By default, the SipVicious scanner sends the User-Agent string "friendly-scanner". To block it, you can have iptables search each packet for that text.
Add the following line to /etc/sysconfig/iptables:
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 500 -j DROP
Keep in mind that this only works if you know the string that will be sent as the User-Agent. Some hackers using SipVicious may take the trouble to change that default string, but some protection is better than none. The same technique can also be used to block any attack that constantly sends the same string as the User-Agent, if you know what that string contains.
For those that use Webmin to manage iptables, here are the settings to use. This should come BEFORE any other rules applicable to port 5060 – I made it the very first rule on the page “Incoming packets (INPUT) – Only applies to packets addressed to this host”:
Rule comment: Stop SipVicious
Action to take: Drop
Network protocol: Equals UDP
Destination TCP or UDP port: Equals Port(s) 5060
Additional IPtables modules: string
Additional parameters: --string "friendly-scanner" --algo bm --to 500
All other settings on the Webmin “Add Rule” page should be left at the default value (usually <ignored>).
To stop the hackers clever enough to change the default user agent string, consider also using this technique.
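A pre-flight check for the rules file, added here as an example and not part of the original post: it catches typographic dashes and quotes picked up when pasting the rule from a web page, and confirms the DROP rule comes before any other port 5060 rule. The function name, its return codes and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Return codes are this script's
# own convention: 0 ok, 1 typographic dash/quote found, 2 DROP rule missing,
# 3 another port-5060 rule precedes the DROP rule.
check_sip_ua_rule() {
    file=$1
    ua=${2:-friendly-scanner}
    # UTF-8 bytes of the en dash and curly double quotes left by web copy-paste;
    # iptables does not read these as option dashes or plain quotes.
    endash=$(printf '\342\200\223')
    lquote=$(printf '\342\200\234')
    rquote=$(printf '\342\200\235')
    if LC_ALL=C grep -q -F -e "$endash" -e "$lquote" -e "$rquote" "$file"; then
        return 1
    fi
    # Assumes rules are written with a literal "--dport 5060", as on this page.
    awk -v ua="$ua" '
        /^-A INPUT / && /--dport 5060( |$)/ {
            if (index($0, "-m string") && index($0, "--string \"" ua "\"") && /-j DROP/) {
                if (!drop) drop = NR        # first matching DROP rule
            } else if (!other) other = NR   # first other rule for port 5060
        }
        END {
            if (!drop) exit 2
            if (other && other < drop) exit 3
        }' "$file"
}

# Constructed sample rules files.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.rules" <<'EOF'
*filter
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 500 -j DROP
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
EOF
cat > "$sample_dir/late.rules" <<'EOF'
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 500 -j DROP
EOF
cat > "$sample_dir/pasted.rules" <<'EOF'
-A INPUT -p udp -m udp –dport 5060 -m string –string “friendly-scanner” –algo bm –to 500 -j DROP
EOF
for f in good late pasted; do
    rc=0; check_sip_ua_rule "$sample_dir/$f.rules" || rc=$?
    echo "$f.rules: $rc"
done
```

Point the function at /etc/sysconfig/iptables after editing it and before reloading the firewall; pass a second argument to check for a different User-Agent string.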