On Wed, Aug 14, 2019 at 10:11, Daniel Tryba (d.tryba@pocos.nl) wrote:
Yes, this adds the source ip to the htable that is used to block further
requests. But my experience is that if you send a 200 OK the scans
will stop for the older scanners. So you might want to add a
sl_send_reply("200", "OK");
before the drop.
Added! Thanks.

but:
I'm not sure what you are trying to say here.

In my setups I have a limit of 64 requests per 2s. But I also have a
whitelist (with/via the permissions module) for known high traffic
IP addresses. Dimensioning the pike module for the known high traffic
hosts kind of defeats the purpose of using pike to detect strange
unwanted traffic. The correct numbers depend on your endpoints.
I cannot use a whitelist because my experiment is for all dynamic IP clients,
so what is the meaning of "depend on your endpoints"?


if(src_ip!=myself && !allow_address("2", "$si", "$sp"))
{
   if($sht(ipban=>$si)!=$null)
   {
       # ip is already blocked
       exit;
   }

   if (!pike_check_req())
   {
       # rate limit exceeded: add the source ip to the ban table
       $sht(ipban=>$si) = 1;
       exit;
   }
}

> Oh, also I put this for scanners:
>
> if($ua =~ "friendly-scanner") {
>    xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua - $rm\n");
>    $sht(ipban=>$si) = 1;
>    drop();
> }
>
> So I ban the IP where the friendly scanner comes from for a while, is that
> correct?


 


_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
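
The pieces discussed in this thread combined into one Kamailio configuration fragment, as an added example (not code posted by either participant). It assumes the sl, pv, xlog, htable, pike and permissions modules are already loaded and that address group 2 holds the known high-traffic peers; the 300-second autoexpire and the 120-second remove_latency are assumed values, while the 64 requests per 2 s limit is the one quoted above.

```cfg
# --- module parameters -------------------------------------------------
# Ban table keyed by source IP. autoexpire makes the ban temporary
# ("for a while"); 300 s is an ASSUMED value, tune it for your site.
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# pike: at most 64 requests per 2 s sampling window per source IP
# (the limit quoted in the thread). remove_latency is an ASSUMED value.
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 64)
modparam("pike", "remove_latency", 120)

# --- request handling --------------------------------------------------
request_route {
    # Local traffic and whitelisted peers (permissions group 2) bypass
    # both the ban table and the pike rate check.
    if (src_ip != myself && !allow_address("2", "$si", "$sp")) {

        # Source already banned: discard without any reply.
        if ($sht(ipban=>$si) != $null) {
            exit;
        }

        # Known scanner User-Agent: log, ban, answer 200 OK (older
        # scanners stop when they get one, per the thread), then drop.
        if ($ua =~ "friendly-scanner") {
            xlog("L_ALERT", "scanner $rm from $si:$sp - R:$ru - UA:$ua\n");
            $sht(ipban=>$si) = 1;
            sl_send_reply("200", "OK");
            drop;
        }

        # Rate limit exceeded: log once, ban the source, stop processing.
        if (!pike_check_req()) {
            xlog("L_ALERT", "pike limit hit by $si:$sp - $rm - UA:$ua\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }

    # ... normal request routing continues here ...
}
```

Because the User-Agent check only catches scanners that announce themselves, the pike check stays in place behind it as the general limit.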