[Spce-user] fail2ban question

Daniel Grotti dgrotti at sipwise.com
Mon Mar 23 14:58:16 EDT 2015


Gerry,
Try to split the if:

if ( method is invite|register )
{
     if ( UA = xxxx | UA = xxxx ..... )
     {
        .....
     }
}


Daniel


On 23 Mar 2015 18:37, gerry kernan <gerry.kernan at infinityit.ie> wrote:
>
> Hi ,
>
> I’ve followed the instructions in this post
>
> https://www.sipwise.com/news/technical/securing-your-ngcp-against-sip-attacks/
>
> but I can’t get spce to log when a user agent is one of the ones I try and match against.
>
> I add this to /etc/ngcp-config/templates/lb/kamailio.custom.tt2
>
> ## filtering by UA : blacklist
>         if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
>         {
>             xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - [% logreq_init -%]\n");
>             exit;
>         }
>
> I checked /etc/kamailio/lb/kamailio.custom and the custom entry is there
>
> ## filtering by UA : blacklist
>         if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
>         {
>             xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci\n");
>             exit;
>         }
>
> I have Homer monitoring sip and from traces can see INVITEs from User agent sipcli/v1.8  for example.
>
> Is my kamailio config incorrect?
>
> Best Regards,
>
> Gerry Kernan
> InfinityIT
>
> Suite 17 The Mall | Beacon Court | Sandyford | Dublin 18
> p: +35312930090 | f: +35312930137 | m: +353861709790
>  
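
To check offline whether the blacklist patterns quoted in this thread match a User-Agent seen in a trace, and whether the resulting log line would give fail2ban an address to act on, the method-then-UA test can be exercised in a short script. This is an added example, not code from the thread or from the NGCP configuration; the failregex, the helper names and the sample requests are constructed, and case-insensitive pattern matching is an assumption.

```python
import re

# The four User-Agent patterns from the kamailio.custom.tt2 snippet in this thread.
UA_BLACKLIST = ["friendly-scanner", "sipvicious", "^sipcli.+", "^VaxSIPUserAgent.+"]
# Assumption: patterns are applied case-insensitively, unanchored unless they say so.
UA_RES = [re.compile(p, re.IGNORECASE) for p in UA_BLACKLIST]
FILTERED_METHODS = {"REGISTER", "INVITE"}

# Hypothetical fail2ban-style failregex for the "Request rejected" log text.
FAILREGEX = re.compile(
    r"Request rejected, malicious UA='.*' from IP=(?P<host>\d{1,3}(?:\.\d{1,3}){3}) ")

def parse_request(raw):
    """Return (method, user_agent) from a raw SIP request; user_agent may be ''."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    method = head[0].split(" ", 1)[0]
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return method, value.strip()
    return method, ""

def check(raw, src_ip):
    """Return the log line the filter would write, or None if the request passes."""
    method, ua = parse_request(raw)
    if method not in FILTERED_METHODS:            # outer test: method
        return None
    if not any(r.search(ua) for r in UA_RES):     # inner test: User-Agent
        return None
    return f"Request rejected, malicious UA='{ua}' from IP={src_ip} - M={method}"

def banned_ip(log_line):
    """Return the address the failregex would hand to fail2ban, or None."""
    m = FAILREGEX.search(log_line)
    return m.group("host") if m else None

def sip(method, ua):
    """Build a constructed sample request (names and addresses are placeholders)."""
    return (f"{method} sip:service@example.invalid SIP/2.0\r\n"
            f"From: <sip:a@example.invalid>;tag=1\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for method, ua in [("INVITE", "sipcli/v1.8"), ("INVITE", "sipcli"),
                       ("OPTIONS", "friendly-scanner"), ("REGISTER", "Example Phone 1.0")]:
        line = check(sip(method, ua), "192.0.2.10")
        print(f"{method:8} {ua!r:22} -> {line and banned_ip(line)}")
```

If a User-Agent from a trace matches here but nothing is logged on the proxy, the patterns are not the problem and attention moves to where the block sits in the routing logic and how the log line is written.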

