Blocking SIP Scanners

From Kolmisoft Wiki
Jump to navigationJump to search

About

To increase security MOR/M2 install additional iptables rules which block common SIP scanners and attack tools based on User-Agent string.



Usage

Iptables rules are automatically installed on MOR (starting from X16) and M2 switches. The configuration is set in /etc/mor/system.conf file. Default configuration looks like this:

block_scanners_active = 1
block_scanners_list = friendly-scanner, sundayddr, sipsak, sipvicious, iWar, sipcli, VaxSIPUserAgent, pplsip

By default, MOR/M2 will block scanners listed in block_scanners_list. You can remove or add scanners in this list and the script automatically adjusts (script check configuration every 15 minutes) iptables rules base on the current configuration. You can also execute the script manually to apply changes ASAP:

/usr/local/mor/mor_block_scanners.sh




How to disable

If you want completely disable script and remove iptables rules, use these commands:

MOR:

sed -i 's#block_scanners_active\s*=\s*1#block_scanners_active = 0#' /etc/mor/system.conf
iptables -FMOR-BLOCK-SCANNERS
iptables -D INPUT -j MOR-BLOCK-SCANNERS
iptables -XMOR-BLOCK-SCANNERS

M2:

sed -i 's#block_scanners_active\s*=\s*1#block_scanners_active = 0#' /etc/m2/system.conf
iptables -FM2-BLOCK-SCANNERS
iptables -D INPUT -j M2-BLOCK-SCANNERS
iptables -XM2-BLOCK-SCANNERS



See also