On Wed, Aug 14, 2019 at 10:11, Daniel Tryba (d.tryba@pocos.nl) wrote:
Yes, this adds the source IP to the htable that is used to block further requests. But my experience is that if you send a 200 OK the scans will stop for the older scanners. So you might want to add a sl_send_reply("200", "OK"); before the drop.
Added! Thanks.
but:
I'm not sure what you are trying to say here.
In my setups I have a limit of 64 requests per 2s. But I also have a whitelist (with/via the permissions module) for known high traffic IP addresses. Dimensioning the pike module for the known high traffic hosts kind of defeats the purpose of using pike to detect strange unwanted traffic. The correct numbers depend on your endpoints.
I cannot use a whitelist because my experiments are for all dynamic IP clients, so what is the meaning of "depend on your endpoints"?
if(src_ip!=myself && !allow_address("2", "$si", "$sp")) {
    if($sht(ipban=>$si)!=$null) {
        # ip is already blocked
        exit;
    }
    if (!pike_check_req()) {
        $sht(ipban=>$si) = 1;
        exit;
    }
}
Oh, also I put this for scanners:
if($ua =~ "friendly-scanner") {
    xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua - $rm\n");
    $sht(ipban=>$si) = 1;
    drop();
}
So I ban the IP where the friendly scanner requests come from for a while, is that correct?
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
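
The pieces discussed in this thread, put together as an added example (not code posted by either participant): the pike limit of 64 requests per 2 s, the ipban htable, the whitelist bypass and the 200 OK reply for scanners. The route name ANTIFLOOD, the htable size, the autoexpire value of 300 s and the remove_latency value are assumptions; it is the autoexpire setting that makes a ban last only "for a while".

```cfg
# Added example. Assumes pike, htable, permissions, sl, xlog and pv are
# already loaded, and that address group 2 holds the whitelisted peers.

# pike: flag a source that exceeds 64 requests per 2 s (numbers from the thread)
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 64)
modparam("pike", "remove_latency", 4)        # assumed value

# Ban table: each entry is deleted 300 s after it was set (assumed value),
# so a banned address is accepted again once it has stayed quiet that long.
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

route[ANTIFLOOD] {                           # hypothetical route name
    # Local traffic and whitelisted peers bypass every check below.
    if (src_ip == myself || allow_address("2", "$si", "$sp")) {
        return;
    }

    # Source is already banned: ignore the request without replying.
    if ($sht(ipban=>$si) != $null) {
        exit;
    }

    # Known scanner User-Agent: log, ban, and answer 200 OK before dropping,
    # as suggested in the thread.
    if ($ua =~ "friendly-scanner") {
        xlog("L_ALERT", "scanner $rm from IP:$si:$sp - UA:$ua\n");
        $sht(ipban=>$si) = 1;
        sl_send_reply("200", "OK");
        drop;
    }

    # Rate limit exceeded: log and ban the source.
    if (!pike_check_req()) {
        xlog("L_ALERT", "pike blocking $rm from $fu (IP:$si:$sp)\n");
        $sht(ipban=>$si) = 1;
        exit;
    }
}
```

Call route(ANTIFLOOD) at the top of request_route, before any authentication or database lookups, so banned sources cost as little processing as possible.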