<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Andres,<br>
<br>
Today I had a very funny one ... an Amazon server tried to relay
over my server.<br>
<br>
<br>
LOG Data:<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike
[pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip
184.72.211.251, node=0x7f90dd8abcb8
<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: ALERT: pike blocking INVITE from <a
class="moz-txt-link-freetext"
href="sip:448099999999@184.72.211.251">sip:448099999999@184.72.211.251</a>
(IP:184.72.211.251:5060)
<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: IPTABLES: blocking 184.72.211.251 antiflood
<br>
<br>
<br>
<br>
-------- Original Message --------
<br>
<br>
Hi,
<br>
<br>
The IP 184.72.211.251 has just been banned by Fail2Ban after
<br>
1 attempts against KAMAILIO.
<br>
<br>
<br>
Here are more information about 184.72.211.251:
<br>
<br>
<br>
#
<br>
# ARIN WHOIS data and services are subject to the Terms of Use
<br>
# available at: <a class="moz-txt-link-freetext"
href="https://www.arin.net/whois_tou.html">https://www.arin.net/whois_tou.html</a>
<br>
#
<br>
<br>
<br>
#
<br>
# Query terms are ambiguous. The query is assumed to be:
<br>
# "n 184.72.211.251"
<br>
#
<br>
# Use "?" to get help.
<br>
#
<br>
<br>
#
<br>
# The following results may also be obtained via:
<br>
# <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&amp;showARIN=false&amp;ext=netref2">http://whois.arin.net/rest/nets;q=184.72.211.251?showDetails=true&amp;showARIN=false&amp;ext=netref2</a>
<br>
#
<br>
<br>
NetRange: 184.72.0.0 - 184.73.255.255
<br>
CIDR: 184.72.0.0/15
<br>
OriginAS:
<br>
NetName: AMAZON-EC2-7
<br>
NetHandle: NET-184-72-0-0-1
<br>
Parent: NET-184-0-0-0-0
<br>
NetType: Direct Assignment
<br>
Comment: The activity you have detected originates from a
<br>
Comment: dynamic hosting environment.
<br>
Comment: For fastest response, please submit abuse reports at
<br>
Comment: <a class="moz-txt-link-freetext"
href="http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse">http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse</a>
<br>
Comment: For more information regarding EC2 see:
<br>
Comment: <a class="moz-txt-link-freetext"
href="http://ec2.amazonaws.com/">http://ec2.amazonaws.com/</a>
<br>
Comment: All reports MUST include:
<br>
Comment: * src IP
<br>
Comment: * dest IP (your IP)
<br>
Comment: * dest port
<br>
Comment: * Accurate date/timestamp and timezone of activity
<br>
Comment: * Intensity/frequency (short log extracts)
<br>
Comment: * Your contact details (phone and email)
<br>
Comment: Without these we will be unable to identify
<br>
Comment: the correct owner of the IP address at that
<br>
Comment: point in time.
<br>
RegDate: 2010-01-26
<br>
Updated: 2012-03-02
<br>
Ref: <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/net/NET-184-72-0-0-1">http://whois.arin.net/rest/net/NET-184-72-0-0-1</a>
<br>
<br>
<br>
OrgName: Amazon.com, Inc.
<br>
OrgId: AMAZO-4
<br>
Address: Amazon Web Services, Elastic Compute Cloud, EC2
<br>
Address: 1200 12th Avenue South
<br>
City: Seattle
<br>
StateProv: WA
<br>
PostalCode: 98144
<br>
Country: US
<br>
RegDate: 2005-09-29
<br>
Updated: 2009-06-02
<br>
Comment: For details of this service please see
<br>
Comment: <a class="moz-txt-link-freetext"
href="http://ec2.amazonaws.com/">http://ec2.amazonaws.com/</a>
<br>
Ref: <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/org/AMAZO-4">http://whois.arin.net/rest/org/AMAZO-4</a>
<br>
<br>
OrgAbuseHandle: AEA8-ARIN
<br>
OrgAbuseName: Amazon EC2 Abuse
<br>
OrgAbusePhone: +1-206-266-4064
<br>
OrgAbuseEmail: <a class="moz-txt-link-abbreviated"
href="mailto:ec2-abuse@amazon.com">ec2-abuse@amazon.com</a>
<br>
OrgAbuseRef: <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/AEA8-ARIN">http://whois.arin.net/rest/poc/AEA8-ARIN</a>
<br>
<br>
OrgTechHandle: ANO24-ARIN
<br>
OrgTechName: Amazon EC2 Network Operations
<br>
OrgTechPhone: +1-206-266-4064
<br>
OrgTechEmail: <a class="moz-txt-link-abbreviated"
href="mailto:aes-noc@amazon.com">aes-noc@amazon.com</a>
<br>
OrgTechRef: <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/ANO24-ARIN">http://whois.arin.net/rest/poc/ANO24-ARIN</a>
<br>
<br>
RNOCHandle: ANO24-ARIN
<br>
RNOCName: Amazon EC2 Network Operations
<br>
RNOCPhone: +1-206-266-4064
<br>
RNOCEmail: <a class="moz-txt-link-abbreviated"
href="mailto:aes-noc@amazon.com">aes-noc@amazon.com</a>
<br>
RNOCRef: <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/ANO24-ARIN">http://whois.arin.net/rest/poc/ANO24-ARIN</a>
<br>
<br>
RTechHandle: ANO24-ARIN
<br>
RTechName: Amazon EC2 Network Operations
<br>
RTechPhone: +1-206-266-4064
<br>
RTechEmail: <a class="moz-txt-link-abbreviated"
href="mailto:aes-noc@amazon.com">aes-noc@amazon.com</a>
<br>
RTechRef: <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/ANO24-ARIN">http://whois.arin.net/rest/poc/ANO24-ARIN</a>
<br>
<br>
RAbuseHandle: AEA8-ARIN
<br>
RAbuseName: Amazon EC2 Abuse
<br>
RAbusePhone: +1-206-266-4064
<br>
RAbuseEmail: <a class="moz-txt-link-abbreviated"
href="mailto:ec2-abuse@amazon.com">ec2-abuse@amazon.com</a>
<br>
RAbuseRef: <a class="moz-txt-link-freetext"
href="http://whois.arin.net/rest/poc/AEA8-ARIN">http://whois.arin.net/rest/poc/AEA8-ARIN</a>
<br>
<br>
<br>
<br>
<br>
Lines containing IP:184.72.211.251 in /var/log/kamailio.log
<br>
<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: WARNING: pike
[pike_funcs.c:164]: pike_check_req(): PIKE - BLOCKing ip
184.72.211.251, node=0x7f90dd8abcb8
<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: ALERT: pike blocking INVITE from <a
class="moz-txt-link-freetext"
href="sip:448099999999@184.72.211.251">sip:448099999999@184.72.211.251</a>
(IP:184.72.211.251:5060)
<br>
Mar 26 06:20:44 lb2 /usr/sbin/kamailio[16409]: ALERT:
&lt;script&gt;: IPTABLES: blocking 184.72.211.251 antiflood
<br>
<br>
<br>
Regards,
<br>
<br>
Fail2Ban
<br>
<br>
<br>
<div class="moz-signature">-- <br>
<b>Rainer Piper</b>
<br>
NOC - +49 (0)228 97167161 - sip.soho-piper.de
<br>
NOC - +49 (0)2247 9064188 - sip.tele33.de - sip.tefonix.de - D293
</div>
</body>
</html>