Cannot block hacking attempts


I’m unable to block malicious SIP INVITES to my box.
Via sngrep, I see the following packet coming in:

INVITE sip:00441519470451@mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK1998065274
Max-Forwards: 70
From: sip:16@mypbxipaddress;tag=432918223
To: sip:00441519470451@mypbxipaddress
Call-ID: 2058906050-1389826825-1470979558
Contact: sip:[email protected]:62393
Content-Type: application/sdp
Content-Length: 206

I already tried adding the line below to my iptables script, but no luck:
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string “00441519470451” --algo bm --to 65535 -j DROP

Thanks for your urgent help!

More info:

The IP (hacker’s IP?), which is seen in the Contact header is blocked by my iptables… So I assume they are spoofing “mypbxipaddress”.

sngrep sees traffic before your firewall, if there is more than one ‘message’ you need to tighten up your firewall if only the one,you got it done already. (you met our buddy from Iceland. he, will NEVER EVER EVER give up :slight_smile: )

Hello Dicko,

It’s not only one unfortunately… I’m getting spammed by these kind of invites.

Here is another one:

INVITE sip:00441519470451@ mypbxipaddress SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK1068000655
Max-Forwards: 70
From: <sip:1400@ mypbxipaddress>;tag=1477072440
To: <sip:00441519470451@ mypbxipaddress>
Call-ID: 1558839286-1416956875-1934806265
Contact: sip:[email protected]:60785
Content-Type: application/sdp
Content-Length: 208

How can I know my specific iptables rule is working? :slight_smile:
$IPT -A INPUT -i eth0 -p udp -m udp --dport 5580 -m string --string “00441519470451” --algo bm --to 65535 -j DROP

just drop all connections from

You are fast :wink:

I just added: $IPT -A INPUT --src -j DROP

I didn’t know sngrep is seeing the traffic before iptables… So it’s normal the INVITES are still showing after I applied the new rule?

You do now

1 Like

Thanks a lot for your help! I can enjoy my good night sleep now :wink:

You can block it at your edge firewall if you have one, otherwise it will be there until somebody stops that AHole

Lets all

while true ;do echo effU|mail [email protected];done &

Drop all connections from , ,

This is from the same bot service

Ok, thanks guys! Let’s indeed ask the whole FreePBX community to start the script Dicko suggested :wink:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.