Cannot block hacking attempts


(Dotcom) #1

Hello,

I’m unable to block malicious SIP INVITES to my box.
Via sngrep, I see the following packet coming in:

INVITE sip:00441519470451@mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP 77.247.110.65:62393;branch=z9hG4bK1998065274
Max-Forwards: 70
From: sip:16@mypbxipaddress;tag=432918223
To: sip:00441519470451@mypbxipaddress
Call-ID: 2058906050-1389826825-1470979558
CSeq: 1 INVITE
Contact: sip:16@77.247.110.65:62393
Content-Type: application/sdp
Content-Length: 206

I already tried adding the line below to my iptables script, but no luck:
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string "00441519470451" --algo bm --to 65535 -j DROP

Thanks for your urgent help!


(Dotcom) #2

More info:

The IP 77.247.110.65 (hacker’s IP?), which is seen in the Contact header is blocked by my iptables… So I assume they are spoofing “mypbxipaddress”.


#3

sngrep sees traffic before your firewall. If there is more than one ‘message’, you need to tighten up your firewall; if only the one, you got it done already. (You met our buddy from Iceland. He will NEVER EVER EVER give up :slight_smile: )


(Dotcom) #4

Hello Dicko,

It’s not only one unfortunately… I’m getting spammed by these kinds of invites.

Here is another one:

INVITE sip:00441519470451@ mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP 77.247.110.65:60785;branch=z9hG4bK1068000655
Max-Forwards: 70
From: <sip:1400@ mypbxipaddress>;tag=1477072440
To: <sip:00441519470451@ mypbxipaddress>
Call-ID: 1558839286-1416956875-1934806265
CSeq: 1 INVITE
Contact: sip:1400@77.247.110.65:60785
Content-Type: application/sdp
Content-Length: 208

How can I know my specific iptables rule is working? :slight_smile:
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string "00441519470451" --algo bm --to 65535 -j DROP


#5

Just drop all connections from 77.247.110.0/24


(Dotcom) #7

You are fast :wink:

I just added: $IPT -A INPUT --src 77.247.110.0/24 -j DROP

I didn’t know sngrep is seeing the traffic before iptables… So it’s normal the INVITES are still showing after I applied the new rule?


#8

You do now


(Dotcom) #9

Thanks a lot for your help! I can enjoy my good night sleep now :wink:


#10

You can block it at your edge firewall if you have one, otherwise it will be there until somebody stops that AHole


#11

Let’s all

while true ;do echo effU|mail abuse@cloudstar.is;done &


(NorColorNorName) #12

Drop all connections from 77.247.110.0/24, 77.247.109.0/24, 77.247.108.0/24

This is from the same bot service


(Dotcom) #13

Ok, thanks guys! Let’s indeed ask the whole FreePBX community to start the script Dicko suggested :wink:
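
On the question in post #4 of how to tell whether a rule is working: sngrep keeps showing the INVITEs either way, so the rule's own packet counter is what confirms a match. The script below is an added example, not code from any poster in this thread; `check_drop` and `sample_listing` are hypothetical helper names and the counter values are constructed.

```shell
#!/bin/sh
# Added example: interpret `iptables -nvxL INPUT --line-numbers` for one
# blocked source. Counter values below are constructed; the CIDR, interface
# and port 5580 are the ones quoted in the thread.

# Reads a listing on stdin; $1 is the source CIDR as shown in the listing.
# Prints the DROP rule's number, its packet counter, and the numbers of
# any-source ACCEPT rules evaluated before it (candidates to review, since a
# rule added with -A only sees packets that no earlier rule accepted).
check_drop() {
  awk -v src="$1" '
    NR <= 2 { next }                       # chain line and column titles
    found   { next }                       # rules after the DROP are irrelevant
    $4 == "ACCEPT" && $9 == "0.0.0.0/0" {
      before = (before == "" ? $1 : before "," $1)
    }
    $4 == "DROP" && $9 == src { found = 1; num = $1; pkts = $2 }
    END {
      if (!found) { print "missing"; exit }
      printf "rule=%s pkts=%s accept_before=%s\n", num, pkts, (before == "" ? "none" : before)
    }'
}

# Constructed listing: the DROP was appended after two ACCEPT rules.
sample_listing() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        9801  1204411 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2         412   250112 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5580
3           0        0 DROP       all  --  *      *       77.247.110.0/24      0.0.0.0/0
EOF
}

sample_listing | check_drop 77.247.110.0/24
# Live use (root): iptables -nvxL INPUT --line-numbers | check_drop 77.247.110.0/24
```

A `pkts` value that stays at 0 while the INVITEs keep arriving means an earlier rule is accepting them first; inserting the DROP with `-I INPUT 1` instead of `-A` puts it ahead of those rules.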

