[Spce-user] fail2ban question

gerry kernan gerry.kernan at infinityit.ie
Tue Mar 24 08:49:04 EDT 2015


Hi Daniel,

Thanks, I had the wrong file name; I was missing the .cfg in the custom file name. Thanks for your time on this.

Regards

Gerry

-----Original Message-----
From: Daniel Grotti [mailto:dgrotti at sipwise.com] 
Sent: 24 March 2015 08:07
To: gerry kernan
Cc: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] fail2ban question

Hi,
the place is fine.
Just try to rewrite it into:


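# Filter by User-Agent (blacklist); only REGISTER and INVITE are checked
if(is_method("REGISTER|INVITE"))
{
     if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+")
     {
             # $ua is the User-Agent header, $si the source IP of the request
             xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
             # stop processing without sending a reply
             exit;
     }
}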


Also be sure that your customtt file is called "kamailio.cfg.customtt.tt2"





Daniel Grotti
VoIP Engineer

Phone: +43(0)1 301 2032
Email: dgrotti at sipwise.com
Website: www.sipwise.com

Particulars according Austrian Companies Code paragraph 14 "Sipwise GmbH" - Europaring F15 – 2345 Brunn am Gebirge FN:305595f, Commercial Court Vienna, ATU64002206

On 03/23/2015 09:25 PM, gerry kernan wrote:
> Maybe I have the code in the wrong place.
> 
> Changed it to below so it should output on all registers or invites, but I don’t get anything in the kamailio-lb log.
> 
> ## filtering by UA : blacklist
>         if(is_method("INVITE" || "REGISTER")
>         {   
>             xlog("L_WARN", "XXequest rejected, XXmalicious UA='$u' from IP=$si - [% logreq_init -%]\n");
>              
>         }
> 
> 
> I have the code in this section of kamailio-custom.tt2, is it in the correct section?
> 
> 
> route
> {
> 	$var(outbound_reg) = 0;
> 	$var(outbound_sock) = 0;
> 	$var(received_route) = 0;
> 	$var(routemarker) = "";
> 	force_rport();
> 
> 	if (!mf_process_maxfwd_header("[% kamailio.lb.max_forwards %]")) 
> 	{
> 		xlog("L_WARN", "Too many hops detected - [% logreq_init -%]\n");
> 		sl_send_reply("483","Too Many Hops");
> 		exit;
> 	}
> 
> 	# first param: check types
> 	# http://kamailio.org/docs/modules/3.3.x/modules/sanity.html#uri_checks
> 	# (everything except 8, 16, 512, 2048)
> 	# second param: check ruri, from, to
> 	if(!sanity_check("1511", "7"))
> 	{
> 		xlog("L_WARN", "Malformed SIP message detected - [% logreq_init -%]\n");
> 		exit;
> 	}
>         ## filtering by UA : blacklist
>         if(is_method("INVITE" || "REGISTER")
>         {   
>             xlog("L_WARN", "XXequest rejected, XXmalicious UA='$u' from IP=$si - [% logreq_init -%]\n");
>              
>         }
> 
> 	
> 
> 	# request from b2bua or proxy
> 
> -----Original Message-----
> From: Daniel Grotti [mailto:dgrotti at sipwise.com]
> Sent: 23 March 2015 18:58
> To: gerry kernan
> Cc: spce-user at lists.sipwise.com
> Subject: Re: [Spce-user] fail2ban question
> 
> Gerry,
> Try to split the if:
> 
> If ( method is invite|register)
> {
>      If ( if UA= xxxx | UA= xxxx .....)
>      {
>         .....
>       }
> }
> 
> 
> Daniel
> 
> 
> On 23 Mar 2015 18:37, gerry kernan <gerry.kernan at infinityit.ie> wrote:
>>
>> Hi ,
>>
>> I’ve followed the instructions in this post
>>
>> https://www.sipwise.com/news/technical/securing-your-ngcp-against-sip-attacks/
>>
>> but I can’t get spce to log when a user agent is one of the ones I try and match against.
>>
>>  
>>
>> I add this to /etc/ngcp-config/templates/lb/kamailio.custom.tt2
>>
>> ## filtering by UA : blacklist
>>         if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
>>         {
>>             xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - [% logreq_init -%]\n");
>>             exit;
>>         }
>>
>>  
>>
>> I checked /etc/kamailio/lb/kamailio.custom and the custom entry is 
>> there
>>
>>  
>>
>> ## filtering by UA : blacklist
>>         if(is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+"))
>>         {
>>             xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci\n");
>>             exit;
>>         }
>>
>>  
>>
>> I have Homer monitoring sip and from traces can see INVITEs from User agent sipcli/v1.8  for example.
>>
>> Is my kamailio config incorrect?
>>
>>  
>> Best Regards,
>>
>>  
>>
>> Gerry Kernan
>>
>> InfinityIT
>>
>>  
>>
>> Suite 17 The Mall | Beacon Court | Sandyford | Dublin 18
>>
>> p: +35312930090 | f: +35312930137 | m: +353861709790
>>
> 
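
Added example, not part of the original thread and not Sipwise or fail2ban code: the nested method/User-Agent check from Daniel's reply, followed by the log matching and per-IP counting that a fail2ban-style filter would apply to the resulting xlog lines. Assumptions: Python's re.search stands in for Kamailio's =~ (treated here as case-insensitive), and the failregex, the function names, the maxretry value of 3 and the sample requests are constructed for illustration.

```python
import re
from collections import Counter

# User-Agent patterns from the thread. re.search stands in for Kamailio's =~
# (assumption: unanchored unless the pattern says so, case-insensitive).
UA_PATTERNS = [re.compile(p, re.I) for p in
               (r"friendly-scanner", r"sipvicious", r"^sipcli.+", r"^VaxSIPUserAgent.+")]

# Hypothetical fail2ban-style failregex; the named group stands in for <HOST>.
# '.*' is greedy so a quote inside the sender-supplied UA cannot end the field early.
FAILREGEX = re.compile(
    r"Request rejected, malicious UA='.*' from IP=(?P<host>\d{1,3}(?:\.\d{1,3}){3}) - M=")


def filter_request(method, user_agent, src_ip):
    """Mirror the nested if: return the xlog line for a rejected request, else None."""
    if method not in ("REGISTER", "INVITE"):
        return None
    if not any(p.search(user_agent) for p in UA_PATTERNS):
        return None
    # Layout follows the expanded xlog line quoted in the thread (shortened).
    return (f"Request rejected, malicious UA='{user_agent}' from IP={src_ip}"
            f" - M={method} IP=udp:{src_ip}:5060")


def hosts_to_ban(log_lines, maxretry=3):
    """Count failregex hits per source IP and return those reaching maxretry."""
    hits = Counter()
    for line in log_lines:
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


# Constructed sample traffic (documentation address ranges).
SAMPLE_REQUESTS = [
    ("INVITE", "sipcli/v1.8", "203.0.113.7"),
    ("REGISTER", "sipcli/v1.8", "203.0.113.7"),
    ("INVITE", "friendly-scanner", "203.0.113.7"),
    ("OPTIONS", "sipvicious", "198.51.100.4"),       # method is not filtered
    ("INVITE", "sipcli", "198.51.100.4"),            # '^sipcli.+' needs a trailing char
    ("REGISTER", "ExamplePhone 2.0", "192.0.2.10"),  # ordinary client
]

if __name__ == "__main__":
    logs = [l for l in (filter_request(*r) for r in SAMPLE_REQUESTS) if l]
    print("\n".join(logs))
    print("ban:", hosts_to_ban(logs))
```

The sample shows that a bare `sipcli` User-Agent passes `^sipcli.+`, because `.+` requires at least one further character after the prefix.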



