[Spce-user] Upgrade from 5.5.5 to 6.5.3 - Block Useragent Edit

Hohl Matthias matthias.hohl at telematica.at
Wed Mar 20 19:26:45 EDT 2019


Aah the [] has to be removed first… now it works

 

Von: Spce-user <spce-user-bounces at lists.sipwise.com> Im Auftrag von Hohl Matthias
Gesendet: Donnerstag, 21. März 2019 00:24
An: 'qabane me' <qabaneitsolutions at gmail.com>
Cc: 'Spce-user' <spce-user at lists.sipwise.com>
Betreff: Re: [Spce-user] Upgrade from 5.5.5 to 6.5.3 - Block Useragent Edit

 

It looks like there is a problem with the syntax:

 

    block_useragents:

      action: drop

      enable: yes

      mode: blacklist

      ua_patterns: []

      - friendly-scanner

      - friendly-request

      - sipvicious

      - ^sipcli.+

      - sip-scan

      - sipsak

      - sundayddr

      - iWar

      - CSipSimple

      - SIVuS

      - Gulp

      - sipv

      - smap

      - VaxIPUserAgent

      - VaxSIPUserAgent

      - siparmyknife

      - Test Agent

 

 

If I try to apply the config I get this:

 

root at spce:~# ngcpcfg apply "config Anpassung Malicious Call"

2019-03-21 00:22:01 spce: Error: Invalid file syntax in /etc/ngcp-config/config.yml:

YAML::XS::Load Error: The problem:

 

    did not find expected key

 

was found at document: 1, line: 659, column: 7

while parsing a block mapping at line: 655, column: 7

root at spce:~#

 

Von: qabane me <qabaneitsolutions at gmail.com <mailto:qabaneitsolutions at gmail.com> > 
Gesendet: Mittwoch, 20. März 2019 12:20
An: Hohl Matthias <matthias.hohl at telematica.at <mailto:matthias.hohl at telematica.at> >
Cc: Alex Lutay <alutay at sipwise.com <mailto:alutay at sipwise.com> >; Spce-user <spce-user at lists.sipwise.com <mailto:spce-user at lists.sipwise.com> >
Betreff: Re: [Spce-user] Upgrade from 5.5.5 to 6.5.3 - Block Useragent Edit

 

Thanks Matthias,

 

There are a few that I did not have in my list so will add them.

 

Sadly I have found that more and more they use user agents that look legit. Freepbx, cisco, etc.

 

On Wed, Mar 20, 2019 at 1:14 PM Hohl Matthias <matthias.hohl at telematica.at <mailto:matthias.hohl at telematica.at> > wrote:

Thanks for the info:

 

Btw, if anybody need it, here is a list of malicious UA for copy&paste:

 

      ua_patterns: []

      - friendly-scanner

      - friendly-request

      - sipvicious

      - ^sipcli.+

      - sip-scan

      - sipsak

      - sundayddr

      - iWar

      - CSipSimple

      - SIVuS

      - Gulp

      - sipv

      - smap

      - VaxIPUserAgent

      - VaxSIPUserAgent

      - siparmyknife

      - Test Agent

 

Von: Spce-user <spce-user-bounces at lists.sipwise.com <mailto:spce-user-bounces at lists.sipwise.com> > Im Auftrag von Alex Lutay
Gesendet: Mittwoch, 20. März 2019 11:47
An: spce-user at lists.sipwise.com <mailto:spce-user at lists.sipwise.com> 
Betreff: Re: [Spce-user] Upgrade from 5.5.5 to 6.5.3 - Block Useragent Edit

 

Hi,
On 3/20/19 11:40 AM, Hohl Matthias wrote:
> Oh okay thank you. In version 6.5.3 I didn’t found this information in
> the handbook 😊

Correct, it is new documentation and has been backported to mr6.5 LTS
already. It will be the part of the next mr6.5 build: mr6.5.4

> Thanks again. BTW: the xlog entry is also there then if something got
> blocked?

You can check it in kamailio tt2 config yourself ;-)

> if([% IF kamailio.proxy.block_useragents.mode == "whitelist" %]![% END %]([% FOREACH item IN kamailio.proxy.block_useragents.ua_patterns -%]$x_hdr(User-Agent) =~ "[% item %]"[% IF kamailio.proxy.block_useragents.ua_patterns.last != item %] || [% END %][% END -%]))
> {
> xlog("L_INFO", "Request rejected, bad UA='$x_hdr(User-Agent)' - [% logreq_init -%]\n");

-- 
Alex Lutay
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com <mailto:Spce-user at lists.sipwise.com> 
https://lists.sipwise.com/listinfo/spce-user

_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com <mailto:Spce-user at lists.sipwise.com> 
https://lists.sipwise.com/listinfo/spce-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20190321/ee2bada8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6564 bytes
Desc: not available
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20190321/ee2bada8/attachment-0001.p7s>


More information about the Spce-user mailing list