx.org/t/stop-sipvicious-friendly-scanner/28580" 
target="_blank">https://community.freepbx.org/<wbr>t/stop-sipvicious-friendly-<wbr>scanner/28580</a><u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div></div></div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On Apr 21, 2017 10:12 AM, "Uzair Hassan" <<a href="mailto:uzairhassan@shaw.ca" target="_blank">uzairhassan@shaw.ca</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><div><p style="margin-right:0in;margin-bottom:12.0pt;margin-left:0in"><span style="color:black">Is there any documentation I could read to understand the process you just described? <u></u><u></u></span></p></div><div><p style="margin-right:0in;margin-bottom:10.0pt;margin-left:0in"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">On April 20, 2017 11:15:54 PM Schneur Rosenberg <<a href="mailto:rosenberg11219@gmail.com" target="_blank">rosenberg11219@gmail.com</a>> wrote:<u></u><u></u></span></p><blockquote style="border:none;border-left:solid gray 1.0pt;padding:0in 0in 0in 5.0pt;margin-left:4.5pt;margin-right:0in"><div><p class="MsoNormal"><span style="color:black">In addition to iptables/fail2ban you should inspect the useragent that the packets come from, most of them will come from sip vicious or friendly scanner etc, you can block them with iptables and/or with drop() in opensips, this will stop the scanner right away because he won't get any replies so he will just move on. 
<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="color:black"><u></u> <u></u></span></p><div><p class="MsoNormal"><span style="color:black">On Apr 21, 2017 8:11 AM, "Uzair Hassan" <<a href="mailto:uzairhassan@shaw.ca" target="_blank">uzairhassan@shaw.ca</a>> wrote:<u></u><u></u></span></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><div><p style="margin-right:0in;margin-bottom:12.0pt;margin-left:0in"><span style="color:black">Is there a way to change opensips port ? Whenever I try it doesn't even start. <u></u><u></u></span></p></div><div><p style="margin-right:0in;margin-bottom:10.0pt;margin-left:0in"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">On April 20, 2017 9:09:55 PM "Alexander Jankowsky" <<a href="mailto:E75A4669@exemail.com.au" target="_blank">E75A4669@exemail.com.au</a>> wrote:<u></u><u></u></span></p><blockquote style="border:none;border-left:solid gray 1.0pt;padding:0in 0in 0in 5.0pt;margin-left:4.5pt;margin-right:0in"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">You might need to do a Wireshark trace and find out if the calls originate externally into the system.</span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">If you are in an open DMZ with the router, that could be just the start of your problems.</span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I had Opensips 2.3.0-beta in the open on DMZ with the router for only a few hours and</span><span style="color:black"><u></u><u></u></span></p><p 
class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I then had a couple of dozen automated break-in attempts trying to access the system.</span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">You need to pay a lot of attention to the system logs, otherwise you may not even notice.</span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Go over your router very carefully and restrict everything you do not need exposed.</span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Port 5060 is a very popular target with automated robots; use another port if you're able to.</span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Alex</span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="color:black"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="color:black"><u></u><u></u></span></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Users [mailto:<a href="mailto:users-bounces@lists.opensips.org" 
target="_blank">users-bounces@lists.<wbr>opensips.org</a>] <b>On Behalf Of </b>Uzair Hassan<br><b>Sent:</b> Friday, 21 April 2017 6:16 AM<br><b>To:</b> <a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a><br><b>Subject:</b> [OpenSIPS-Users] Ghost calls 1001</span><span style="color:black"><u></u><u></u></span></p></div></div><p class="MsoNormal"><span style="color:black"> <u></u><u></u></span></p><div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Hello all, </span><span style="color:black"><u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"><u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I have set up OpenSIPS 2.3 on a new server and I'm getting ghost calls into my system. How do I stop these ghost calls? The OpenSIPS server is brand new. The install is clean and nothing has been touched after the initial simple residential script setup. 
What can I do to defend myself from these ghost calls.<br><br>Thank you so much.</span><span style="color:black"><u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"><u></u><u></u></span></p></div></div></div><p class="MsoNormal"><span style="color:black">______________________________<wbr>_________________<br>Users mailing list<br><a href="mailto:Users%40lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-<wbr>bin/mailman/listinfo/users</a><u></u><u></u></span></p></blockquote></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:black"><br>______________________________<wbr>_________________<br>Users mailing list<br><a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-<wbr>bin/mailman/listinfo/users</a><u></u><u></u></span></p></blockquote></div></div><p class="MsoNormal"><span style="color:black">______________________________<wbr>_________________<br>Users mailing list<br><a href="mailto:Users%40lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-<wbr>bin/mailman/listinfo/users</a><u></u><u></u></span></p></blockquote></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>______________________________<wbr>_________________<br>Users mailing list<br><a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" 
target="_blank">http://lists.opensips.org/cgi-<wbr>bin/mailman/listinfo/users</a><u></u><u></u></p></blockquote></div></div></div></div>
<br></blockquote></div></div>
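<p>The User-Agent check suggested in the thread (match on $ua, then drop() so no reply is sent), modelled in Python as an added example that is not part of the original messages and is not OpenSIPS code. The User-Agent substrings, the function names and the sample requests are assumptions constructed for illustration.</p>

```python
import re

# Assumed User-Agent substrings for the scanners named in the thread
# (SIPVicious / "friendly scanner"); extend the list from your own logs.
SCANNER_UA = re.compile(r"friendly-scanner|sipvicious", re.IGNORECASE)


def user_agent(raw: bytes) -> str:
    """Return the User-Agent value of a raw SIP request ('' if absent)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    # Unfold header values that continue on a line starting with whitespace.
    head = re.sub(r"\r\n[ \t]+", " ", head)
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return ""


def decide(raw: bytes) -> str:
    """'drop' = discard silently, send no reply; 'route' = process normally."""
    return "drop" if SCANNER_UA.search(user_agent(raw)) else "route"


# Constructed sample requests; addresses are documentation ranges.
TEMPLATE = (
    "{m} sip:1001@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed\r\n"
    "Call-ID: constructed-1\r\nCSeq: 1 {m}\r\n{ua}Content-Length: 0\r\n\r\n"
)


def sip(method: str, ua_line: str = "") -> bytes:
    return TEMPLATE.format(m=method, ua=ua_line).encode()


SAMPLES = {
    "scanner": sip("OPTIONS", "User-Agent: friendly-scanner\r\n"),
    "scanner_mixed_case": sip("INVITE", "user-agent:  SIPVicious\r\n"),
    "scanner_folded": sip("INVITE", "User-Agent:\r\n friendly-scanner\r\n"),
    "softphone": sip("REGISTER", "User-Agent: ExamplePhone 1.0\r\n"),
    "no_ua": sip("INVITE"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20s} ua={user_agent(msg)!r:22s} -> {decide(msg)}")
```

<p>The User-Agent header is set by the sender, so this match is a first filter alongside the iptables/fail2ban measures mentioned in the thread.</p>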