[OpenSIPS-Users] How to protect OpenSIPS from undesidered requests (DoS attack?)

leo uzcudunl at yahoo.it
Wed Mar 6 19:58:29 CET 2013


Hello Bakko:

I have it configured as you do, but I'm still not getting events in the opensips.log file like "Auth error for $fU@$fd from $si cause" for packets:

19:52:41.100695 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4 (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 370)
    199.217.115.214.5981 > [my SIP Server].5060: [udp sum ok] SIP, length: 342
    REGISTER sip:[my SIP Server] SIP/2.0
    Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport
    Content-Length: 0
    From: "5988" <sip:5988@[my SIP Server]>
    Accept: application/sdp
    User-Agent: friendly-scanner
    To: "5988" <sip:5988@[my SIP Server]>
    Contact: sip:123@1.1.1.1
    CSeq: 1 REGISTER
    Call-ID: 1787915151
    Max-Forwards: 70


I've also added Nick's suggestion:
if ($ua =~ "friendly-scanner") {
        xlog("L_ERR", "Attack attempt - Request dropped");
        drop();
}

But I don't have those events in the opensips.log file either.

Any clue?
Thanks,
Leo



________________________________
 From: bakko [via OpenSIPS (Open SIP Server)] <ml-node+s1449251n7585097h85 at n2.nabble.com>
To: leo <uzcudunl at yahoo.it>
Sent: Wednesday, 6 March 2013 11:49
Subject: Re: How to protect OpenSIPS from undesidered requests (DoS attack?)
 

Hello, 

I'm using this configuration: 

if (is_method("REGISTER")) {
         $var(auth_code) = www_authorize("", "subscriber");
         # -1 = invalid user, -2 = invalid password (auth_db return codes)
         if ( $var(auth_code) == -1 || $var(auth_code) == -2 ) {
                 xlog("L_NOTICE","Auth error for $fU@$fd from $si cause $var(auth_code)");
         }
         if ( $var(auth_code) < 0 ) {
                 www_challenge("", "0");
                 exit;
         }
         save("location");
         exit;
}

on 

/etc/fail2ban/filter.d/opensips.conf 

# Fail2Ban configuration file 
# 
# 
# $Revision: 250 $ 
# 

[INCLUDES] 

# Read common prefixes. If any customizations available -- read them from 
# common.local 
#before = common.conf 


[Definition] 

#_daemon = opensips 

# Option:  failregex 
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT 
# 

failregex = Auth error for .* from <HOST> cause -[0-9] 

# Option:  ignoreregex 
# Notes.:  regex to ignore. If this regex matches, the line is ignored. 
# Values:  TEXT 
# 
ignoreregex = 

and on /etc/fail2ban/jail.conf 

[opensips] 
enabled  = true 
filter   = opensips 
action   = iptables-allports[name=opensips, protocol=all]
           sendmail-whois[name=opensips, dest=[hidden email], sender=[hidden email]]
logpath  = /var/log/opensips.log 
maxretry = 3 
bantime = 7200 


Regards 


_______________________________________________ 
Users mailing list 
[hidden email] 
http://lists.opensips.org/cgi-bin/mailman/listinfo/users





--
View this message in context: http://opensips-open-sip-server.1449251.n2.nabble.com/How-to-protect-OpenSIPS-from-undesidered-requests-DoS-attack-tp7585091p7585123.html
Sent from the OpenSIPS - Users mailing list archive at Nabble.com.
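
Added example (not part of the original thread and not fail2ban's own code): a Python check of the failregex quoted above against sample log lines, using the <HOST> expansion given in the filter's own comment and the jail's maxretry. The log lines, host names and addresses are constructed; findtime and fail2ban's timestamp handling are left out.

```python
import re
from collections import Counter

# <HOST> alias exactly as quoted in the filter comment on this page.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"Auth error for .* from <HOST> cause -[0-9]"
MAXRETRY = 3  # maxretry from the [opensips] jail

# Constructed log lines: syslog prefix, domain and addresses are made up.
SAMPLE_LOG = """\
Mar  6 19:52:41 sip1 opensips[2211]: Auth error for 5988@sip.example.test from 192.0.2.10 cause -1
Mar  6 19:52:42 sip1 opensips[2211]: Auth error for 5989@sip.example.test from 192.0.2.10 cause -1
Mar  6 19:52:43 sip1 opensips[2211]: Auth error for 5990@sip.example.test from 192.0.2.10 cause -2
Mar  6 19:52:44 sip1 opensips[2211]: Auth error for alice@sip.example.test from 198.51.100.7 cause -2
Mar  6 19:52:45 sip1 opensips[2211]: Attack attempt - Request dropped
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag the way the filter comment describes it."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def count_failures(log_text, failregex=FAILREGEX):
    """Return (failures per host, lines the filter did not match)."""
    pattern = compile_failregex(failregex)
    hits, unmatched = Counter(), []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
        else:
            unmatched.append(line)
    return hits, unmatched


def hosts_to_ban(hits, maxretry=MAXRETRY):
    """Hosts whose failure count has reached maxretry."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    hits, unmatched = count_failures(SAMPLE_LOG)
    for host, count in hits.items():
        print(f"{host}: {count} failure(s)")
    print("would ban:", hosts_to_ban(hits))
    # A log line without a source address gives the filter nothing to act on.
    for line in unmatched:
        print("no match:", line)
```

Against a live log, `fail2ban-regex /var/log/opensips.log /etc/fail2ban/filter.d/opensips.conf` performs the same check with fail2ban's own parser.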