Thanks for that. I have only just started with this community, but if the speed and quality of responses is anything to go by - it's an awesome one!!!<div><br></div><div>Cheers</div><div><br></div><div>Theo<br><br><div class="gmail_quote">
On Fri, Feb 15, 2013 at 10:52 AM, Daniel Grotti <span dir="ltr">&lt;<a href="mailto:dgrotti@sipwise.com" target="_blank">dgrotti@sipwise.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Theo,<br>
Malicious attacks are banned by the proxy and you can see the IP
address/user bans under the "Security Ban" section.<br>
What you could do is change the value defining how many seconds
the system keeps the IP/users banned.<br>
You can find all the variables in /etc/ngcp-config/config.yml
under "kamailio -> lb -> security".<br>
<br>
security:<br>
&nbsp;&nbsp;dos_ban_enable: 'yes'<br>
&nbsp;&nbsp;dos_ban_time: 300<br>
&nbsp;&nbsp;dos_reqs_density_per_unit: 50<br>
&nbsp;&nbsp;dos_sampling_time_unit: 5<br>
&nbsp;&nbsp;dos_whitelisted_ips: ~<br>
&nbsp;&nbsp;failed_auth_attempts: 3<br>
&nbsp;&nbsp;failed_auth_ban_enable: 'yes'<br>
&nbsp;&nbsp;failed_auth_ban_time: 3600<br>
<br>
<br>
So, by default the IP will stay banned for 300 sec.<br>
<br>
Daniel<div><div class="h5"><br>
<br>
<br>
<br>
<br>
On 02/15/2013 09:45 AM, Theo wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">Hi
<div><br>
</div>
<div>ngrep-sip gives me:</div>
<div><br>
</div>
<div>
<div>#</div>
<div>U 2013/02/15 10:39:23.432811 <a href="http://173.242.123.148:5266" target="_blank">173.242.123.148:5266</a>
-> <a href="http://196.41.123.113:5060" target="_blank">196.41.123.113:5060</a></div>
<div>REGISTER sip:196.41.123.113 SIP/2.0'</div>
<div>Via: SIP/2.0/UDP
173.242.123.148:5266;branch=z9hG4bK-2478367181;rport'</div>
<div>Content-Length: 0'</div>
<div>From: "12unknown" &lt;<a href="mailto:sip%3A12unknown@196.41.123.113" target="_blank">sip:12unknown@196.41.123.113</a>&gt;'</div>
<div>Accept: application/sdp'</div>
<div>User-Agent: friendly-scanner'</div>
<div>To: "12unknown" &lt;<a href="mailto:sip%3A12unknown@196.41.123.113" target="_blank">sip:12unknown@196.41.123.113</a>&gt;'</div>
<div>Contact: <a href="mailto:sip%3A123@1.1.1.1" target="_blank">sip:123@1.1.1.1</a>'</div>
<div>CSeq: 1 REGISTER'</div>
<div>Call-ID: <a href="tel:4123206054" value="+14123206054" target="_blank">4123206054</a>'</div>
<div>Max-Forwards: 70'</div>
<div>'</div>
</div>
<div>with a script changing the Call-ID at a massive rate. So
someone is trying to register or doing something sinister. This
box is not behind a firewall at this point, just a test box. The
IP you see there 173.242.123.148 has indeed been added to the
banned IPs which I guess means nothing is actually reaching the
proxy? Do we just leave it like this until they give up or is
there some other action I should take?</div>
<div><br>
</div>
<div>There is no monetary risk at this point for us - this is
really just for testing and all details such as IPs are going to
change if and when we would start using it.</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
Spce-user mailing list
<a href="mailto:Spce-user@lists.sipwise.com" target="_blank">Spce-user@lists.sipwise.com</a>
<a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>
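One way to check an ngrep capture like the one in the original message against the thresholds quoted in the reply, added here as an example and not code from either poster or from Sipwise. It assumes `dos_reqs_density_per_unit` and `dos_sampling_time_unit` mean "at most 50 requests per source IP per 5-second window" and counts in fixed windows; the function names and the constructed sample capture (documentation addresses) are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Values from the config.yml excerpt quoted in the thread.
DOS_REQS_DENSITY_PER_UNIT = 50
DOS_SAMPLING_TIME_UNIT = 5  # seconds
EPOCH = datetime(1970, 1, 1)

# ngrep packet header: "U <date> <time> src:port -> dst:port"
HEADER = re.compile(
    r"^U (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) (\d+\.\d+\.\d+\.\d+):\d+ -> ")
# The paste in the thread ends each SIP line with a stray quote; tolerate it.
USER_AGENT = re.compile(r"^User-Agent:\s*(.*?)'?\s*$", re.I)


def find_flooders(capture, limit=DOS_REQS_DENSITY_PER_UNIT,
                  unit=DOS_SAMPLING_TIME_UNIT):
    """Return {src_ip: {"peak": n, "agents": set}} for sources over the limit."""
    windows = defaultdict(Counter)  # src -> {window index: packet count}
    agents = defaultdict(set)       # src -> User-Agent values seen
    src = None
    for line in capture.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            src = m.group(2)
            windows[src][int((ts - EPOCH).total_seconds()) // unit] += 1
        elif src and (ua := USER_AGENT.match(line)):
            agents[src].add(ua.group(1))
    return {ip: {"peak": max(c.values()), "agents": agents[ip]}
            for ip, c in windows.items() if max(c.values()) > limit}


def build_sample():
    """Constructed capture: one flooding source and one ordinary client."""
    start, lines = datetime(2013, 2, 15, 10, 39, 20), []
    def packet(ts, src, agent, call_id):
        lines.extend(["#", f"U {ts:%Y/%m/%d %H:%M:%S.%f} {src} -> 198.51.100.5:5060",
                      "REGISTER sip:198.51.100.5 SIP/2.0'",
                      f"User-Agent: {agent}'", f"Call-ID: {call_id}'", "'"])
    for i in range(60):  # 60 REGISTERs in 3 s, new Call-ID each time
        packet(start + timedelta(milliseconds=50 * i), "203.0.113.10:5266",
               "friendly-scanner", 1000 + i)
    for i in range(2):   # a client that stays far below the threshold
        packet(start + timedelta(seconds=i), "203.0.113.77:5060", "ExamplePhone", i)
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_flooders(build_sample()))
```

Sources it reports can be compared with the entries in the "Security Ban" section to confirm the ban thresholds are catching the traffic seen on the wire.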