dotcom
(dotcom)
September 5, 2019, 10:31pm
1
Hello,
I’m unable to block malicious SIP INVITES to my box.
Via sngrep, I see the following packet coming in:
INVITE sip:00441519470451@mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP 77.247.110.65:62393;branch=z9hG4bK1998065274
Max-Forwards: 70
From: <sip:16@mypbxipaddress>;tag=432918223
To: <sip:00441519470451@mypbxipaddress>
Call-ID: 2058906050-1389826825-1470979558
CSeq: 1 INVITE
Contact: <sip:16@77.247.110.65:62393>
Content-Type: application/sdp
Content-Length: 206
I already tried adding the line below to my iptables script, but no luck:
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string "00441519470451" --algo bm --to 65535 -j DROP
Thanks for your urgent help!
dotcom
(dotcom)
September 5, 2019, 10:36pm
2
More info:
The IP 77.247.110.65 (hacker's IP?), which is seen in the Contact header, is blocked by my iptables... So I assume they are spoofing "mypbxipaddress".
dicko
(dicko)
September 5, 2019, 10:41pm
3
sngrep sees traffic before your firewall. If there is more than one 'message' you need to tighten up your firewall; if only the one, you got it done already. (You met our buddy from Iceland. He will NEVER EVER EVER give up.)
dotcom
(dotcom)
September 5, 2019, 10:45pm
4
dicko: message
Hello Dicko,
It's not only one, unfortunately... I'm getting spammed by these kinds of INVITEs.
Here is another one:
INVITE sip:00441519470451@mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP 77.247.110.65:60785;branch=z9hG4bK1068000655
Max-Forwards: 70
From: <sip:1400@mypbxipaddress>;tag=1477072440
To: <sip:00441519470451@mypbxipaddress>
Call-ID: 1558839286-1416956875-1934806265
CSeq: 1 INVITE
Contact: <sip:1400@77.247.110.65:60785>
Content-Type: application/sdp
Content-Length: 208
How can I know my specific iptables rule is working?
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string "00441519470451" --algo bm --to 65535 -j DROP
dicko
(dicko)
September 5, 2019, 10:46pm
5
Just drop all connections from 77.247.110.0/24.
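Posts 1 through 5 come down to one question: what in these INVITEs identifies the sender, and what should the firewall key on? The string match in post 1 keys on the dialled number, which the scanner can change at will; post 5 keys on the source network, which it cannot. The script below is an added example written for this thread (it is not code from the thread or from FreePBX) that runs that triage over the two captured INVITEs. It parses the request line and headers, extracts the dialled number, the From host and the Via/Contact address, and decides whether the sending address is one the PBX should be talking to. Two points it makes explicit: a From host equal to the PBX address is exactly what every registered phone sends, so it is not by itself evidence of anything, and Via and Contact are written by the sender too, so on a live box the authoritative source is the UDP source address iptables matches with `-s`. PBX_IP (standing in for "mypbxipaddress"), TRUSTED_NETS and the third, LAN-originated INVITE are assumptions constructed for the example.

```python
import ipaddress
import re

# Added example, not code from the thread. PBX_IP stands in for the poster's
# "mypbxipaddress"; TRUSTED_NETS is an assumed phone LAN. Both are assumptions.
PBX_IP = "192.0.2.10"
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def _invite(dialed, ext, sender, port, branch, tag, call_id, clen):
    """Build a SIP INVITE with the header layout seen in the captures."""
    return "\r\n".join([
        f"INVITE sip:{dialed}@{PBX_IP} SIP/2.0",
        f"Via: SIP/2.0/UDP {sender}:{port};branch={branch}",
        "Max-Forwards: 70",
        f"From: <sip:{ext}@{PBX_IP}>;tag={tag}",
        f"To: <sip:{dialed}@{PBX_IP}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 INVITE",
        f"Contact: <sip:{ext}@{sender}:{port}>",
        "Content-Type: application/sdp",
        f"Content-Length: {clen}",
        "", "",
    ])


# The two scanner INVITEs from the thread, plus one constructed call from a
# phone on the assumed LAN to show what a legitimate From header looks like.
SCAN_1 = _invite("00441519470451", "16", "77.247.110.65", 62393,
                 "z9hG4bK1998065274", "432918223",
                 "2058906050-1389826825-1470979558", 206)
SCAN_2 = _invite("00441519470451", "1400", "77.247.110.65", 60785,
                 "z9hG4bK1068000655", "1477072440",
                 "1558839286-1416956875-1934806265", 208)
LAN_CALL = _invite("2000", "16", "192.168.1.20", 5060,
                   "z9hG4bKconstructed1", "77", "constructed-call-id-1", 200)

_HOST = re.compile(r"sip:(?:[^@>\s]+@)?([^:;>\s]+)")   # host part of a SIP URI
_VIA = re.compile(r"SIP/2\.0/\w+\s+([^:;\s]+)")        # sent-by address in Via


def parse_headers(msg):
    """Return (request line, {lower-cased name: first value}) for one message."""
    head = msg.split("\r\n\r\n", 1)[0]
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return request_line, headers


def triage(msg, pbx_ip=PBX_IP, trusted=TRUSTED_NETS):
    """Classify an INVITE by where it came from, not by what From claims."""
    request_line, h = parse_headers(msg)
    method, uri = request_line.split(" ")[:2]
    dialed = re.match(r"sip:([^@]+)@", uri).group(1)
    via_ip = _VIA.match(h["via"]).group(1)
    from_host = _HOST.search(h["from"]).group(1)
    contact_ip = _HOST.search(h["contact"]).group(1)
    # Every registered phone puts the PBX address in From, so From proves
    # nothing. Via is sender-written as well; on a live box use the packet's
    # UDP source address. Here Via is all the capture gives us.
    source = ipaddress.ip_address(via_ip)
    trusted_source = any(source in net for net in trusted)
    return {
        "method": method,
        "dialed": dialed,
        "from_host": from_host,
        "from_claims_pbx": from_host == pbx_ip,
        "via_ip": via_ip,
        "contact_ip": contact_ip,
        "trusted_source": trusted_source,
        "block_cidr": None if trusted_source
        else str(ipaddress.ip_network(f"{via_ip}/24", strict=False)),
    }


def drop_rules(messages, ipt="$IPT"):
    """One -I INPUT rule per untrusted /24, in the thread's $IPT style."""
    cidrs = set()
    for m in messages:
        cidr = triage(m)["block_cidr"]
        if cidr:
            cidrs.add(cidr)
    return [f"{ipt} -I INPUT -s {c} -j DROP" for c in sorted(cidrs)]


if __name__ == "__main__":
    for m in (SCAN_1, SCAN_2, LAN_CALL):
        print(triage(m))
    print("\n".join(drop_rules([SCAN_1, SCAN_2, LAN_CALL])))
```

The generated rule uses `-I` rather than the `-A` of the thread's script: `-A` appends to the end of INPUT, so if an earlier rule already accepts UDP to the SIP port the DROP is never reached. The string rule from post 1 is also limited to UDP on port 5580 by its own `-p udp --dport 5580`; the source-based rule covers every protocol and port from that network.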
dotcom
(dotcom)
September 5, 2019, 10:49pm
7
You are fast
I just added: $IPT -A INPUT --src 77.247.110.0/24 -j DROP
I didn't know sngrep sees the traffic before iptables... So is it normal that the INVITEs are still showing after I applied the new rule?
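Post 4 asks how to tell whether a specific rule is working and post 7 asks whether it is normal to keep seeing the INVITEs in sngrep after adding the DROP. Both have the same answer: sngrep and tcpdump capture through libpcap, which sees the packet before netfilter's INPUT chain decides to drop it, so a capture tool cannot confirm a DROP; the per-rule packet counters can. The script below is an added example for this thread (not code from the thread or from FreePBX) that parses the output of `iptables -nvL INPUT -x --line-numbers` and reports the counter of the rule matching a given source network or string. SAMPLE_LISTING is a constructed listing showing the two rules from this thread with made-up counter values; `live_listing()` reads the real thing and needs root.

```python
import re
import subprocess

# Added example, not from the thread. SAMPLE_LISTING is a constructed copy of
# what `iptables -nvL INPUT -x --line-numbers` prints once the poster's /24
# rule (post 7) and string rule (post 1) are in place; counters are made up.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          37     23014 DROP       all  --  *      *       77.247.110.0/24      0.0.0.0/0
2           0         0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5580 STRING match  "00441519470451" ALGO name bm TO 65535
"""

# Column layout of a numbered, verbose chain listing:
# num pkts bytes target prot opt in out source destination [match text...]
_RULE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+\S+\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)\s*(?P<extra>.*)$")


def parse_listing(listing):
    """Turn an iptables -nvL -x --line-numbers chain listing into rule dicts."""
    rules = []
    for line in listing.splitlines():
        m = _RULE.match(line)
        if m:
            d = m.groupdict()
            for k in ("num", "pkts", "bytes"):
                d[k] = int(d[k])
            rules.append(d)
    return rules


def hits(listing, needle):
    """Packet counter of the first rule whose source or match text contains
    needle, or None when no rule mentions it."""
    for r in parse_listing(listing):
        if needle in r["src"] or needle in r["extra"]:
            return r["pkts"]
    return None


def live_listing(chain="INPUT"):
    """Read the real counters (needs root). -x prints exact counts, not 23K."""
    return subprocess.run(["iptables", "-nvL", chain, "-x", "--line-numbers"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("/24 drop rule:   ", hits(SAMPLE_LISTING, "77.247.110.0/24"))
    print("string drop rule:", hits(SAMPLE_LISTING, "00441519470451"))
```

To check a rule on the live box: `iptables -Z INPUT` zeroes the counters, wait for the next INVITE to show up in sngrep, then read `live_listing()` again. In the constructed listing the /24 rule sits at position 1 and has the packets while the string rule shows 0; that is expected, not a failure, because a packet is dropped by the first rule that matches it and never reaches the later one. The same ordering logic is why a DROP appended with `-A` below an existing ACCEPT for the SIP port will show 0 forever.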
dotcom
(dotcom)
September 5, 2019, 11:01pm
9
Thanks a lot for your help! I can enjoy a good night's sleep now.
dicko
(dicko)
September 5, 2019, 11:06pm
10
You can block it at your edge firewall if you have one; otherwise it will be there until somebody stops that AHole.
dicko
(dicko)
September 6, 2019, 12:03am
11
Let's all
while true ;do echo effU|mail [email protected] ;done &
Drop all connections from 77.247.110.0/24, 77.247.109.0/24, 77.247.108.0/24.
This is from the same bot service.
dotcom
(dotcom)
September 6, 2019, 9:53am
13
dicko: effU
OK, thanks guys! Let's indeed ask the whole FreePBX community to start the script Dicko suggested.
system
(system)
Closed
September 13, 2019, 9:53am
14
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.