TIPS SIPvicious

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
I have an iPBX 13 hosted locally. My staff noted this week that they get a call listed as SIPvicious. I searched about this and it looks like this is a SIP scanner. It does not show on the CDR reports. What is your advice to find it and stop it?
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
Add this to your IPtables:


#drop sipvicious attacks
-I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "pplsip" --algo bm
# End sip attacks


But also be sure to use a whitelist and hopefully allow registrations from FQDN only.
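As an added example (not krzykat's code and not part of IncrediblePBX), the Python below emulates what those iptables string-match rules do against constructed SIP datagrams, in the order the post produces (-I puts the DROP rules ahead of the whitelist ACCEPT rules). It also shows one caveat: -m string is case-sensitive unless --icase is given, and the rules only cover UDP port 5060. The trunk address, packets and default policy are assumptions.

```python
"""Emulate the iptables string-match rules from the thread against SIP datagrams.
Added example (not the forum poster's code); all samples below are constructed."""
from typing import Optional

# Signatures from the thread's rules: matched anywhere in the UDP payload,
# case-sensitively (iptables -m string is case-sensitive unless --icase is given).
SCANNER_STRINGS = ["friendly-scanner", "VaxSIPUserAgent", "sundayddr", "sipsak",
                   "sipvicious", "iWar", "sip-scan", "sipcli", "pplsip"]


def matched_signature(payload: bytes, icase: bool = False) -> Optional[str]:
    """Return the first rule string found in payload, or None."""
    hay = payload.lower() if icase else payload
    for sig in SCANNER_STRINGS:
        needle = sig.encode().lower() if icase else sig.encode()
        if needle in hay:
            return sig
    return None


def sip_user_agent(payload: bytes) -> Optional[str]:
    """Pull the User-Agent header from a SIP message (header names are case-insensitive)."""
    for line in payload.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode(errors="replace")
    return None


def verdict(src_ip: str, proto: str, dst_port: int, payload: bytes,
            whitelist: set, icase: bool = False) -> str:
    """Walk the chain in the thread's order: -I puts the DROP rules first, then the
    whitelist ACCEPT rules; everything else is dropped (assumed default policy)."""
    if proto == "udp" and dst_port == 5060 and matched_signature(payload, icase):
        return "DROP"
    if src_ip in whitelist:
        return "ACCEPT"
    return "DROP"


# Constructed samples: a scanner probe, a trunk REGISTER, and a mixed-case agent string.
PROBE = (b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7:5060\r\n"
         b"User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n")
TRUNK = (b"REGISTER sip:192.0.2.10 SIP/2.0\r\nUser-Agent: Asterisk PBX\r\n"
         b"Content-Length: 0\r\n\r\n")
MIXED = b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\nUser-Agent: SIPVicious 0.1\r\n\r\n"
WHITELIST = {"203.0.113.5"}  # placeholder trunk address, stands in for ./add-fqdn results

if __name__ == "__main__":
    for ip, pkt in [("198.51.100.7", PROBE), ("203.0.113.5", TRUNK), ("198.51.100.7", MIXED)]:
        print(ip, sip_user_agent(pkt), verdict(ip, "udp", 5060, pkt, WHITELIST),
              verdict(ip, "udp", 5060, pkt, WHITELIST, icase=True))
```

The MIXED sample slips past the case-sensitive "sipvicious" rule and is only caught by the whitelist, which is why the post's advice to whitelist is the stronger control.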
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
Thank you, I really appreciate it. I installed IncrediblePBX 13 following Ward's instructions. When I set it up I used ./add-fqdn to whitelist my specific servers for VOIP.MS and Vitelity.
I added your script to /etc/sysconfig/iptables. Then I did an iptables-restart.
I hope I understood the process and did the right procedures.
I am not an IT person, I just like to tinker with electronics. Back in the day I used to build electronic projects; now there is no point in doing it, so now I am tinkering with Linux.
 
