[Spce-user] fail2ban question

gerry kernan gerry.kernan at infinityit.ie
Mon Mar 23 16:25:50 EDT 2015


Maybe I have the code in the wrong place.

I changed it to the below, so it should log on all REGISTERs or INVITEs, but I don't get anything in the kamailio-lb log.

## filtering by UA : blacklist
        if(is_method("INVITE|REGISTER"))   # is_method() takes one "A|B" string, not "A" || "B"
        {
            # $ua is the User-Agent header pseudo-variable
            xlog("L_WARN", "XXequest rejected, XXmalicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
        }


I have the code in this section of kamailio.custom.tt2; is it in the correct section?


route
{
	$var(outbound_reg) = 0;
	$var(outbound_sock) = 0;
	$var(received_route) = 0;
	$var(routemarker) = "";
	force_rport();

	if (!mf_process_maxfwd_header("[% kamailio.lb.max_forwards %]")) 
	{
		xlog("L_WARN", "Too many hops detected - [% logreq_init -%]\n");
		sl_send_reply("483","Too Many Hops");
		exit;
	}

	# first param: check types
	# http://kamailio.org/docs/modules/3.3.x/modules/sanity.html#uri_checks
	# (everything except 8, 16, 512, 2048)
	# second param: check ruri, from, to
	if(!sanity_check("1511", "7"))
	{
		xlog("L_WARN", "Malformed SIP message detected - [% logreq_init -%]\n");
		exit;
	}
	## filtering by UA : blacklist
	if(is_method("INVITE|REGISTER"))   # is_method() takes one "A|B" string, not "A" || "B"
	{
		# $ua is the User-Agent header pseudo-variable
		xlog("L_WARN", "XXequest rejected, XXmalicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
	}

	

	# request from b2bua or proxy

-----Original Message-----
From: Daniel Grotti [mailto:dgrotti at sipwise.com] 
Sent: 23 March 2015 18:58
To: gerry kernan
Cc: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] fail2ban question

Gerry,
Try to split the if:

if (is_method("INVITE|REGISTER"))
{
    # UA patterns as in the original block
    if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+")
    {
        xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
        exit;
    }
}


Daniel


On 23 Mar 2015 18:37, gerry kernan <gerry.kernan at infinityit.ie> wrote:
>
> Hi,
>
> I've followed the instructions in this post
>
> https://www.sipwise.com/news/technical/securing-your-ngcp-against-sip-attacks/
>
> but I can't get spce to log when a user agent is one of the ones I try to match against.
>
> I added this to /etc/ngcp-config/templates/lb/kamailio.custom.tt2
>
> ## filtering by UA : blacklist
>         if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
>         {
>             # $ua is the User-Agent header pseudo-variable
>             xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
>             exit;
>         }
>
> I checked /etc/kamailio/lb/kamailio.custom and the custom entry is there
>
> ## filtering by UA : blacklist
>         if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
>         {
>             xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci\n");
>             exit;
>         }
>
> I have Homer monitoring SIP and from traces can see INVITEs from User-Agent sipcli/v1.8, for example.
>
> Is my kamailio config incorrect?
>
> Best Regards,
>
> Gerry Kernan
> InfinityIT
> Suite 17 The Mall | Beacon Court | Sandyford | Dublin 18
> p: +35312930090 | f: +35312930137 | m: +353861709790

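As an added example (not part of the thread, and not Sipwise's or fail2ban's own code): a Python replay of the fail2ban side of this setup. It takes the kamailio-lb log line that the xlog() in the thread produces once [% logreq_init -%] is expanded, applies a fail2ban-style failregex to pull the source IP out of the "from IP=" field, and bans a host after maxretry matches inside a sliding findtime window, which is how fail2ban's counter decides. It also evaluates the four UA patterns the way Kamailio's =~ operator does (an unanchored regex search, so only the "^sipcli.+" and "^VaxSIPUserAgent.+" patterns are tied to the start of the header). The log lines, host name, PID and IP addresses are constructed test data; HOST_RE is a simplified stand-in for fail2ban's own <HOST> expansion, and case-insensitive UA matching is an assumption about the =~ operator, not something the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban-style failregex for the xlog() line in the thread. fail2ban expands <HOST>
# itself; HOST_RE is a simplified stand-in so this runs without fail2ban installed.
FAILREGEX = r"Request rejected, malicious UA='(?P<ua>[^']*)' from IP=<HOST> -"
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"
REJECT_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
# Syslog timestamp at the start of each kamailio-lb line, e.g. "Mar 23 16:25:50".
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# The UA patterns from the thread. Kamailio's =~ is an unanchored regex search, so only
# the "^..." patterns are tied to the start of the header. Assumption: matching is
# case-insensitive, as Kamailio compiles these patterns with REG_ICASE.
UA_BLACKLIST = [r"friendly-scanner", r"sipvicious", r"^sipcli.+", r"^VaxSIPUserAgent.+"]

# Constructed sample log (made-up host name, PID and documentation-range IPs), in the
# format the thread's xlog() produces after [% logreq_init -%] is expanded.
SAMPLE_LOG = """\
Mar 23 16:00:00 spce /usr/sbin/kamailio[2371]: WARNING: <script>: Request rejected, malicious UA='VaxSIPUserAgent/3.1' from IP=203.0.113.9 - M=INVITE R=sip:100@198.51.100.2 F=sip:100@198.51.100.2 T=sip:100@198.51.100.2 IP=udp:203.0.113.9:5060 ID=0a1b2c
Mar 23 16:25:50 spce /usr/sbin/kamailio[2371]: WARNING: <script>: Request rejected, malicious UA='sipcli/v1.8' from IP=203.0.113.7 - M=INVITE R=sip:100@198.51.100.2 F=sip:100@198.51.100.2 T=sip:100@198.51.100.2 IP=udp:203.0.113.7:5060 ID=1a2b3c
Mar 23 16:25:51 spce /usr/sbin/kamailio[2371]: WARNING: <script>: Request rejected, malicious UA='friendly-scanner' from IP=203.0.113.7 - M=REGISTER R=sip:198.51.100.2 F=sip:101@198.51.100.2 T=sip:101@198.51.100.2 IP=udp:203.0.113.7:5060 ID=2b3c4d
Mar 23 16:25:52 spce /usr/sbin/kamailio[2371]: WARNING: <script>: Request rejected, malicious UA='sipcli/v1.8' from IP=203.0.113.7 - M=INVITE R=sip:102@198.51.100.2 F=sip:102@198.51.100.2 T=sip:102@198.51.100.2 IP=udp:203.0.113.7:5060 ID=3c4d5e
Mar 23 16:25:53 spce /usr/sbin/kamailio[2371]: WARNING: <script>: Request rejected, malicious UA='VaxSIPUserAgent/3.1' from IP=203.0.113.9 - M=INVITE R=sip:100@198.51.100.2 F=sip:100@198.51.100.2 T=sip:100@198.51.100.2 IP=udp:203.0.113.9:5060 ID=4d5e6f
Mar 23 16:25:54 spce /usr/sbin/kamailio[2371]: WARNING: <script>: Too many hops detected - M=INVITE R=sip:100@198.51.100.2 F=sip:100@198.51.100.2 T=sip:100@198.51.100.2 IP=udp:198.51.100.40:5060 ID=5e6f7a
Mar 23 16:25:55 spce /usr/sbin/kamailio[2371]: WARNING: <script>: Request rejected, malicious UA='sipcli/v1.8' from IP=203.0.113.9 - M=INVITE R=sip:103@198.51.100.2 F=sip:103@198.51.100.2 T=sip:103@198.51.100.2 IP=udp:203.0.113.9:5060 ID=6f7a8b
"""


def is_blacklisted_ua(ua):
    """True if this User-Agent value would trip the blacklist block in kamailio.custom.tt2."""
    return any(re.search(p, ua, re.IGNORECASE) for p in UA_BLACKLIST)


def parse_rejection(line):
    """Return (timestamp, source_ip, user_agent) for a rejection line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    t = TS_RE.match(line)
    ts = datetime.strptime(t.group("ts"), "%b %d %H:%M:%S") if t else None
    return ts, m.group("host"), m.group("ua")


def ban_decisions(log_text, maxretry=3, findtime=600):
    """Replay log lines through a fail2ban-like counter: a source IP is banned once it
    has maxretry matching lines inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # source IP -> timestamps of matches still inside the window
    banned = []
    for line in log_text.splitlines():
        rec = parse_rejection(line)
        if rec is None or rec[0] is None:
            continue  # not a rejection line (e.g. "Too many hops"), or no usable timestamp
        ts, host, _ua = rec
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("banned with findtime=600:", ban_decisions(SAMPLE_LOG))
    print("banned with findtime=3600:", ban_decisions(SAMPLE_LOG, findtime=3600))
```

With the default findtime of 600 seconds only 203.0.113.7 is banned: 203.0.113.9 has three rejections in total, but its first one at 16:00:00 falls outside the window, so it never reaches maxretry. Widening findtime to 3600 bans both. The "Too many hops" line is ignored because the failregex anchors on the rejection text, so only the blacklist hits count towards a ban.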