[OpenSIPS-Users] Ghost calls 1001

Nabeel nabeelshikder at gmail.com
Fri Apr 21 05:23:52 EDT 2017


In case the call is attempted via your server, you can add the following to
opensips.cfg to block SIP scanners:

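 # Drop requests from known SIP scanners without sending any reply.
 # $ua = User-Agent header, $fU@$fd = From user and domain,
 # $si = source IP, $rm = request method.
 if($ua=~"friendly-scanner") {
        xlog("L_ERROR", "Auth error for $fU@$fd from $si method $rm user-agent (friendly-scanner)\n");
        drop();
        exit;
 }
 if($ua=~"sipvicious") {
        xlog("L_ERROR", "Auth error for $fU@$fd from $si method $rm user-agent (sipvicious)\n");
        drop();
        exit;
 }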

On 21 Apr 2017 8:12 a.m., "Uzair Hassan" <uzairhassan at shaw.ca> wrote:

> Is there any documentation I could read to understand the process you just
> described?
>
> On April 20, 2017 11:15:54 PM Schneur Rosenberg <rosenberg11219 at gmail.com>
> wrote:
>
>> In addition to iptables/fail2ban you should inspect the user agent that
>> the packets come from. Most of them will come from sip vicious or friendly
>> scanner etc.; you can block them with iptables and/or with drop() in
>> opensips. This will stop the scanner right away because he won't get any
>> replies, so he will just move on.
>>
>> On Apr 21, 2017 8:11 AM, "Uzair Hassan" <uzairhassan at shaw.ca> wrote:
>>
>>> Is there a way to change the opensips port? Whenever I try, it doesn't even
>>> start.
>>>
>>> On April 20, 2017 9:09:55 PM "Alexander Jankowsky" <
>>> E75A4669 at exemail.com.au> wrote:
>>>
>>>> You might need to do a Wireshark trace and find out if the calls
>>>> originate externally into the system.
>>>>
>>>> If you are in an open DMZ with the router, that could be just the start
>>>> of your problems.
>>>>
>>>> I had OpenSIPS 2.3.0-beta in the open on DMZ with the router for only a
>>>> few hours and I then had a couple of dozen automated break-in attempts
>>>> trying to access the system.
>>>>
>>>> You need to pay a lot of attention to the system logs, otherwise you may
>>>> not even notice.
>>>>
>>>> Go over your router very carefully and restrict everything you do not
>>>> need exposed.
>>>>
>>>> Port 5060 is a very popular target with automated robots; use another
>>>> port if you're able to.
>>>>
>>>> Alex
>>>>
>>>> *From:* Users [mailto:users-bounces at lists.opensips.org] *On Behalf Of* Uzair Hassan
>>>> *Sent:* Friday, 21 April 2017 6:16 AM
>>>> *To:* users at lists.opensips.org
>>>> *Subject:* [OpenSIPS-Users] Ghost calls 1001
>>>>
>>>> Hello all,
>>>>
>>>> I have set up an OpenSIPS 2.3 on a new server and I'm getting ghost calls
>>>> into my system. How do I stop these ghost calls? The OpenSIPS server is
>>>> brand new. The install is clean and nothing has been touched after the
>>>> initial simple residential script setup. What can I do to defend myself
>>>> from these ghost calls?
>>>>
>>>> Thank you so much.
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
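
Added example (not part of the original thread, and not OpenSIPS code): the lines written by the xlog() calls in the opensips.cfg snippet at the top of this message can feed the iptables/fail2ban blocking mentioned in the thread. This script counts hits per source address; the syslog prefix, the sample lines, the threshold and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the message written by the xlog() calls in the opensips.cfg snippet.
# The From user and domain are sender-supplied, so the pattern is anchored at
# the end of the line and the target group is greedy: the source address is
# always taken from the last " from <addr> method ..." in the line.
LINE_RE = re.compile(
    r"Auth error for (?P<target>.*) from (?P<src>\S+) "
    r"method (?P<method>\S+) user-agent \((?P<tag>[\w-]+)\)\s*$"
)

# Constructed sample syslog lines (documentation address ranges only).
SAMPLE_LOG = """\
Apr 21 05:10:01 sip1 opensips[812]: Auth error for 1001@198.51.100.10 from 192.0.2.55 method INVITE user-agent (friendly-scanner)
Apr 21 05:10:02 sip1 opensips[812]: Auth error for 1002@198.51.100.10 from 192.0.2.55 method INVITE user-agent (friendly-scanner)
Apr 21 05:10:03 sip1 opensips[812]: Auth error for 100@198.51.100.10 from 192.0.2.55 method REGISTER user-agent (friendly-scanner)
Apr 21 05:10:05 sip1 opensips[812]: Auth error for 100@198.51.100.10 from 203.0.113.7 method OPTIONS user-agent (sipvicious)
Apr 21 05:10:09 sip1 opensips[812]: Auth error for x from 203.0.113.7 method INVITE user-agent (sipvicious)@198.51.100.10 from 192.0.2.55 method INVITE user-agent (friendly-scanner)
Apr 21 05:10:11 sip1 opensips[812]: INFO: unrelated log line
"""

def parse_line(line):
    """Return (source_ip, target, method, tag), or None if the line does not qualify."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        # Only a syntactically valid address may end up in a firewall rule.
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None
    return str(src), m.group("target"), m.group("method"), m.group("tag")

def summarize(lines, threshold=3):
    """Per-source statistics for sources with at least `threshold` scanner hits."""
    hits = defaultdict(lambda: {"count": 0, "targets": set(), "methods": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, target, method, _tag = parsed
        hits[src]["count"] += 1
        hits[src]["targets"].add(target)
        hits[src]["methods"].add(method)
    ranked = sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    return {ip: rec for ip, rec in ranked if rec["count"] >= threshold}
```

The fifth sample line carries a From user that imitates the rest of the log message; the hit is still attributed to 192.0.2.55, the address OpenSIPS recorded in $si.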