<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>Hi Andy,<br>
what version are you running?<br>
As the UA block has been included in the config.yml since 6.5:<br>
<br>
block_useragents:<br>
&nbsp;&nbsp;action: reject<br>
&nbsp;&nbsp;enable: no<br>
&nbsp;&nbsp;mode: blacklist<br>
&nbsp;&nbsp;ua_patterns: []<br>
<br>
<br>
<br>
If you are using an older version you can use the following in
proxy/kamailio.cfg.customtt.tt2<br>
<br>
<br>
...<br>
...<br>
</tt><tt>if(uri =~ ";sw_domain=.+")<br>
{<br>
# a click2dial call, fix request uri<br>
<br>
$var(swdom) = $(ru{uri.param,sw_domain});<br>
$ru = "sip:" + $rU + "@" + $var(swdom);<br>
}<br>
<b>### code starts here</b><br>
</tt><b><tt>if( is_method("REGISTER|INVITE") && $sp != "[% sems.bindport %]" && !has_totag() && !from_any_gw($avp(s:ip), $avp(s:protoid)) )<br>
{<br>
&nbsp;&nbsp;# blacklist: drop the request when the User-Agent matches a listed pattern<br>
&nbsp;&nbsp;if($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+" )<br>
&nbsp;&nbsp;{<br>
&nbsp;&nbsp;&nbsp;&nbsp;xlog("L_NOTICE", "Request rejected, bad UA='$ua' - [% logreq_init -%]\n");<br>
&nbsp;&nbsp;&nbsp;&nbsp;exit;<br>
&nbsp;&nbsp;}<br>
&nbsp;&nbsp;else<br>
&nbsp;&nbsp;{<br>
&nbsp;&nbsp;&nbsp;&nbsp;xlog("L_NOTICE", "UA='$ua' accepted - [% logreq_init -%]\n");<br>
&nbsp;&nbsp;}<br>
}</tt></b><tt><br>
</tt><tt><b>###end</b><br>
</tt><tt><br>
</tt><tt><br>
This should work.<br>
<br>
<br>
</tt>
<pre class="moz-signature" cols="72">--
Daniel Grotti
Head of Customer Support Sipwise GmbH
e: <a class="moz-txt-link-abbreviated" href="mailto:dgrotti@sipwise.com">dgrotti@sipwise.com</a> Europaring F15
t: +43(0)130120332 A-2345 Brunn Am Gebirge
w: <a class="moz-txt-link-abbreviated" href="http://www.sipwise.com">www.sipwise.com</a> FN: 305595f FG: LG Wiener Neustadt
</pre>
<div class="moz-cite-prefix">On 3/14/19 4:13 PM, Andy Clark wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+-Ur-Jvw1+suOyi9WCTLsZ-NeLGAhLeQBzDeLthW0yoBa9KUQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">I also tried this
<div><br>
</div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0,0,0)">if(is_method("REGISTER|INVITE"))
{
if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+")
{
xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - [% logreq_init -%]\n");
exit;
}
}
</pre>
but I'm getting this </div>
<div>root@spce:/etc/cron.d# grep 'Request rejected'
/var/log/ngcp/kamailio-lb.log<br>
</div>
<div>
<div>Mar 14 07:54:48 core lb[4086]: ERROR: xlog
[xlog.c:513]: xdbg_fixup_helper(): wrong format[Request
rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru
F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua'
DESTIP=$Ri:$Rp#012]</div>
<div>Mar 14 08:08:56 core lb[25972]: ERROR: xlog
[xlog.c:513]: xdbg_fixup_helper(): wrong format[Request
rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru
F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua'
DESTIP=$Ri:$Rp#012]</div>
</div>
<div><br>
</div>
<div>Any help?</div>
<div><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Mar 14, 2019 at 7:14
AM Andy Clark &lt;<a href="mailto:andyclark05251978@gmail.com"
moz-do-not-send="true">andyclark05251978@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Hi Daniel,</div>
<div>I'm trying to implement a UA filter using your online
tutorial; unfortunately, after implementation I'm getting a
408 when trying to register.</div>
<div><br>
</div>
<div>Would you be able to look over the code?</div>
<div><br>
</div>
<div>Thank you </div>
<div><br>
</div>
<div><a
href="https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/"
target="_blank" moz-do-not-send="true">https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/</a><span style="white-space:pre-wrap"> </span></div>
<div><br>
</div>
<div>if(!sanity_check("1511", "7"))</div>
<div><span style="white-space:pre-wrap"> </span>{</div>
<div><span style="white-space:pre-wrap"> </span>xlog("L_WARN",
"Malformed SIP message detected - [% logreq_init -%]\n");</div>
<div><span style="white-space:pre-wrap"> </span>exit;</div>
<div>## <span style="white-space:pre-wrap"> </span>filtering
by UA : blacklist</div>
<div><span style="white-space:pre-wrap"> </span>if(
is_method(“REGISTER|INVITE”) && ($ua =~
“friendly-scanner” || $ua =~ “sipvicious” || $ua =~
“^sipcli.+”) )</div>
<div><span style="white-space:pre-wrap"> </span>{ </div>
<div><span style="white-space:pre-wrap"> </span>xlog(“L_WARN”,
“Request rejected, malicious UA=’$ua’ from IP=$si – [%
logreq_init -%]\n”); </div>
<div><span style="white-space:pre-wrap"> </span>exit; </div>
<div><span style="white-space:pre-wrap"> </span>}</div>
<div><span style="white-space:pre-wrap"> </span>}</div>
<div><span style="white-space:pre-wrap"> </span># checking
if a request is a retransmission, if so it will exit</div>
<div class="gmail-m_-4180696603223334550gmail-adL"><br>
</div>
<br
class="gmail-m_-4180696603223334550gmail-Apple-interchange-newline">
</div>
</blockquote>
</div>
</blockquote>
<br>
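<p>Added example, not part of the original thread or of Sipwise's code: a Python harness that applies the four User-Agent patterns from the reply above to constructed SIP requests, so a blacklist can be checked before it goes into the template. It assumes Kamailio's =~ is a case-insensitive, unanchored regex search and mirrors only the is_method() and has_totag() conditions (the port and gateway checks are left out); the function names and the example.test domain are made up for illustration.</p>
<pre>
```python
import re

# Patterns taken from the thread. Assumption: Kamailio's =~ behaves as a
# case-insensitive, unanchored regular-expression search.
UA_BLACKLIST = ["friendly-scanner", "sipvicious", "^sipcli.+", "^VaxSIPUserAgent.+"]
COMPILED = [re.compile(p, re.IGNORECASE) for p in UA_BLACKLIST]

def parse_request(raw):
    """Extract method, User-Agent and To-tag presence from a raw SIP request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold wrapped header lines
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    to_value = headers.get("to", headers.get("t", ""))
    tagged = re.search(r";\s*tag=", to_value, re.IGNORECASE) is not None
    return {"method": lines[0].split(" ", 1)[0],
            "ua": headers.get("user-agent", ""), "has_totag": tagged}

def verdict(raw):
    """Return 'reject' or 'pass' for one request, as a blacklist block would."""
    req = parse_request(raw)
    if req["method"] not in ("REGISTER", "INVITE") or req["has_totag"]:
        return "pass"  # not evaluated: other methods and in-dialog requests
    if any(rx.search(req["ua"]) for rx in COMPILED):
        return "reject"
    return "pass"

def sip(method, ua, to_tag=""):
    """Build a constructed sample request; example.test is a placeholder."""
    return (f"{method} sip:example.test SIP/2.0\r\n"
            f"To: sip:100@example.test{to_tag}\r\n"
            f"User-Agent: {ua}\r\n\r\n")

# Constructed samples, not captured traffic.
SAMPLES = {
    "scanner REGISTER": sip("REGISTER", "friendly-scanner"),
    "upper-case UA": sip("INVITE", "SIPVICIOUS"),
    "anchored sipcli": sip("REGISTER", "sipcli/v1.8"),
    "softphone": sip("REGISTER", "Example Softphone 1.0"),
    "in-dialog INVITE": sip("INVITE", "friendly-scanner", ";tag=abc"),
    "OPTIONS": sip("OPTIONS", "friendly-scanner"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} {verdict(raw)}")
```
</pre>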
</body>
</html>