<div dir="ltr">You could also consider actively crashing the offender's IP on log hits alongside the banning (using either svcrash.py, Homer Kill-Vicious tool, or sipgrep 2.0 -J or your own solution).<div class="gmail_extra">

<br clear="all"><div><div dir="ltr"><span style="font-family:arial,sans-serif;background-color:rgb(255,255,255)"><span style="font-family:Arial"><div style="font-size:13px;color:rgb(119,119,119)"><font><span style="font-family:Arial;color:rgb(119,119,119)">Best,</span></font></div>

<div style="font-size:13px;color:rgb(119,119,119)"><font><span style="font-family:Arial;color:rgb(119,119,119)"><br></span></font></div><div style="font-size:13px"><font color="#666666"><span style="font-family:Arial">Lorenzo Mangani</span></font></div>

<div style="font-size:13px"><font color="#666666"><div style="font-size:x-small"><br></div><div style="font-size:x-small">HOMER DEV TEAM</div></font></div><div style="font-size:x-small"><font size="1" color="#666666"><span style="font-family:Arial">QXIP - Capture Engineering</span></font></div>

<div style="font-size:x-small"><font size="1" color="#666666"><span style="font-family:Arial">Desk: +1 (202) 470-5312</span></font></div><div style="font-size:x-small"><font size="1" color="#666666"><span style="font-family:Arial">Mobile: +31 6 4603-2730</span></font></div>

<div style="font-size:x-small"><font size="1" color="#666666"><span style="font-family:Arial"><br></span></font></div><div style="font-size:x-small"><br></div></span></span></div></div>
<br><br><div class="gmail_quote">On Wed, Apr 30, 2014 at 1:26 PM, Norbert Piper <span dir="ltr"><<a href="mailto:norbert.piper@telenoise.de" target="_blank">norbert.piper@telenoise.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div lang="DE" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">USE GEOIP ban instead of fail2ban<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">:-)<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:spce-user-bounces@lists.sipwise.com" target="_blank">spce-user-bounces@lists.sipwise.com</a> [mailto:<a href="mailto:spce-user-bounces@lists.sipwise.com" target="_blank">spce-user-bounces@lists.sipwise.com</a>] <b>On Behalf Of </b>Tabi Tabe Tabi<br>

<b>Sent:</b> Wednesday, 30 April 2014 13:18<br><b>To:</b> <a href="mailto:spce-user@lists.sipwise.com" target="_blank">spce-user@lists.sipwise.com</a><br><b>Subject:</b> [Spce-user] SPCE Security alert<u></u><u></u></span></p>

<div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Hi,<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I just realized one of my test SPCE servers is under heavy friendly scanner and SIPVicious attack. This happened 30 minutes after I exposed the server to the Internet. I found the following IP addresses in Banned IP:<u></u><u></u></p>

</div><div><p class="MsoNormal"><u></u> <u></u></p></div><div>

<p class="MsoNormal">I am using iptables to drop the packets and have seen a drop in resource utilization on the server.<u></u><u></u></p><p class="MsoNormal">Does anyone have a recommendation for implementation of fail2ban on SIPWise?<u></u><u></u></p>

<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks.<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">-- <br>...Tabi<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p>

</div></div></div></div></div></div></div><br>_______________________________________________<br>
Spce-user mailing list<br>
<a href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a><br>
<a href="http://lists.sipwise.com/listinfo/spce-user" target="_blank">http://lists.sipwise.com/listinfo/spce-user</a><br>
<br></blockquote></div><br></div></div>