On 19/06/16 20:19, Яцко Эллад Геннадьевич wrote:
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect this in some way to black list it? As you know there are different SIP dialogs here.. I need to mention these attempts should be counted during certain period of time (e. g. 1 minute). If there were ONLY TWO attempts for 1 minute the counter need to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
See the example config at:
- https://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack#ddos_and_dictio...
It is for kamailio 3.1, but can be easily updated to the latest config for 4.4. The idea is to rely on htable module to keep the counter. The key has to be '$si::$au' -- the source ip and the authentication user -- or you can use $fU instead of $au. The example above is using only user id as key, so this is another change you have to do.
Cheers, Daniel