Comments on: Automatically Block Failed SIP Peer Registrations http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/ Kamailio, Asterisk, VoIP, and IT Consulting Mon, 23 Jan 2012 12:37:52 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: batman http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-1391 batman Mon, 23 Jan 2012 12:37:52 +0000 http://www.teamforrest.com/blog/?p=171#comment-1391 this script takes on my server 2GB of memory and then iptables does not work memory allocation error! so I changed it! I used hash :) instead of push(@failhost,$1); I use: $failhost{$1}++; similar: $ls = keys %failhost; if ($ls>0) { while (my ($ip, $count) = each(%failhost)) no its working :) this script takes on my server 2GB of memory and then iptables does not work memory allocation error! so I changed it!

I used hash :)
instead of push(@failhost,$1); I use:
$failhost{$1}++;
similar:

$ls = keys %failhost;
if ($ls>0)
{
while (my ($ip, $count) = each(%failhost))

no its working :)

]]> By: Noah http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-1354 Noah Mon, 29 Aug 2011 15:58:10 +0000 http://www.teamforrest.com/blog/?p=171#comment-1354 When using strict in perl you have to establish the global variables at the top my $blockedhosts; This will stop error messaging from filling up your var/mail/root #!/usr/bin/perl -w use strict; use warnings; my (@failhost); my %currblocked; my %addblocked; my $action; my $blockedhosts; When using strict in perl you have to establish the global variables at the top my $blockedhosts;

This will stop error messaging from filling up your var/mail/root

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;
my $blockedhosts;

]]> By: Tola http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-1345 Tola Tue, 21 Jun 2011 16:41:11 +0000 http://www.teamforrest.com/blog/?p=171#comment-1345 Is it ok to permanently block the attacker with INPUT -s. Thanks Is it ok to permanently block the attacker with INPUT -s. Thanks

]]> By: Arno Teigseth http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-1331 Arno Teigseth Sat, 26 Mar 2011 14:52:32 +0000 http://www.teamforrest.com/blog/?p=171#comment-1331 Hi and thanks I was quite proud that I found out how to iptables -j DROP the addresses I watched attacking me in the asterisk console, but this script is of course what I should have googled for in the first place. Thanks again Arno Hi and thanks

I was quite proud that I found out how to iptables -j DROP the addresses I watched attacking me in the asterisk console, but this script is of course what I should have googled for in the first place.

Thanks again
Arno

]]> By: Explaining SIP Brute Force Attacks to non-techs | TEAM FORREST Blog http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-1319 Explaining SIP Brute Force Attacks to non-techs | TEAM FORREST Blog Fri, 11 Mar 2011 04:48:37 +0000 http://www.teamforrest.com/blog/?p=171#comment-1319 [...] If you’re running asterisk, you might wish to install a script that checks for attacks and blocks those connections. [...] [...] If you’re running asterisk, you might wish to install a script that checks for attacks and blocks those connections. [...]

]]> By: Team Forrest http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-1317 Team Forrest Mon, 07 Mar 2011 13:23:47 +0000 http://www.teamforrest.com/blog/?p=171#comment-1317 You can add any block you would like in this section: [sourcecode language="perl"] while () { chomp; my $line = $_; if ($line =~ /\' failed for \'(.*?)\' - No matching peer found/) { push(@failhost,$1); } if ($line =~ /\' failed for \'(.*?)\' - Wrong password/) { push(@failhost,$1); } } [/sourcecode] For example, for what you want... [sourcecode language="perl"] while () { chomp; my $line = $_; if ($line =~ /\' failed for \'(.*?)\' - No matching peer found/) { push(@failhost,$1); } if ($line =~ /\' failed for \'(.*?)\' - Wrong password/) { push(@failhost,$1); } if ($line =~ /\' failed for \'(.*?)\' - Device does not match ACL/) { push(@failhost,$1); } } [/sourcecode] You can add any block you would like in this section:

while () {
    chomp; my $line = $_;
    if ($line =~ /\' failed for \'(.*?)\' - No matching peer found/) {
      push(@failhost,$1);
    }
    if ($line =~ /\' failed for \'(.*?)\' - Wrong password/) {
      push(@failhost,$1);
    }
  }

For example, for what you want…

while () {
    chomp; my $line = $_;
    if ($line =~ /\' failed for \'(.*?)\' - No matching peer found/) {
      push(@failhost,$1);
    }
    if ($line =~ /\' failed for \'(.*?)\' - Wrong password/) {
      push(@failhost,$1);
    }
    if ($line =~ /\' failed for \'(.*?)\' - Device does not match ACL/) {
      push(@failhost,$1);
    }
  }
]]> By: JeffK http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-1316 JeffK Thu, 03 Mar 2011 17:31:32 +0000 http://www.teamforrest.com/blog/?p=171#comment-1316 I added a check for "- Device does not match ACL". The offending hacker was using my own external IP in it's SIP host string. I added a check for “- Device does not match ACL”. The offending hacker was using my own external IP in it’s SIP host string.

]]> By: Team Forrest http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-386 Team Forrest Fri, 10 Dec 2010 20:46:49 +0000 http://www.teamforrest.com/blog/?p=171#comment-386 Great that you think fail2ban is more useful. You should run it. This script is for those that do not wish to run fail2ban. Great that you think fail2ban is more useful. You should run it. This script is for those that do not wish to run fail2ban.

]]> By: kasio http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-385 kasio Fri, 10 Dec 2010 20:34:04 +0000 http://www.teamforrest.com/blog/?p=171#comment-385 I think fail2ban is more usefull , if someone needs help there are thousand of people who can help, this script is just for some people if someone asks you something instead of you help you remove the comment. That means fai2ban is for everyone this script not. I think fail2ban is more usefull , if someone needs help there are thousand of people who can help, this script is just for some people if someone asks you something instead of you help you remove the comment.
That means fai2ban is for everyone this script not.

]]> By: Tony http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/comment-page-1/#comment-357 Tony Tue, 16 Nov 2010 01:59:32 +0000 http://www.teamforrest.com/blog/?p=171#comment-357 Thanks for the very useful script. Fail2ban seemed much too complicated to use. This script worked perfectly for me. I have been receiving 10s if not 100s of registration attempts a second when the attack begins. Rather than decreasing the cron job frequency, I have added rate limiting which uses the state module: http://pbxinaflash.com/forum/showthread.php?t=5018 Now, no more than a few failed attempts until your script kicks in the next cron job. Thanks for the very useful script. Fail2ban seemed much too complicated to use. This script worked perfectly for me.

I have been receiving 10s if not 100s of registration attempts a second when the attack begins. Rather than decreasing the cron job frequency, I have added rate limiting which uses the state module:
http://pbxinaflash.com/forum/showthread.php?t=5018

Now, no more than a few failed attempts until your script kicks in the next cron job.

]]>