Playing with sipvicious ..


On 01/06/11 16:13, Allen David Niven wrote:
> what does ossec give u that fail2ban does not ?
> thx and cheers

Replied to list so others can find this in the future if they want to.

I haven’t spent a lot of time investigating fail2ban as I was already
using ossec before I saw much talk about fail2ban with Asterisk.

Anyway, as far as I can see, my main advantage is that OSSEC has multiple
levels of incidents. So I can create rules to send emails out for
unusual activity that might not necessarily require an IP block but
needs checking out.

My fear with something that just watches Asterisk logs for a very
specific known attack metric and then blocks IP(s) based on that is:
what happens when the attackers start doing something different?

Fail2ban may well do all this as well; I don’t know, but I find OSSEC
does it very well, and the XML rules and log decoders are very versatile.

cheers,
Paul.

One thought on - Playing with sipvicious ..

    Well,

    About SipVicious: just put a Kamailio in front of Asterisk and drop
    all messages with user agents corresponding to these scanners.
    SipVicious first sends OPTIONS messages; read the user agent and drop if
    it corresponds to one of the user agents well known to be used.

    In Kamailio (to be updated) I have:

    ### Country check: look up the source IP ($si) in the GeoIP tables and
    ### log OPTIONS/REGISTER requests coming from outside the expected countries
    if (is_method("OPTIONS") || is_method("REGISTER"))
    {
        avp_db_query("SELECT sql_cache country FROM ip_country INNER JOIN GeoLiteCity ON GeoLiteCity.locId = ip_country.locId WHERE MBRCONTAINS(ip_poly, POINTFROMWKB(POINT(INET_ATON('$si'), 0))) LIMIT 1;", "$avp(s:countryCode)");
        if ($avp(s:countryCode) != "BE" && $avp(s:countryCode) != "FR" &&
            $avp(s:countryCode) != "LU" && $avp(s:countryCode) != "MA" &&
            $avp(s:countryCode) != "ES" && $avp(s:countryCode) != "IT" &&
            $avp(s:countryCode) != "DE")
        {
            # log only, no drop: a request from an unexpected country is
            # suspicious but not proof of an attack
            xlog("L_NOTICE", "------> Probable attack attempt from countrycode: $avp(s:countryCode) - $si - $fu - $ua - $rm\n");
        }
    }

    ### Hackers check: drop any request whose User-Agent ($ua) is one of the
    ### well-known scanner identifiers (SipVicious announces itself as
    ### "friendly-scanner")
    if ($ua == "friendly-scanner" || $ua == "sundayddr" || $ua == "sip-scan" ||
        $ua == "iWar" || $ua == "sipsak")
    {
        xlog("L_NOTICE", "------> Attack attempt from countrycode: $avp(s:countryCode) - $si - $fu - $ua - $rm - DROP\n");
        drop();
    }

    When SipVicious doesn’t receive an answer, it stops scanning the server 🙂

    Best regards,

    Olivier

    On 2/06/11 17:06, Paul Hayes wrote:
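The routing logic from the comment above, carried over into Python as an added example (not code from the post or from Kamailio): it parses a raw SIP request, drops requests whose User-Agent is one of the listed scanners (matched as case-insensitive prefixes, which goes beyond the exact comparisons in the config) and flags OPTIONS/REGISTER requests from outside the listed countries. The GeoIP table, the addresses and the SIP message are constructed stand-ins.

```python
import ipaddress
from typing import Optional, Tuple

# Scanner User-Agents from the comment, matched as case-insensitive prefixes
# so a versioned string such as "friendly-scanner/1.0" is caught as well.
SCANNER_UAS = ("friendly-scanner", "sundayddr", "sip-scan", "iwar", "sipsak")
ALLOWED_COUNTRIES = {"BE", "FR", "LU", "MA", "ES", "IT", "DE"}

# Constructed stand-in for the GeoIP lookup done by avp_db_query in the
# config (documentation ranges only); a deployment queries a real GeoIP source.
GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "FR",
         ipaddress.ip_network("198.51.100.0/24"): "US"}

def country_of(src_ip: str) -> Optional[str]:
    """Country code for a source address, or None when it is not in the table."""
    addr = ipaddress.ip_address(src_ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None

def parse_request(raw: str) -> Tuple[str, str]:
    """Return (method, user_agent) from a raw SIP request; UA is '' if absent."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    ua = ""
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            ua = value.strip()
    return method, ua

def classify(raw: str, src_ip: str) -> str:
    """Mirror the config: 'drop' on a scanner UA, 'notice' (log only) for
    OPTIONS/REGISTER from outside the allowed countries, 'allow' otherwise.
    An unknown country fails every != test in the config, so it is 'notice'."""
    method, ua = parse_request(raw)
    if ua.lower().startswith(SCANNER_UAS):
        return "drop"
    if method in ("OPTIONS", "REGISTER") and country_of(src_ip) not in ALLOWED_COUNTRIES:
        return "notice"
    return "allow"

# Constructed sample: the OPTIONS probe SipVicious sends first.
SCAN_PROBE = ("OPTIONS sip:100@203.0.113.5 SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
              "User-Agent: friendly-scanner\r\n"
              "Content-Length: 0\r\n\r\n")
```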