[Spce-user] autoban or fail2ban

Andreas Granig agranig at sipwise.com
Mon May 7 14:45:37 EDT 2012


Hi,

On 05/07/2012 08:35 PM, Jon Bonilla (Manwe) wrote:
> The spce has SIP attack protection against DOS and DDOS attacks.
> 
> If you're talking about ssh or similar you should use iptables. Please check
> the security chapter of the handbook.

To make it clear, flood traffic above a certain threshold is blocked in
user-space on the load-balancer. You can check the blocked IPs with the
following command:

ngcp-sercmd lb htable.dump ipban

Every time an IP gets into this blacklist, a warning is logged in
kamailio-lb.log, using this kamailio config line:

xlog("L_WARN", "IP '$var(banip)' is blocked and banned - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci\n");

Sometimes it makes sense to block the traffic on kernel level already to
keep the receive queue clean, so fail2ban could make sense here. See the
section "Fail2Ban" in
http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack (the rest is
already implemented in the SPCE), just adapt the "failregex" to the log
message shown above.

Andreas
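
One way to adapt and check a "failregex" for the log message above, as an added example that is not part of the original post or of the SPCE configuration. The syslog prefix, the sample lines and the simplified IPv4-only stand-in for fail2ban's <HOST> tag are assumptions.

```python
import ipaddress
import re

# Candidate failregex in fail2ban syntax. It keys on the fixed text written by
# the xlog() line and ends at "R=", before the fields copied from the SIP request.
FAILREGEX = r"IP '<HOST>' is blocked and banned - M=\S+ R="

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample lines; the prefix before "IP '" is an assumed syslog format.
SAMPLE_LOG = (
    "May  7 14:45:37 spce kamailio[1234]: WARNING: <script>: "
    "IP '203.0.113.5' is blocked and banned - M=REGISTER R=sip:example.org "
    "F=sip:100@example.org T=sip:100@example.org "
    "IP=udp:203.0.113.5:5060 ID=a1b2@203.0.113.5\n"
    "May  7 14:45:38 spce kamailio[1234]: INFO: <script>: "
    "New request - M=OPTIONS R=sip:example.org\n"
    "May  7 14:45:39 spce kamailio[1234]: WARNING: <script>: "
    "IP '198.51.100.77' is blocked and banned - M=INVITE R=sip:200@example.org "
    "F=sip:x@example.net T=sip:200@example.org "
    "IP=udp:198.51.100.77:5071 ID=c3d4@198.51.100.77\n"
    "May  7 14:45:40 spce kamailio[1234]: WARNING: <script>: "
    "IP '999.1.1.1' is blocked and banned - M=INVITE R=sip:200@example.org\n"
)


def banned_ip(line):
    """Return the banned IP from one log line, or None if the line does not match."""
    match = PATTERN.search(line)  # leftmost match: the text written by the config
    if match is None:
        return None
    try:
        # Reject values that look like an address but are not one.
        return str(ipaddress.ip_address(match.group("host")))
    except ValueError:
        return None


def banned_ips(log_text):
    """Return the banned IPs found in a block of log text, in order."""
    return [ip for ip in map(banned_ip, log_text.splitlines()) if ip]


if __name__ == "__main__":
    print(banned_ips(SAMPLE_LOG))
```

In a fail2ban filter file the FAILREGEX string would go on the "failregex =" line, with <HOST> left as written so that fail2ban expands it itself.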
