[Spce-user] fail2ban question

gerry kernan gerry.kernan at infinityit.ie
Mon Mar 23 13:37:43 EDT 2015


Hi,
I've followed the instructions in this post
https://www.sipwise.com/news/technical/securing-your-ngcp-against-sip-attacks/
but I can't get spce to log when a user agent is one of the ones I try to match against.
 
I add this to /etc/ngcp-config/templates/lb/kamailio.custom.tt2
## filtering by UA : blacklist
        if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
        {   
            xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - [% logreq_init -%]\n"); 
            exit; 
        }
 
I checked /etc/kamailio/lb/kamailio.custom and the custom entry is there
 
## filtering by UA : blacklist
        if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
        {   
            xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci\n"); 
            exit; 
        }
 
I have Homer monitoring SIP, and from the traces I can see INVITEs from user agent sipcli/v1.8, for example.
Is my kamailio config incorrect?
 
 
 
Best Regards,
 
Gerry Kernan
InfinityIT
 
Suite 17 The Mall | Beacon Court | Sandyford | Dublin 18
p: +35312930090 | f: +35312930137 | m: +353861709790
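
As an added example (not part of the original post or the Sipwise article), this offline check tests the two things the setup depends on: whether the four UA patterns match a given User-Agent string, and whether a fail2ban-style failregex extracts the source IP from the xlog line format shown above. Python's `re` is assumed to behave like Kamailio's regex engine for these sample strings; `FAILREGEX`, `HOST_GROUP` and the log lines are constructed for illustration.

```python
import re

# UA patterns copied from the kamailio.custom.tt2 snippet in the post.
UA_PATTERNS = ["friendly-scanner", "sipvicious", "^sipcli.+", "^VaxSIPUserAgent.+"]

# Assumption: a hypothetical fail2ban failregex for the xlog line in the post;
# it is not taken from the Sipwise article.
FAILREGEX = r"Request rejected, malicious UA='[^']*' from IP=<HOST> - "

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed syslog lines; the prefix (host, process, level) is invented.
SAMPLE_LOG = [
    "Mar 23 13:30:01 spce lb[1234]: WARNING: <script>: Request rejected, "
    "malicious UA='sipcli/v1.8' from IP=203.0.113.7 - M=INVITE "
    "R=sip:100@192.0.2.10 F=sip:a@192.0.2.10 T=sip:100@192.0.2.10 "
    "IP=udp:203.0.113.7:5060 ID=constructed-call-id",
    "Mar 23 13:30:05 spce lb[1234]: NOTICE: <script>: New request - M=REGISTER "
    "IP=udp:198.51.100.20:5060 ID=constructed-call-id-2",
]


def ua_is_blacklisted(user_agent):
    """True if any blacklist pattern matches the User-Agent value."""
    return any(re.search(p, user_agent) for p in UA_PATTERNS)


def banned_hosts(log_lines, failregex=FAILREGEX):
    """Source IPs the failregex would hand to fail2ban, in log order."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    return [m.group("host") for m in map(rx.search, log_lines) if m]


if __name__ == "__main__":
    for ua in ("sipcli/v1.8", "friendly-scanner", "sipcli", "Linphone/3.6.1"):
        print(f"{ua!r:20} blacklisted={ua_is_blacklisted(ua)}")
    print("hosts fail2ban would see:", banned_hosts(SAMPLE_LOG))
```

On a live system, `fail2ban-regex` can run the real filter file against the real Kamailio log to confirm the same thing.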