[Spce-user] UA filter

Andy Clark andyclark05251978 at gmail.com
Thu Mar 14 12:41:00 EDT 2019


Thank you -
I'm running 6.5.3
I do see where to add the user agents in the config.yml (I did not notice
that in the past)

    block_useragents:
      action: drop
      enable: yes
      mode: blacklist
      ua_patterns: ['Z 5.2.25 rv2.8.112+']

NEXT
I'd like to add it to fail2ban
1. which log file should I monitor?
2. what should I be looking for in the log file?

for example:
in your tutorial I would monitor "Malformed SIP message detected"
within "/var/log/ngcp/kamailio-lb.log"

On Thu, Mar 14, 2019 at 8:44 AM Daniel Grotti <dgrotti at sipwise.com> wrote:

> Hi Andy,
> what version are you running?
> As the UA block has been included in the config.yml since 6.5:
>
>    block_useragents:
>       action: reject
>       enable: no
>       mode: blacklist
>       ua_patterns: []
>
>
>
> If you are using an older version you can use the following in
> proxy/kamailio.cfg.customtt.tt2
>
>
> ...
> ...
> if(uri =~ ";sw_domain=.+")
> {
>       # a click2dial call, fix request uri
>
>       $var(swdom) = $(ru{uri.param,sw_domain});
>       $ru = "sip:" + $rU + "@" + $var(swdom);
> }
> ### code starts here
> if( is_method("REGISTER|INVITE") && $sp != "[% sems.bindport %]" &&
>     !has_totag() && !from_any_gw($avp(s:ip), $avp(s:protoid)) )
> {
>     # blacklist: initial requests from known scanner User-Agents are
>     # logged and dropped, everything else is logged and let through
>     if($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~
>        "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+" )
>     {
>         xlog("L_NOTICE", "Request rejected, bad UA='$ua' - [% logreq_init -%]\n");
>         exit;
>     }
>     else
>     {
>         xlog("L_NOTICE", "UA='$ua' accepted - [% logreq_init -%]\n");
>     }
> }
> ###end
>
>
> This should work.
>
>
> --
> Daniel Grotti
>
> Head of Customer Support                               Sipwise GmbH
> e: dgrotti at sipwise.com                               Europaring F15
> t: +43(0)130120332                          A-2345 Brunn Am Gebirge
> w: www.sipwise.com          FN: 305595f      FG: LG Wiener Neustadt
>
> On 3/14/19 4:13 PM, Andy Clark wrote:
>
> i also tried this
>
> if(is_method("REGISTER|INVITE"))
> {
>      if ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+" || $ua =~ "^VaxSIPUserAgent.+")
>      {
>
>              xlog("L_WARN", "Request rejected, malicious UA='$u' from IP=$si - [% logreq_init -%]\n");
>
>              exit;
>
>      }
> }
>
>
> but i'm getting this
> root at spce:/etc/cron.d# grep 'Request rejected'
> /var/log/ngcp/kamailio-lb.log
> Mar 14 07:54:48 core lb[4086]: ERROR: xlog [xlog.c:513]:
> xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u' from
> IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua'
> DESTIP=$Ri:$Rp#012]
> Mar 14 08:08:56 core lb[25972]: ERROR: xlog [xlog.c:513]:
> xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u' from
> IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua'
> DESTIP=$Ri:$Rp#012]
>
> any help?
>
>
> On Thu, Mar 14, 2019 at 7:14 AM Andy Clark <andyclark05251978 at gmail.com>
> wrote:
>
>> Hi Daniel,
>> i'm trying to implement UA filter using your online tutorial,
>> unfortunately after implantation i'm getting a 408 when trying to register
>>
>> would you be able to look over the code
>>
>> Thank you
>>
>>
>> https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/
>>
>> if(!sanity_check("1511", "7"))
>> {
>>     xlog("L_WARN", "Malformed SIP message detected - [% logreq_init -%]\n");
>>     exit;
>> }
>> ##  filtering by UA : blacklist
>> if( is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~
>>     "sipvicious" || $ua =~ "^sipcli.+") )
>> {
>>     xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP=$si - [%
>>     logreq_init -%]\n");
>>     exit;
>> }
>> # checking if a request is a retransmission, if so it will exit
>>
>>
>>
>
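Added example (not code from the thread or from Sipwise): the fail2ban side of the question above, i.e. what to match in the log and how a ban decision falls out of it. It assumes the xlog() messages land in /var/log/ngcp/kamailio-lb.log (where the grep quoted earlier in the thread found them) and that the lines carry the logreq_init expansion visible in the fixup error (M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua' DESTIP=$Ri:$Rp). The log lines, the filter name and the regex are constructed assumptions; the block parses the "Request rejected" / "Malformed SIP message detected" lines, pulls the source address out of the IP=proto:addr:port field, and applies a fail2ban-style maxretry/findtime window. It deliberately includes an "accepted" line and the xdbg_fixup_helper error line from the thread to show that neither is counted.

```python
"""Detection logic for the xlog() lines discussed in the thread.

Assumptions (not from the original page): the sample log below is
constructed to mimic Kamailio xlog output in /var/log/ngcp/kamailio-lb.log,
using the logreq_init expansion quoted in the thread's fixup error:
M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua' DESTIP=$Ri:$Rp
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban filter.d fragment (assumption: check it against the real log with
# `fail2ban-regex /var/log/ngcp/kamailio-lb.log <regex>` before enabling a jail).
# fail2ban substitutes <HOST> with its own address group and strips the syslog
# timestamp before matching, so the pattern is not anchored at line start.
FAIL2BAN_FILTER = r"""[Definition]
failregex = lb\[\d+\]: .*(?:Request rejected, (?:bad|malicious) UA=|Malformed SIP message detected).*\bIP=(?:udp|tcp|tls|sctp):<HOST>:\d+\b
ignoreregex =
"""

# Python equivalent of that failregex, keeping the syslog timestamp so the
# findtime window can be evaluated offline. IPv4 only; widen <host> for IPv6.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ lb\[\d+\]: .*?"
    r"(?P<reason>Request rejected, (?:bad|malicious) UA=|Malformed SIP message detected)"
    r".*?\bIP=(?P<proto>udp|tcp|tls|sctp):(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b"
)


def parse_line(line, year=2019):
    """Return ts/host/reason/ua for a line the filter would match, else None.

    Lines such as the '... accepted ...' notice or the xlog fixup error
    (IP=$si is literal text, not proto:addr:port) do not match and return None.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    ua = re.search(r"UA='([^']*)'", line)
    return {
        "ts": ts,
        "host": m.group("host"),
        "reason": m.group("reason").rstrip("= "),
        "ua": ua.group(1) if ua else "",
    }


def matching_lines(lines, year=2019):
    """All parsed hits, in log order."""
    return [h for h in (parse_line(l, year) for l in lines) if h]


def ban_candidates(lines, maxretry=5, findtime=600, year=2019):
    """fail2ban-style decision: a host is banned once it has maxretry hits
    inside any findtime-second window. Returns {host: total_hits}."""
    hits = defaultdict(list)
    for h in matching_lines(lines, year):
        hits[h["host"]].append(h["ts"])
    window = timedelta(seconds=findtime)
    banned = {}
    for host, stamps in hits.items():
        stamps.sort()
        for i, t in enumerate(stamps):
            # hits in the window (t - findtime, t], including this one
            if sum(1 for s in stamps[: i + 1] if t - s <= window) >= maxretry:
                banned[host] = len(stamps)
                break
    return banned


# Constructed sample log (not real traffic): five scanner hits from one
# address inside a few seconds, one malformed message from another address,
# one accepted REGISTER, and the xlog fixup error quoted in the thread.
SAMPLE_LOG = """\
Mar 14 08:12:01 core lb[4086]: NOTICE: <script>: Request rejected, bad UA='friendly-scanner' - M=REGISTER R=sip:100@203.0.113.10 F=sip:100@203.0.113.10 T=sip:100@203.0.113.10 IP=udp:198.51.100.23:5060 ID=c1 UA='friendly-scanner' DESTIP=203.0.113.10:5060
Mar 14 08:12:02 core lb[4086]: NOTICE: <script>: Request rejected, bad UA='friendly-scanner' - M=REGISTER R=sip:101@203.0.113.10 F=sip:101@203.0.113.10 T=sip:101@203.0.113.10 IP=udp:198.51.100.23:5060 ID=c2 UA='friendly-scanner' DESTIP=203.0.113.10:5060
Mar 14 08:12:03 core lb[4086]: NOTICE: <script>: Request rejected, bad UA='friendly-scanner' - M=REGISTER R=sip:102@203.0.113.10 F=sip:102@203.0.113.10 T=sip:102@203.0.113.10 IP=udp:198.51.100.23:5060 ID=c3 UA='friendly-scanner' DESTIP=203.0.113.10:5060
Mar 14 08:12:04 core lb[4086]: NOTICE: <script>: Request rejected, bad UA='sipvicious' - M=INVITE R=sip:103@203.0.113.10 F=sip:103@203.0.113.10 T=sip:103@203.0.113.10 IP=udp:198.51.100.23:5060 ID=c4 UA='sipvicious' DESTIP=203.0.113.10:5060
Mar 14 08:12:05 core lb[4086]: NOTICE: <script>: Request rejected, bad UA='sipvicious' - M=INVITE R=sip:104@203.0.113.10 F=sip:104@203.0.113.10 T=sip:104@203.0.113.10 IP=udp:198.51.100.23:5060 ID=c5 UA='sipvicious' DESTIP=203.0.113.10:5060
Mar 14 08:12:07 core lb[4086]: WARNING: <script>: Malformed SIP message detected - M=INVITE R=sip:1000@203.0.113.10 F=sip:1000@203.0.113.10 T=sip:1000@203.0.113.10 IP=udp:192.0.2.77:5060 ID=d1 UA='sipcli/v1.8' DESTIP=203.0.113.10:5060
Mar 14 08:30:00 core lb[4086]: NOTICE: <script>: UA='Z 3.15.40006 rv2.8.20' accepted - M=REGISTER R=sip:200@203.0.113.10 F=sip:200@203.0.113.10 T=sip:200@203.0.113.10 IP=udp:203.0.113.55:5060 ID=e1 UA='Z 3.15.40006 rv2.8.20' DESTIP=203.0.113.10:5060
Mar 14 08:31:00 core lb[4086]: ERROR: xlog [xlog.c:513]: xdbg_fixup_helper(): wrong format[Request rejected, malicious UA='$u' from IP=$si - M=$rm R=$ru F=$fu T=$tu IP=$pr:$si:$sp ID=$ci UA='$ua' DESTIP=$Ri:$Rp#012]
"""

if __name__ == "__main__":
    for hit in matching_lines(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["host"], hit["reason"], repr(hit["ua"]))
    print("ban:", ban_candidates(SAMPLE_LOG.splitlines()))
```

Two things to check before pointing a jail at this: the failregex text must match the exact string in your own xlog() call (the tutorial's "Malformed SIP message detected" at L_WARN, and whatever wording you keep for the UA rejection), and if the blocking is done by the config.yml block_useragents feature rather than your own xlog(), look in kamailio-lb.log for what that path actually writes and match on that instead. The fixup-error lines in the thread are a reminder that a broken xlog() format produces no usable line at all, so an empty fail2ban match count can mean the log line is wrong rather than that no attacks are arriving.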