Obscurity server

5/24/2023

The moment you put a machine on the Internet, it will be scanned, and it won't take long until a Friendly-Scanner floods your machine. Three types of attacks are to be recognized:

- Credential guessing. Your Kamailio setup can process thousands of SIP packets per second, and at those rates it is worthwhile for attackers to guess credentials which allow them to call out. When users are allowed to create their own passwords, there will be weak passwords. A typical configuration error is to take shortcuts in your config.
- Prefix guessing. In SS7 a typical method to arrange routing is by adding prefixes to URIs. Attackers know this, and attempt to guess prefixes which behave differently.
- Flooding. Whenever you have a packet arriving on your Kamailio machine, it will require a bit of time of your CPU. For some packets there is additional processing done, e.g. whenever credentials are checked you can have a query being executed. When debugging your setup, it can also be very annoying when you see thousands of packets passing over your screen.

You can add the htable module with a special hash table that stores the list of banned IPs and forbids traffic from them for a period of time. Here is an example blocking the IP for 5 minutes (the autoexpire value in the htable definition is in seconds):

```
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
```

In the request route, a source IP that is already in the table is dropped with only a debug line, while an IP that trips pike is logged at alert level and added to the table:

```
# ip is already blocked - keep the node warm
xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");

# pike tripped: log at alert level, then add $si to the ipban table
xlog("L_ALERT","ALERT: pike block $rm from $fu (IP:$si:$sp)\n");
```

This approach has the benefit of printing the pike alert every 5 minutes, which makes it easier to spot in the syslog file the IP addresses that persist in flooding. So, even if the attacker lowers the rate, it is still banned for 5 minutes.
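As an added example (not code from the page, and not the Kamailio project's own, although it follows the antiflood pattern in Kamailio's default kamailio.cfg), here is the complete request-entry route that the two log lines above belong to: the pike module measures the request rate per source IP, and the htable entry carries the 5-minute ban. The pike parameter values and the route name REQINIT are assumptions chosen for illustration.

```cfg
# Added example, not from the page: pike + htable anti-flood route.
# Pike parameters and the REQINIT route name are assumptions.
loadmodule "pike.so"
loadmodule "htable.so"

# hash table of banned source IPs; entries expire after 300 s (5 minutes)
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# pike: more than 16 requests from one IP within a 2 s sampling unit
# makes pike_check_req() return false (values are assumptions)
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

request_route {
    route(REQINIT);
    # ... the rest of the routing logic follows here
}

route[REQINIT] {
    # never rate-limit or ban the host itself; extend this guard to
    # trusted peers such as PSTN gateways
    if(src_ip!=myself) {
        # ip is already blocked: drop it without feeding pike again
        if($sht(ipban=>$si)!=$null) {
            xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
            exit;
        }
        # rate check; on overflow log the alert and ban $si for the table TTL
        if (!pike_check_req()) {
            xlog("L_ALERT","ALERT: pike block $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
}
```

Because a banned source is dropped before pike_check_req() is reached, pike does not see the blocked packets at all; when the table entry expires after 300 seconds and the flood is still running, pike trips again and a fresh ALERT line is written. That is the every-5-minutes signature described above, and grepping syslog for "ALERT: pike block" then lists the persistent sources directly. Keep the src_ip!=myself guard and add your trusted peers to it, otherwise a legitimate burst from your own gateway will ban it.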
Portscans are inevitable, but we can fight back by making sure the portscan takes very long and gives random results. Consider an iptables setup like the one below; it needs some tweaking to work for you, but it will make an nmap scan of your box slow and close to useless:

```
*filter
# Chain declarations so iptables-restore accepts the fragment. The default
# policies and the INPUT jumps into CHECK_TCP, PSD, ICMP and SERVICES are
# not part of this fragment; add them for your own setup.
:CHECK_TCP - [0:0]
:PSD - [0:0]
:ICMP - [0:0]
:SERVICES - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# drop TCP packets with invalid or impossible flag combinations
-A CHECK_TCP -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,ACK FIN -m state --state INVALID,NEW,RELATED -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-option 64 -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-option 128 -j DROP
# rate-limited ICMP
-A ICMP -p icmp -m icmp --icmp-type 11/1 -m limit --limit 5/sec -m state --state NEW -j ACCEPT
-A ICMP -p icmp -m icmp --icmp-type 11/0 -m limit --limit 5/sec -m state --state NEW -j ACCEPT
-A ICMP -p icmp -m icmp --icmp-type 3 -m limit --limit 10/sec -m state --state NEW -j ACCEPT
-A ICMP -p icmp -m icmp --icmp-type 8 -m limit --limit 10/sec --limit-burst 10 -m state --state NEW -j ACCEPT
# port-scan defence: answer probes randomly with rejects, resets and tarpits
# (the TARPIT target comes from xtables-addons)
-A PSD -p tcp -m statistic --mode random --probability 0.050000 -j REJECT --reject-with icmp-port-unreachable
-A PSD -p tcp -m statistic --mode random --probability 0.050000 -j TARPIT --reset
-A PSD -p tcp -m statistic --mode random --probability 0.500000 -j TARPIT --tarpit
-A PSD -p udp -m statistic --mode random --probability 0.050000 -j REJECT --reject-with icmp-port-unreachable
-A PSD -m statistic --mode random --probability 0.050000 -j REJECT --reject-with icmp-host-unreachable
# services that are really offered: NTP, DNS, SIP over UDP (5060) and SIP over TLS (5061)
-A SERVICES -p icmp -m state --state INVALID -j DROP
-A SERVICES -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A SERVICES -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A SERVICES -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A SERVICES -p udp -m udp -m multiport --dports 5060 -m state --state NEW -j ACCEPT
-A SERVICES -p tcp -m tcp -m multiport --dports 5061 -m state --state NEW -j ACCEPT
COMMIT
```

Change the server and user agent header