<div dir="ltr"><div dir="ltr">Thank you - <div>I'm running 6.5.3.<div>I do see where to add the user agents in the config.yml (I did not notice that in the past):</div><div><br></div><pre style="white-space:pre-wrap;color:rgb(0,0,0)">block_useragents:
  action: drop
  enable: yes
  mode: blacklist
  ua_patterns: ['Z 5.2.25 rv2.8.112+']
</pre><div><br></div><div>NEXT</div><div>I'd like to add it to fail2ban.<br></div><div>1. Which log file should I monitor?<br></div><div>2. What should I be looking for in the log file?</div><div><br></div><div>For example:</div><div>in your tutorial I would monitor "<em>Malformed SIP message detected</em>"</div><div>within "<em style="font-family:monospace">/var/log/ngcp/kamailio-lb.log</em>"</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 14, 2019 at 8:44 AM Daniel Grotti <<a href="mailto:dgrotti@sipwise.com">dgrotti@sipwise.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<tt>Hi Andy,<br>
what version are you running?<br>
As the UA block has been included in the config.yml since 6.5:<br>
<br>
</tt><pre>block_useragents:
  action: reject
  enable: no
  mode: blacklist
  ua_patterns: []
</pre><tt>
<br>
<br>
<br>
If you are using an older version you can use the following in
proxy/kamailio.cfg.customtt.tt2<br>
<br>
<br>
...<br>
...<br>
</tt><pre>if(uri =~ ";sw_domain=.+")
{
    # a click2dial call, fix request uri
    $var(swdom) = $(ru{uri.param,sw_domain});
    $ru = "sip:" + $rU + "@" + $var(swdom);
}
### code starts here
# Only initial (no To-tag) REGISTER/INVITE requests that did not come from
# sems or from a known gateway/peer are checked against the UA blacklist.
if( is_method("REGISTER|INVITE") && $sp != "[% sems.bindport %]" && !has_totag() && !from_any_gw($avp(s:ip), $avp(s:protoid)) )
{
    # scanner / attack-tool User-Agents: log the request and drop it silently
    if($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+")
    {
        xlog("L_NOTICE", "Request rejected, bad UA='$ua' - [% logreq_init -%]\n");
        exit;
    }
    else
    {
        xlog("L_NOTICE", "UA='$ua' accepted - [% logreq_init -%]\n");
    }
}
###end
</pre><tt>
</tt><tt><br>
</tt><tt><br>
This should work.<br>
<br>
<br>
</tt>
<pre class="gmail-m_-788095149069116889moz-signature" cols="72">--
Daniel Grotti
Head of Customer Support Sipwise GmbH
e: <a class="gmail-m_-788095149069116889moz-txt-link-abbreviated" href="mailto:dgrotti@sipwise.com" target="_blank">dgrotti@sipwise.com</a> Europaring F15
t: +43(0)130120332 A-2345 Brunn Am Gebirge
w: <a class="gmail-m_-788095149069116889moz-txt-link-abbreviated" href="http://www.sipwise.com" target="_blank">www.sipwise.com</a> FN: 305595f FG: LG Wiener Neustadt
</pre>
<div class="gmail-m_-788095149069116889moz-cite-prefix">On 3/14/19 4:13 PM, Andy Clark wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">I also tried this:
<div><br>
</div>
<div>
<pre style="white-space:pre-wrap;color:rgb(0,0,0)">if(is_method("REGISTER|INVITE"))
{
if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+")
{
xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - [% logreq_init -%]\n");
exit;
}
}
</pre>
but I'm getting this:</div>
<div>root@spce:/etc/cron.d# grep 'Request rejected' /var/log/ngcp/kamailio-lb.log<br>
</div>
<pre style="white-space:pre-wrap;color:rgb(0,0,0)">Mar 14 07:54:48 core lb[4086]: ERROR: xlog [xlog.c:513]: xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua' DESTIP=$Ri:$Rp#012]
Mar 14 08:08:56 core lb[25972]: ERROR: xlog [xlog.c:513]: xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua' DESTIP=$Ri:$Rp#012]
</pre>
<div><br>
</div>
<div>any help?</div>
<div><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Mar 14, 2019 at 7:14
AM Andy Clark <<a href="mailto:andyclark05251978@gmail.com" target="_blank">andyclark05251978@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Hi Daniel,</div>
<div>I'm trying to implement the UA filter using your online
tutorial; unfortunately, after implementation I'm getting a
408 when trying to register.</div>
<div><br>
</div>
<div>Would you be able to look over the code?</div>
<div><br>
</div>
<div>Thank you </div>
<div><br>
</div>
<div><a href="https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/" target="_blank">https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/</a><span style="white-space:pre-wrap"> </span></div>
<div><br>
</div>
<pre style="white-space:pre-wrap;color:rgb(0,0,0)">if(!sanity_check("1511", "7"))
{
    xlog("L_WARN", "Malformed SIP message detected - [% logreq_init -%]\n");
    exit;
    ## filtering by UA : blacklist
    if( is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+") )
    {
        xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
        exit;
    }
}
# checking if a request is a retransmission, if so it will exit
</pre>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
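<p>The two questions at the top of the thread (which file to watch, what to match) come down to parsing the <code>xlog</code> lines that the blacklist branch and the <code>sanity_check</code> branch write to <code>/var/log/ngcp/kamailio-lb.log</code>, pulling the source address out of the <code>IP=$pr:$si:$sp</code> field of <code>logreq_init</code> (its expansion is visible in the fixup error quoted above), and banning a host once it crosses a threshold inside a time window. The script below is an added example for this thread, not Sipwise/NGCP code and not from either poster. It assumes the default Kamailio <code>NOTICE: &lt;script&gt;:</code> line prefix, supplies a year for the year-less syslog timestamps, and uses fail2ban's <code>&lt;HOST&gt;</code> placeholder for the equivalent failregex; the sample log is constructed.</p>

```python
"""Find the xlog lines written by the UA blacklist / sanity_check branches in
/var/log/ngcp/kamailio-lb.log and count them per source IP, which is the
decision a fail2ban jail makes before banning. Added example for this thread;
not Sipwise/NGCP code. The sample log below is constructed."""
import re
from collections import Counter
from datetime import datetime

# The "[% logreq_init -%]" macro expands to the fields visible in the xlog
# error quoted in the thread: M= R= F= T= IP=$pr:$si:$sp ID= UA= DESTIP=.
# The source address is therefore the middle part of the IP= field.
# Assumption: "NOTICE: <script>: " is the default xlog line prefix; the
# (?!ERROR:) lookahead skips Kamailio's own complaints (e.g. the '$u' fixup
# error), which are not rejected requests.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ lb\[\d+\]: (?!ERROR:).*?"
    r"(?P<reason>Request rejected, (?:bad|malicious) UA='[^']*'"
    r"|Malformed SIP message detected)"
    r".*?\bIP=(?P<proto>udp|tcp|tls|sctp|wss?):(?P<ip>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)"
)

# The same match as a fail2ban failregex (assumption: fail2ban's <HOST>
# placeholder; put it in a filter.d file and point a jail at the log above).
FAIL2BAN_FAILREGEX = (
    r"^.*(?:Request rejected, (?:bad|malicious) UA='[^']*'|Malformed SIP message detected)"
    r".*IP=(?:udp|tcp|tls|sctp|wss?):<HOST>:\d+.*$"
)

# Constructed sample log: the thread's xlog fixup ERROR line (the '$u' typo),
# three scanner hits from one host, one accepted REGISTER, one malformed
# message and a later scanner hit from a second host.
SAMPLE_LOG = """\
Mar 14 08:08:56 core lb[25972]: ERROR: xlog [xlog.c:513]: xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua' DESTIP=$Ri:$Rp#012]
Mar 14 09:01:02 core lb[25972]: NOTICE: <script>: Request rejected, bad UA='friendly-scanner' - M=REGISTER R=sip:100@sip.example.net F=sip:100@sip.example.net T=sip:100@sip.example.net IP=udp:203.0.113.5:5062 ID=1a2b3c UA='friendly-scanner' DESTIP=198.51.100.1:5060
Mar 14 09:01:03 core lb[25972]: NOTICE: <script>: Request rejected, bad UA='sipvicious' - M=INVITE R=sip:0011@sip.example.net F=sip:100@sip.example.net T=sip:0011@sip.example.net IP=udp:203.0.113.5:5062 ID=1a2b3d UA='sipvicious' DESTIP=198.51.100.1:5060
Mar 14 09:01:05 core lb[25972]: NOTICE: <script>: Request rejected, bad UA='sipcli/v1.8' - M=INVITE R=sip:0012@sip.example.net F=sip:100@sip.example.net T=sip:0012@sip.example.net IP=udp:203.0.113.5:5062 ID=1a2b3e UA='sipcli/v1.8' DESTIP=198.51.100.1:5060
Mar 14 09:02:10 core lb[25972]: NOTICE: <script>: UA='Zoiper' accepted - M=REGISTER R=sip:sip.example.net F=sip:200@sip.example.net T=sip:200@sip.example.net IP=tls:192.0.2.20:41234 ID=9f8e7d UA='Zoiper' DESTIP=198.51.100.1:5061
Mar 14 09:30:00 core lb[25972]: WARNING: <script>: Malformed SIP message detected - M=OPTIONS R=sip:sip.example.net F=sip:x@x T=sip:x@x IP=udp:198.51.100.7:5060 ID=0000 UA='' DESTIP=198.51.100.1:5060
Mar 14 09:45:00 core lb[25972]: NOTICE: <script>: Request rejected, bad UA='VaxSIPUserAgent/3.1' - M=REGISTER R=sip:sip.example.net F=sip:1@sip.example.net T=sip:1@sip.example.net IP=udp:198.51.100.7:5060 ID=5555 UA='VaxSIPUserAgent/3.1' DESTIP=198.51.100.1:5060
"""


def parse_events(lines, year=2019):
    """Return [(timestamp, source_ip, reason)] for every matching line.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # fixup errors, accepted UAs, unrelated lines
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("reason")))
    return events


def count_by_ip(lines):
    """Total hits per source IP, regardless of timing."""
    return Counter(ip for _ts, ip, _reason in parse_events(lines))


def offenders(lines, maxretry=3, findtime=600):
    """IPs that reach maxretry hits inside a sliding window of findtime
    seconds, i.e. fail2ban's maxretry/findtime rule applied to these events."""
    recent = {}
    banned = set()
    for ts, ip, _reason in sorted(parse_events(lines)):
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_by_ip(lines))
    print("ban:", sorted(offenders(lines)))
```

<p>On the sample log the scanner host 203.0.113.5 reaches three hits within seconds and is banned, while 198.51.100.7 has two events 15 minutes apart and only trips the rule if the window is widened to 30 minutes; the fixup ERROR line and the accepted Zoiper REGISTER are never counted.</p>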