[Spce-user] Securing your NGCP against SIP attacks
Anthony Sanchez
agswinpr at gmail.com
Tue Apr 18 23:06:29 EDT 2017
Hi, I’m trying to follow “Securing your NGCP against SIP attacks” as in:
https://www.linkedin.com/pulse/securing-your-ngcp-against-sip-attacks-daniel-grotti
*What I did until now:*
1- cp /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.tt2 /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.customtt.tt2
2- nano /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.cfg.customtt.tt2
3- and add the following lines: (Right after request_route { )
    if(!sanity_check("1511", "7"))
    {
        xlog("L_WARN", "Malformed SIP message detected - [% logreq_init -%]\n");
        exit;
    }
    ## filtering by UA : blacklist
    if(is_method("REGISTER|INVITE"))
    {
        if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" ||
            $ua =~ "user" || $ua =~ "^sipcli.+" ||
            $ua =~ "^VaxSIPUserAgent.+")
        {
            xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [% logreq_init -%]\n");
            exit;
        }
    }
4- after that I ran ngcpcfg apply
5- apt-get install fail2ban
6- cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
7- nano /etc/fail2ban/jail.local
8- Also added to the bottom in jail.local
[kamailio-iptables]
enabled = true
filter = kamailio
action = iptables-allports[name=KAMAILIO, protocol=all]
logpath = /var/log/ngcp/kamailio-lb.log
maxretry = 1
bantime = 3600
9- Then I created the filter
[Definition]
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>'
            Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'
ignoreregex =
10- And finally, I did
# ngcpcfg apply
# /etc/init.d/fail2ban restart
*Fail2ban is NOT banning KAMAILIO users/IPs*
-It is banning SSH
What am I doing wrong?
Thanks in advance,
Tony
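
Added example, not part of the original post: a small Python check that runs the failregex lines from step 9 against the line format produced by the xlog() call in step 3, which writes IP=$si with no quotes while the filter expects IP='<HOST>'. The HOST pattern is a simplified IPv4 stand-in for fail2ban's <HOST> tag, FAILREGEX_UNQUOTED is a hypothetical variant, and the sample log lines (prefix, addresses, trailing fields) are constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's real expansion also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines exactly as given in step 9 of the post.
FAILREGEX_AS_POSTED = [
    r"Request rejected, malicious UA='.*' from IP='<HOST>'",
    r"Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'",
]

# Hypothetical variant without quotes around the address, mirroring the
# xlog format string in step 3 ("... from IP=$si - ...").
FAILREGEX_UNQUOTED = [
    r"Request rejected, malicious UA='.*' from IP=<HOST>",
]

# Constructed line in the shape the step 3 xlog() would write
# (syslog prefix and everything after " - " are invented).
XLOG_LINE = ("Apr 18 22:51:03 spce lb[2231]: WARNING: <script>: Request rejected, "
             "malicious UA='friendly-scanner' from IP=203.0.113.7 - R=sip:100@198.51.100.1")

# Constructed line with a quoted address, the shape the posted filter expects.
QUOTED_LINE = ("Apr 18 22:52:10 spce proxy[2300]: Consecutive Authentication Failure "
               "for '100@example.invalid' UA='friendly-scanner' IP='203.0.113.9'")


def banned_hosts(failregexes, lines):
    """Return the addresses the given failregex patterns extract from lines."""
    compiled = [re.compile(rx.replace("<HOST>", HOST)) for rx in failregexes]
    hits = []
    for line in lines:
        for rx in compiled:
            match = rx.search(line)
            if match:
                hits.append(match.group("host"))
                break  # one hit per line is enough, as in fail2ban
    return hits


if __name__ == "__main__":
    lines = [XLOG_LINE, QUOTED_LINE]
    print("as posted:", banned_hosts(FAILREGEX_AS_POSTED, lines))
    print("unquoted :", banned_hosts(FAILREGEX_UNQUOTED, lines))
```

fail2ban ships a fail2ban-regex tool that performs the same check with the real <HOST> expansion against the actual log file and filter file.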