Well,
About SIPVicious, just put a Kamailio in front of Asterisk and drop
all messages with user agents corresponding to these messages.
SIPVicious first sends OPTIONS messages; read the user agent and drop if
it corresponds to one of the user agents well known to be used.
In Kamailio (to be updated) I have:
### Country check
if (is_method("OPTIONS") || is_method("REGISTER"))
{
    # look up the country of the source IP ($si) in the GeoLite tables
    avp_db_query("SELECT sql_cache country FROM ip_country inner join GeoLiteCity on GeoLiteCity.locId = ip_country.locId WHERE MBRCONTAINS(ip_poly, POINTFROMWKB(POINT(INET_ATON('$si'), 0))) limit 1;", "$avp(s:countryCode)");
    if ($avp(s:countryCode) != "BE" && $avp(s:countryCode) != "FR" &&
        $avp(s:countryCode) != "LU" && $avp(s:countryCode) != "MA" &&
        $avp(s:countryCode) != "ES" && $avp(s:countryCode) != "IT" &&
        $avp(s:countryCode) != "DE")
    {
        # log only: unexpected country is suspicious but not blocked here
        xlog("L_NOTICE", "------------------> Probable Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm");
    }
}
### Hackers check
# known scanner user agents: log and drop without any reply
if ($ua == "friendly-scanner") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "sundayddr") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "sip-scan") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "iWar") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
if ($ua == "sipsak") {
    xlog("L_NOTICE", "------------------> Attack attempt from countrycode : $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP");
    drop();
}
When SIPVicious doesn't receive an answer, it stops scanning the server :)
Best regards,
Olivier
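The same two-stage policy as Olivier's Kamailio rules (country-based NOTICE for OPTIONS/REGISTER, silent DROP for known scanner user agents), written out in Python as an added example rather than code from the thread. The SIP requests and the IP-to-country table are constructed for the example; a real deployment would query a GeoIP database as the avp_db_query above does.

```python
"""Policy check modelled on the Kamailio rules in the thread (added example,
not the poster's config). The IP-to-country table and the SIP requests are
constructed stand-ins; a real deployment would use a GeoIP database."""
import ipaddress

# Scanner User-Agent strings taken from the poster's Kamailio rules.
SCANNER_USER_AGENTS = {"friendly-scanner", "sundayddr", "sip-scan", "iWar", "sipsak"}

# Countries the poster expects legitimate OPTIONS/REGISTER traffic from.
ALLOWED_COUNTRIES = {"BE", "FR", "LU", "MA", "ES", "IT", "DE"}

# Constructed stand-in for the GeoLite lookup: (network, country code).
IP_COUNTRY_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "BE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "FR"),
]


def lookup_country(src_ip):
    """Return the country code for a source IP, or '??' when unknown."""
    addr = ipaddress.ip_address(src_ip)
    for net, code in IP_COUNTRY_TABLE:
        if addr in net:
            return code
    return "??"


def parse_request(raw):
    """Return (method, headers) from a raw SIP request; header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers


def classify(raw, src_ip):
    """Apply both checks in the poster's order; return (action, log lines).

    The country check only logs (like the first xlog), the user-agent check
    logs and drops (like xlog + drop()). Both can fire on one request."""
    method, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    country = lookup_country(src_ip)
    notices = []
    action = "ACCEPT"
    # Country check: OPTIONS/REGISTER from an unexpected country is logged only.
    if method in ("OPTIONS", "REGISTER") and country not in ALLOWED_COUNTRIES:
        notices.append(f"Probable attack attempt from countrycode: {country} - {src_ip} - {ua} - {method}")
    # Hackers check: known scanner user agent is logged and dropped with no reply,
    # which is what makes SIPVicious give up on the host.
    if ua in SCANNER_USER_AGENTS:
        notices.append(f"Attack attempt from countrycode: {country} - {src_ip} - {ua} - {method} - DROP")
        action = "DROP"
    return action, notices


def sip_request(method, user_agent):
    """Build a minimal constructed SIP request carrying the given User-Agent."""
    return (f"{method} sip:203.0.113.10 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-constructed\r\n"
            "From: <sip:100@203.0.113.10>;tag=constructed\r\n"
            "To: <sip:100@203.0.113.10>\r\n"
            "Call-ID: constructed-call-id\r\n"
            f"CSeq: 1 {method}\r\n"
            f"User-Agent: {user_agent}\r\n"
            "Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    samples = [
        (sip_request("OPTIONS", "friendly-scanner"), "198.51.100.5"),  # scanner, non-allowed country
        (sip_request("OPTIONS", "Asterisk PBX"), "192.0.2.7"),         # normal probe from BE
        (sip_request("REGISTER", "Zoiper"), "198.51.100.5"),           # unexpected country, logged only
    ]
    for raw, ip in samples:
        action, notices = classify(raw, ip)
        print(action, notices)
```

The country check is deliberately log-only, as in the Kamailio config: legitimate users roam, so a wrong country is a signal worth a NOTICE but not a block on its own, whereas a scanner user agent is dropped outright.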
On 2/06/11 17:06, Paul Hayes wrote:
On 01/06/11 16:13, Allen David Niven wrote:
What does OSSEC give you that fail2ban does not?
Thanks and cheers
Replied to list so others can find this in the future if they want to.
I haven't spent a lot of time investigating fail2ban as I was already
using ossec before I saw much talk about fail2ban with Asterisk.
Anyway as far as I can see my main advantage is that OSSEC has
multiple levels of incidents. So I can create rules to send emails
out for unusual activity that might not necessarily require an IP
block but needs checking out.
My fear with something that just watches Asterisk logs for a very
specific known attack metric and then blocks IP(s) based on that is
what happens when the attackers start doing something different?
Fail2ban may well do all this as well; I don't know, but I find OSSEC
does it very well and the XML rules and log decoders are very versatile.
cheers,
Paul.
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users