[Spce-user] UA filter
Daniel Grotti
dgrotti at sipwise.com
Thu Mar 14 11:44:51 EDT 2019
Hi Andy,
what version are you running?
As the UA block has been included in the config.yml since 6.5:
block_useragents:
  action: reject
  enable: no
  mode: blacklist
  ua_patterns: []
If you are using an older version you can use the following in
proxy/kamailio.cfg.customtt.tt2
...
...
if(uri =~ ";sw_domain=.+")
{
# a click2dial call, fix request uri
$var(swdom) = $(ru{uri.param,sw_domain});
$ru = "sip:" + $rU + "@" + $var(swdom);
}
### code starts here
if( is_method("REGISTER|INVITE") && $sp != "[% sems.bindport %]" &&
    !has_totag() && !from_any_gw($avp(s:ip), $avp(s:protoid)) )
{
    # blacklist: drop initial requests whose User-Agent matches a known scanner
    if($ua =~ "friendly-scanner" || $ua =~ "sipvicious" ||
       $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+" )
    {
        xlog("L_NOTICE", "Request rejected, bad UA='$ua' - [% logreq_init -%]\n");
        exit;
    }
    else
    {
        xlog("L_NOTICE", "UA='$ua' accepted - [% logreq_init -%]\n");
    }
}
### end
This should work.
--
Daniel Grotti
Head of Customer Support Sipwise GmbH
e: dgrotti at sipwise.com Europaring F15
t: +43(0)130120332 A-2345 Brunn Am Gebirge
w: www.sipwise.com FN: 305595f FG: LG Wiener Neustadt
On 3/14/19 4:13 PM, Andy Clark wrote:
> I also tried this
>
> if(is_method("REGISTER|INVITE"))
> {
> if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+")
> {
>
> xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - [% logreq_init -%]\n");
>
> exit;
>
> }
> }
>
> but I'm getting this
> root at spce:/etc/cron.d# grep 'Request rejected'
> /var/log/ngcp/kamailio-lb.log
> Mar 14 07:54:48 core lb[4086]: ERROR: xlog [xlog.c:513]:
> xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u'
> from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua'
> DESTIP=$Ri:$Rp#012]
> Mar 14 08:08:56 core lb[25972]: ERROR: xlog [xlog.c:513]:
> xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u'
> from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua'
> DESTIP=$Ri:$Rp#012]
>
> Any help?
>
>
> On Thu, Mar 14, 2019 at 7:14 AM Andy Clark
> <andyclark05251978 at gmail.com> wrote:
>
> Hi Daniel,
> I'm trying to implement a UA filter using your online tutorial;
> unfortunately, after implementation I'm getting a 408 when trying to
> register.
>
> Would you be able to look over the code?
>
> Thank you
>
> https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/
>
> if(!sanity_check("1511", "7"))
> {
> xlog("L_WARN", "Malformed SIP message detected - [% logreq_init
> -%]\n");
> exit;
> ## filtering by UA : blacklist
> if( is_method(“REGISTER|INVITE”) && ($ua =~ “friendly-scanner” ||
> $ua =~ “sipvicious” || $ua =~ “^sipcli.+”) )
> {
> xlog(“L_WARN”, “Request rejected, malicious UA=’$ua’ from IP=$si –
> [% logreq_init -%]\n”);
> exit;
> }
> }
> # checking if a request is a retransmission, if so it will exit
>
>
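
To confirm the filter is firing, the rejection lines it writes can be tallied per source address. This is an added example, not part of the original thread or Sipwise code: it assumes the "Request rejected, bad UA=" wording from the reply above and the logreq_init expansion visible in the quoted error output; the names parse_rejection and summarize and all sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the "Request rejected" xlog line from the reply above. The tail is
# the expanded [% logreq_init %] layout shown in the quoted error output
# (assumed to be the same where this filter runs). $ua is logged twice; the
# backreference requires both copies to be equal, so a User-Agent that embeds
# fake "IP=..." fields cannot shift the parsed source address.
REJECT_RE = re.compile(
    r"Request rejected, bad UA='(?P<ua>.*)' - M=(?P<method>\S+) R=\S+ F=\S+ "
    r"T=\S+ IP=(?P<proto>[^:\s]+):(?P<src_ip>\S+):(?P<src_port>\d+) "
    r"ID=\S+ UA='(?P=ua)' DESTIP=\S+?(?:#012)?\s*$"
)

def parse_rejection(line):
    """Return the parsed fields of one rejection line, or None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, threshold=2):
    """Source IPs with at least `threshold` rejections, busiest first."""
    hits, agents = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_rejection(line)
        if rec:
            hits[rec["src_ip"]] += 1
            agents[rec["src_ip"]].add(rec["ua"])
    return [(ip, n, sorted(agents[ip]))
            for ip, n in hits.most_common() if n >= threshold]

# Everything below is constructed sample data (documentation addresses).
PREFIX = "Mar 14 12:00:01 core proxy[4086]: NOTICE: <script>: "
TAIL = ("M=REGISTER R=sip:example.org F=sip:100@example.org "
        "T=sip:100@example.org IP=udp:{ip}:5071 ID=c1 UA='{ua}' "
        "DESTIP=192.0.2.10:5062")

def sample(ua, ip):
    return (PREFIX + "Request rejected, bad UA='" + ua + "' - "
            + TAIL.format(ip=ip, ua=ua))

# A User-Agent value that itself contains log-tail text (parser robustness case).
FORGED = ("x' - M=INVITE R=sip:a@b F=sip:a@b T=sip:a@b "
          "IP=udp:192.0.2.99:5060 ID=z UA='x")
SAMPLE = [
    sample("friendly-scanner", "198.51.100.7"),
    sample("sipvicious", "198.51.100.7"),
    sample(FORGED, "203.0.113.5"),
    PREFIX + "UA='Example Phone 1.0' accepted - "
    + TAIL.format(ip="192.0.2.50", ua="Example Phone 1.0"),
]
```

Feed it the lines of the Kamailio log the filter writes to; addresses that keep reappearing are candidates for blocking at the firewall instead of in the SIP script.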