<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 3/26/14, 2:40 PM, Rainer Piper
wrote:<br>
</div>
<blockquote cite="mid:53331F27.7020405@soho-piper.de" type="cite">
Hi Andres,<br>
<br>
today I had a very funny one ... an amazon server tried to relay
over my server.<br>
<br>
</blockquote>
I see that. It's cheap and easy to use an Amazon server for this
purpose. Plus you can change its public IP by shutting down and
starting the instance again.<br>
<blockquote cite="mid:53331F27.7020405@soho-piper.de" type="cite"> <br>
LOG Data:<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike
[pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip
184.72.211.251, node=0x7f90dd8abcb8 <br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: ALERT: pike blocking INVITE from <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="sip:448099999999@184.72.211.251">sip:448099999999@184.72.211.251</a>
(IP:184.72.211.251:5060) <br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: IPTABLES: blocking 184.72.211.251 antiflood <br>
<br>
<br>
<br>
-------- Original Message -------- <br>
<br>
Hi, <br>
<br>
The IP 184.72.211.251 has just been banned by Fail2Ban after <br>
1 attempts against KAMAILIO. <br>
<br>
<br>
Here are more information about 184.72.211.251: <br>
<br>
<br>
# <br>
# ARIN WHOIS data and services are subject to the Terms of Use <br>
# available at: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://www.arin.net/whois_tou.html">https://www.arin.net/whois_tou.html</a>
<br>
# <br>
<br>
<br>
# <br>
# Query terms are ambiguous. The query is assumed to be: <br>
# "n 184.72.211.251" <br>
# <br>
# Use "?" to get help. <br>
# <br>
<br>
# <br>
# The following results may also be obtained via: <br>
# <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showARIN=false&ext=netref2">http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&showARIN=false&ext=netref2</a>
<br>
# <br>
<br>
NetRange: 184.72.0.0 - 184.73.255.255 <br>
CIDR: 184.72.0.0/15 <br>
OriginAS: <br>
NetName: AMAZON-EC2-7 <br>
NetHandle: NET-184-72-0-0-1 <br>
Parent: NET-184-0-0-0-0 <br>
NetType: Direct Assignment <br>
Comment: The activity you have detected originates from a <br>
Comment: dynamic hosting environment. <br>
Comment: For fastest response, please submit abuse reports
at <br>
Comment: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse">http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse</a>
<br>
Comment: For more information regarding EC2 see: <br>
Comment: <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="http://ec2.amazonaws.com/">http://ec2.amazonaws.com/</a>
<br>
Comment: All reports MUST include: <br>
Comment: * src IP <br>
Comment: * dest IP (your IP) <br>
Comment: * dest port <br>
Comment: * Accurate date/timestamp and timezone of activity
<br>
Comment: * Intensity/frequency (short log extracts) <br>
Comment: * Your contact details (phone and email) <br>
Comment: Without these we will be unable to identify <br>
Comment: the correct owner of the IP address at that <br>
Comment: point in time. <br>
RegDate: 2010-01-26 <br>
Updated: 2012-03-02 <br>
Ref: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/net/NET-184-72-0-0-1">http://whois.arin.net/rest/net/NET-184-72-0-0-1</a>
<br>
<br>
<br>
OrgName: Amazon.com, Inc. <br>
OrgId: AMAZO-4 <br>
Address: Amazon Web Services, Elastic Compute Cloud, EC2 <br>
Address: 1200 12th Avenue South <br>
City: Seattle <br>
StateProv: WA <br>
PostalCode: 98144 <br>
Country: US <br>
RegDate: 2005-09-29 <br>
Updated: 2009-06-02 <br>
Comment: For details of this service please see <br>
Comment: <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="http://ec2.amazonaws.com/">http://ec2.amazonaws.com/</a>
<br>
Ref: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/org/AMAZO-4">http://whois.arin.net/rest/org/AMAZO-4</a>
<br>
<br>
OrgAbuseHandle: AEA8-ARIN <br>
OrgAbuseName: Amazon EC2 Abuse <br>
OrgAbusePhone: +1-206-266-4064
<br>
OrgAbuseEmail: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:ec2-abuse@amazon.com">ec2-abuse@amazon.com</a> <br>
OrgAbuseRef: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/AEA8-ARIN">http://whois.arin.net/rest/poc/AEA8-ARIN</a>
<br>
<br>
OrgTechHandle: ANO24-ARIN <br>
OrgTechName: Amazon EC2 Network Operations <br>
OrgTechPhone: +1-206-266-4064
<br>
OrgTechEmail: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:aes-noc@amazon.com">aes-noc@amazon.com</a> <br>
OrgTechRef: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/ANO24-ARIN">http://whois.arin.net/rest/poc/ANO24-ARIN</a>
<br>
<br>
RNOCHandle: ANO24-ARIN <br>
RNOCName: Amazon EC2 Network Operations <br>
RNOCPhone: +1-206-266-4064
<br>
RNOCEmail: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:aes-noc@amazon.com">aes-noc@amazon.com</a> <br>
RNOCRef: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/ANO24-ARIN">http://whois.arin.net/rest/poc/ANO24-ARIN</a>
<br>
<br>
RTechHandle: ANO24-ARIN <br>
RTechName: Amazon EC2 Network Operations <br>
RTechPhone: +1-206-266-4064
<br>
RTechEmail: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:aes-noc@amazon.com">aes-noc@amazon.com</a> <br>
RTechRef: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/ANO24-ARIN">http://whois.arin.net/rest/poc/ANO24-ARIN</a>
<br>
<br>
RAbuseHandle: AEA8-ARIN <br>
RAbuseName: Amazon EC2 Abuse <br>
RAbusePhone: +1-206-266-4064
<br>
RAbuseEmail: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:ec2-abuse@amazon.com">ec2-abuse@amazon.com</a> <br>
RAbuseRef: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/AEA8-ARIN">http://whois.arin.net/rest/poc/AEA8-ARIN</a>
<br>
<br>
<br>
<br>
<br>
Lines containing IP:184.72.211.251 in /var/log/kamailio.log <br>
<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike
[pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip
184.72.211.251, node=0x7f90dd8abcb8 <br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: ALERT: pike blocking INVITE from <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="sip:448099999999@184.72.211.251">sip:448099999999@184.72.211.251</a>
(IP:184.72.211.251:5060) <br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: IPTABLES: blocking 184.72.211.251 antiflood <br>
<br>
<br>
Regards, <br>
<br>
Fail2Ban <br>
<br>
<br>
<div class="moz-signature">-- <br>
<b>Rainer Piper</b> <br>
NOC - +49 (0)228 97167161 - sip.soho-piper.de <br>
NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de -
D293 </div>
<br>
<pre wrap="">_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a>
<a class="moz-txt-link-freetext" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Technical Support
<a class="moz-txt-link-freetext" href="http://www.cellroute.net">http://www.cellroute.net</a></pre>
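<br>
Added example, not part of the original thread and not Kamailio or Fail2Ban code: because a per-IP ban is lost as soon as the instance gets a new public IP, this sketch parses the pike warning format quoted above and counts blocks per provider range instead of per address. The names SAMPLE_LOG, KNOWN_NETS, blocked_ips and hits_per_network are hypothetical, and every log line except the first is constructed.<br>

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: line 1 is the pike warning quoted in the message;
# the other three use made-up addresses in the same format.
SAMPLE_LOG = """\
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.72.211.251, node=0x7f90dd8abcb8
Mar 26 07:02:10 lb2 /usr/sbin/kamailio[16409]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 184.73.10.20, node=0x7f90dd8abd00
Mar 26 07:45:31 lb2 /usr/sbin/kamailio[16411]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 198.51.100.7, node=0x7f90dd8abe48
Mar 26 08:00:00 lb2 /usr/sbin/kamailio[16411]: WARNING: pike [pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip 999.1.1.1, node=0x0
"""

# 184.72.0.0/15 is the AMAZON-EC2-7 range from the WHOIS output in the message.
KNOWN_NETS = {"AMAZON-EC2-7": ipaddress.ip_network("184.72.0.0/15")}

# Matches only the pike module's own warning, not the script's ALERT lines.
PIKE_RE = re.compile(r"pike_check_req\(\): PIKE - BLOCKing ip ([0-9A-Fa-f.:]+),")


def blocked_ips(log_text):
    """Return the valid addresses pike reported as blocked, in log order."""
    found = []
    for line in log_text.splitlines():
        match = PIKE_RE.search(line)
        if not match:
            continue
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # malformed address in the log line, skip it
    return found


def hits_per_network(ips, nets=KNOWN_NETS):
    """Count blocks per named network; unmatched addresses count under their own IP."""
    counts = Counter()
    for ip in ips:
        label = next((name for name, net in nets.items() if ip in net), str(ip))
        counts[label] += 1
    return counts


if __name__ == "__main__":
    for label, n in hits_per_network(blocked_ips(SAMPLE_LOG)).most_common():
        print(f"{label}: {n}")
```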
</body>
</html>